Educause Security Discussion mailing list archives

Re: Policy Enforcement


From: Vik Solem <vik.solem () TUFTS EDU>
Date: Fri, 26 Mar 2010 13:58:54 -0400

On Mar 26, 2010, at 13:34 , Scott Sweren wrote:
Some questions I am interested in knowing your responses to are:

Note: This may take your discussion in a different direction.

I don't speak for my boss, but what I see here is a focus on
communicating risk.  Especially, communicating risk to the people who
are responsible for the data.  They are the ones who have authority,
and by helping them to understand what must be done Information
Security is no longer in the operational role of saying "yes" or "no"
or "5 yard penalty".  Instead we're in the role of understanding the
business processes, understanding the real world risks involved, and
then communicating those risks to the people who have the authority to
effect change.  With this method, new management structures are not
required.

e.g. There is already a person who is responsible for the data on that
machine.  Find them.  Explain to them why running Windows as a user
with Administrative privilege is putting that data at risk.  Provide
them with solid alternatives.
* eliminate the risk (delete the data and make sure it doesn't come
back)
* mitigate risk where possible (don't run as admin, use separate
browsers for surfing web vs. doing real work)
* bear the remainder (consider buying insurance to pay for
notifications as needed)

Just my 2 cents.

-Vik

Vik Solem
Sr. Applications Risk Consultant
Information Security
Tufts University UIT / 617-627-4326

Check Out the UIT Information Security Team blog
http://blogs.uit.tufts.edu/infosecteamblog/
