Educause Security Discussion mailing list archives
Re: Policy Enforcement
From: Vik Solem <vik.solem () TUFTS EDU>
Date: Fri, 26 Mar 2010 13:58:54 -0400
On Mar 26, 2010, at 13:34, Scott Sweren wrote:
Some questions I am interested in knowing your responses to are:
Note: This may take your discussion in a different direction.

I don't speak for my boss, but what I see here is a focus on communicating risk. Especially, communicating risk to the people who are responsible for the data. They are the ones who have authority, and by helping them to understand what must be done, Information Security is no longer in the operational role of saying "yes" or "no" or "5 yard penalty". Instead we're in the role of understanding the business processes, understanding the real world risks involved, and then communicating those risks to the people who have the authority to effect change.

With this method, new management structures are not required. e.g. There is already a person who is responsible for the data on that machine. Find them. Explain to them why running Windows as a user with Administrative privilege is putting that data at risk. Provide them with solid alternatives.

* eliminate the risk (delete the data and make sure it doesn't come back)
* mitigate risk where possible (don't run as admin, use separate browsers for surfing web vs. doing real work)
* bear the remainder (consider buying insurance to pay for notifications as needed)

Just my 2 cents.

-Vik

Vik Solem
Sr. Applications Risk Consultant
Information Security
Tufts University UIT / 617-627-4326
Check Out the UIT Information Security Team blog
http://blogs.uit.tufts.edu/infosecteamblog/