Educause Security Discussion mailing list archives

Re: Windows O/S Patching Question


From: David Gillett <gillettdavid () FHDA EDU>
Date: Mon, 26 Mar 2012 13:06:39 -0700

It's TOOOO long if the compromise is out in the wild

  That is, I believe, the definition of a "0-day":  The "patch window"
between discovery of a vulnerability and appearance of an exploit "in the
wild" is of zero length, usually because the vulnerability was identified
(by vendor or researchers) only by reverse-engineering some new exploit....

...

I believe it is the task of auditors to verify two assertions:

1.  The institution's policies/procedures meet its business needs.

  where "meet the requirements of thus-and-such standard" is often accepted
as a minimum set of requirements, necessary but not necessarily sufficient
to satisfy this assertion, and

2.  Actual operations conform to those policies/procedures.

  So to pass an audit is going to require at least (a) a written
standard/policy, and (b) an "audit trail" logging actions performed with
time and date.  If you don't have both of those, you shouldn't pass an
audit.  Ever.

  Once you have them, then it's time to look closer at #1 and at the actual
needs of the business -- whether regulatory compliance is mandated by
legislation, what degree of risk is acceptable, and so forth -- stuff where
Senior Management makes some choices, even if the choice is only whether to
remain in business or not....


David Gillett, CISSP CCNP

