Educause Security Discussion mailing list archives

Re: Are users right in rejecting security advice?


From: "Basgen, Brian" <bbasgen () PIMA EDU>
Date: Wed, 17 Mar 2010 10:45:25 -0700

I agree, policies are one way the institution makes a definitive statement on acceptable levels of risk. The ideal situation is where the choice an employee makes vis-à-vis security compliance is whether or not to comply with college policy. Failure to comply may mean an ineffective policy, or may lead to opportunities for correction. Thus, while employees need to be a part of the policy development process, once the institution has collectively made a risk avoidance decision, it then becomes a compliance issue.

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College
Office: 520-206-4873


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Michael Van Norman
Sent: Wednesday, March 17, 2010 9:52 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Are users right in rejecting security advice?

Part of the problem here is the phrasing.  We should not be looking at
"security norms," we should be looking at "policy norms."  Policies are
going to differ between institutions, as well as *within* institutions as
you move between different user communities.  Security controls are a
technical response to a desired policy outcome (with apologies for
over-simplification).  "Best practices," or whatever you want to call them,
must be evaluated in relation to a specific policy goal.  The "best
practice" for accomplishing one goal may be exactly the wrong thing to do in
accomplishing another (in which case the security measure will actually
become a security breach).

What we really need in this space is a list of desired policy outcomes along
with the practices and technologies that have been proven effective in
accomplishing those outcomes.  With such a list in hand, a security audit
can focus on the effectiveness of a given piece of "security" against a
specific policy target.  What we have today in too many cases is auditing of
generic security practices against unspecified requirements.

/Mike

