Educause Security Discussion mailing list archives

Re: Pre Production System Accreditation


From: Dan Johnson <djj4 () UWM EDU>
Date: Wed, 5 Sep 2007 15:40:12 -0500

Hi Valdis,

You are correct, there is no such thing as a 'perfectly' secure system and
eventually, (here comes that ROI that Jim mentioned...) the return does not
match the cost.

As well, there has been a lot of FUD going around about security.
Unfortunately, in my haste, I have added to the FUD with 'perfect' security!

As to the level of security needed... um, does that mean I have to take my
home computer down a few levels from the top level DoD specifications as
outlined by NIST?  Man, all that work... ;o)

(In all, very valid points!)

Dan Johnson
IS Comprehensive Services Senior
University of Wisconsin-Milwaukee
PO Box 469
Mellencamp Hall, Room B60
Milwaukee, WI  53201
(414)229-2911

"The stupid neither forgive nor forget; the naive forgive and forget; the
wise forgive but do not forget."

Thomas Szasz, The Second Sin (1973) "Personal Conduct"




-----Original Message-----
From: Valdis Kletnieks [mailto:Valdis.Kletnieks () VT EDU]
Sent: Wednesday, September 05, 2007 1:43 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Pre Production System Accreditation

On Wed, 05 Sep 2007 12:35:14 CDT, Dan Johnson said:

> Instead of adding more to the long message that this has become... the
> axiom provided is completely true.  As security professionals, we all
> need to strive for the perfection of secure systems.

Erm. No.  We don't want a perfectly secure system.  We want an
*appropriately* secure system.  At some point, the costs of better security
outweigh the benefits.

And the sysadmins actually realize it at a gut level, even if they can't
spell it out - that's why they tend to say "here comes the security geek
with a bunch of silly rules and dumb restrictions".  Because quite often,
they *know* that some of the requirements don't make much difference in
*real* security.

Of course, deciding what a "sufficiently high" level of security should be
for a given system is a whole *different* can of worms.. ;)
