Educause Security Discussion mailing list archives

Re: Are users right in rejecting security advice?


From: Dick Jacobson <Dick.Jacobson () NDUS EDU>
Date: Wed, 17 Mar 2010 15:08:31 -0500

On Wed, 17 Mar 2010, Eric Case wrote:

And I suspect this thread started (I can't find the beginning anymore ;-)
because we were talking about auditing best practices as opposed to IT
security best practices ??


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Russell Fulton
Sent: Wednesday, March 17, 2010 1:18 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Are users right in rejecting security advice?

<snip>

I now cringe when I hear the phrase "Best Practice" when applied to security

The problem I see with "Best Practice," "Best Known Practice," "Effective
Practices," etc. is one size fits some.  Is that "Best Practice" for a
small, centralized, risk-averse institution or a large, decentralized,
risk-accepting institution?
-Eric


Eric Case, CISSP
eric (at) ericcase (dot) com
http://www.linkedin.com/in/ericcase




-----------------------------------------------------------------------
    Dick Jacobson               e-mail : Dick.Jacobson () ndus edu
    NDUS IT Security Officer    office : STTC 219
                phone  : 701-231-6280 <NEW phone number>
-----------------------------------------------------------------------
