Educause Security Discussion mailing list archives
Re: Are users right in rejecting security advice?
From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Wed, 17 Mar 2010 10:14:16 -0400
On Wed, 17 Mar 2010 08:54:47 EDT, "Mclaughlin, Kevin (mclaugkl)" said:
> Really? They are considered best practices, common knowledge, the way to do things, (pick your semantic here), etc. because a lot of folks (smarter than I am, I bet) spent the time to analyze, research and come up with a best practice and that's how NIST, ISO, COBIT, etc. get produced.
There's a few actual "best practices" out there. However, in practice they tend to be swamped by the wave-a-dead-chicken voodoo security checklists often seen in the hands of clueless auditors. There's only a limited number of times you can sit through a security audit that has "Do you have a firewall?" as a checkbox item but does *not* have "Is it actually installed/enabled?" and "Has anybody actually configured it?" checkboxes before you start screaming "The Stupid, It Burns!". You say you haven't seen that yet? Then there's still hope for you. Run and escape while you still can. :)