Educause Security Discussion mailing list archives

Re: Security vs. Business Process. Does Business Process trump Security Process?


From: Jesse Thompson <jesse.thompson () DOIT WISC EDU>
Date: Fri, 3 Jul 2009 09:03:29 -0500

Stucky, David wrote:
Your comments fall right in line with what I tend to struggle with.  I will tell people that security should not 
interfere with business, but business must be appropriately secure.  I stress the fact that we must work together to 
find the right solutions to support business needs in an appropriately secure manner.  As a sysadmin/security type it 
is important to remember you cannot eliminate risk; but you have to work hard to manage and reduce risk.

To bring this back to the topic of attachment blocking...  The tactic I
described earlier, of renaming the file and adding a warning to the
message, strikes this balance quite well.

It mitigates the security problem by forcing the user to rethink the
consequences of opening the attachment.  It also does not put an
unreasonable burden on the business task.

Remember Randy's point that you can't prevent the user from doing
something if they are determined.  It is possible that the user's
workaround to a strict security measure will cause them to introduce
additional security or privacy threats.  As an example, perhaps your
users will work around your exe attachment blocking by enabling Windows
File Sharing.

Jesse

--
  Jesse Thompson
  Division of Information Technology, University of Wisconsin-Madison
  Email/IM: jesse.thompson () doit wisc edu

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

