Educause Security Discussion mailing list archives

Re: Are users right in rejecting security advice?


From: "Perloff, Jim" <perloffj () UCHASTINGS EDU>
Date: Wed, 17 Mar 2010 08:02:57 -0700

Words of wisdom.
J

_________________________________________________
Call the HelpDesk at x8802 with your computer problems
 or questions, or email us at helpdesk () uchastings edu

Jim Perloff
Network Administrator
UC Hastings College of the Law
200 McAllister Street
San Francisco, CA  94102
415.565.4712
http://uchastings.edu/infotech/index.html

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Valdis Kletnieks
Sent: Wednesday, March 17, 2010 7:14 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Are users right in rejecting security advice?

On Wed, 17 Mar 2010 08:54:47 EDT, "Mclaughlin, Kevin (mclaugkl)" said:
> Really?  They are considered best practices, common knowledge, the way
> to do things, (pick your semantic here), etc.  because a lot of folks
> (smarter than I am, I bet) spent the time to analyze, research and
> come up with a best practice and that's how NIST, ISO, COBIT, etc. get
> produced.

There's a few actual "best practices" out there.  However, in practice
they tend to be swamped by the wave-a-dead-chicken voodoo security
checklists often seen in the hands of clueless auditors.

There's only a limited number of times you can sit through a security
audit that has "Do you have a firewall?" as a checkbox item but does
*not* have "Is it actually installed/enabled?" and "Has anybody actually
configured it?" checkboxes before you start screaming "The Stupid, It
Burns!".

You say you haven't seen that yet?  Then there's still hope for you. Run
and escape while you still can. :)
