Educause Security Discussion mailing list archives

Re: Are users right in rejecting security advice?


From: "Jansen, Morgan R." <morgan.jansen () ROSALINDFRANKLIN EDU>
Date: Wed, 17 Mar 2010 14:58:21 -0500

This is such an interesting discussion! I agree that security must be tailored for the institution. Relating the
reasoning to the user base and giving them training is key. My husband works with me and hated when we implemented
more restrictive password policies. I have found that when people understand why they are more restrictive and are
given some tips on how to remember their passwords, they are more agreeable.
 
Morgan Jansen
morgan.jansen () rosalindfranklin edu

________________________________

From: The EDUCAUSE Security Constituent Group Listserv on behalf of Patrick Ouellette
Sent: Wed 3/17/2010 2:44 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Are users right in rejecting security advice?



Problem is, without enforceable laws/policies and strong support for it from management, "best practices" ends up
being the reality ...

What's the old saying about standards? "The fun with standards is that there's so many to choose from", and since none 
of them have the force/weight of law... choose with impunity!

Sincerely,

Patrick Ouellette
Algonquin College - School of Advanced Technology
Program Coordinator: Computer Systems Technician & Technology - Networking / Security Programs
Professor - Computer Studies Department


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Eric Case
Sent: March-17-10 3:03 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Are users right in rejecting security advice?

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Russell Fulton
Sent: Wednesday, March 17, 2010 1:18 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Are users right in rejecting security advice?

<snip>

I now cringe when I hear the phrase "Best Practice" when applied to
security.

The problem I see with "Best Practice," "Best Known Practice," "Effective
Practices," etc. is one size fits some.  Is that "Best Practice" for a
small, centralized, risk-averse institution or a large, decentralized,
risk-accepting institution?
-Eric


Eric Case, CISSP
eric (at) ericcase (dot) com
http://www.linkedin.com/in/ericcase


--
