Educause Security Discussion mailing list archives
Re: Are users right in rejecting security advice?
From: "Basgen, Brian" <bbasgen () PIMA EDU>
Date: Wed, 17 Mar 2010 10:45:25 -0700
I agree, policies are one way the institution makes a definitive statement on acceptable levels of risk. The ideal situation is where the choice an employee makes vis-à-vis security compliance is whether or not to comply with college policy. Failure to comply may mean an ineffective policy, or may lead to opportunities for correction. Thus, while employees need to be a part of the policy development process, once the institution has collectively made a risk avoidance decision, it then becomes a compliance issue.

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College
Office: 520-206-4873
-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Michael Van Norman
Sent: Wednesday, March 17, 2010 9:52 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Are users right in rejecting security advice?

Part of the problem here is the phrasing. We should not be looking at "security norms," we should be looking at "policy norms." Policies are going to differ between institutions, as well as *within* institutions as you move between different user communities.

Security controls are a technical response to a desired policy outcome (with apologies for over-simplification). "Best practices," or whatever you want to call them, must be evaluated in relation to a specific policy goal. The "best practice" for accomplishing one goal may be exactly the wrong thing to do in accomplishing another (in which case the security measure will actually become a security breach).

What we really need in this space is a list of desired policy outcomes along with the practices and technologies that have been proven effective in accomplishing those outcomes. With such a list in hand, a security audit can focus on the effectiveness of a given piece of "security" against a specific policy target. What we have today in too many cases is auditing of generic security practices against unspecified requirements.

/Mike