Firewall Wizards mailing list archives
Re: iso 17799
From: "Paul D. Robertson" <paul () compuwar net>
Date: Wed, 21 Jul 2004 07:16:37 -0400 (EDT)
On Wed, 21 Jul 2004, Devdas Bhagat wrote:
> Agreed. Even more than the learning and training materials, the reference materials for the "social" part of security are what is missing. How to say no to a manager when (s)he is screaming at you to do something that you aren't confident about. Sample documentation on justifying security expenses.
Perhaps what we need is a common security admin's statement to help communicate effectively both up and down the organization... Perhaps I just felt like waxing philosophic...

----------------------------------------------------------------------

Something About Security

I'm one of the security people here, and so are you.

I know that security works by limiting things, so should you. That means that I'm going to resist adding new things or broadening access, because resisting them reduces our collective risk. The more we add, the more we take on risk, and that increases the odds of something bad happening. It might not happen, but that's luck- so I need you to help me out here.

Give me business cases so that risks can be weighed against benefits. Get me involved early in new things, so that security can be taken into account up front, instead of being tacked on at the end. Tell me about things that are strange. Discuss new technologies with me, and give me time to research things. Value my contributions, because I'm fighting to defend us each and every day.

Don't try to get me to make exceptions- I don't make them for me, I shouldn't have to make them for you. Management should set the example about following rules, not the example of how to bend and break them.

I understand trust and integrity because they're the tools of my business. You should understand them too.

Just because your friends do it at their company doesn't make it safe, or a good idea. If you want bragging rights, just use phrases like "Oh, our security is much stronger than yours then!" If you can't explain why, let me help you! I'd be happy to explain it to you, so you can explain it to anyone!

The Hoover Dam could have been built much more inexpensively by cutting corners. You probably wouldn't want to live downstream of it if it were. The same is true of the systems and networks we rely on. Infrastructure takes time, care and planning.

Here are some things I'd like you to ponder:

If we have a bucket full of water, and we poke one little hole in the bottom, it'll still mostly hold water; two holes, and it'll still mostly be a bucket. At some point, it'll become a sieve. Firewalls and networks are like that too.

If you take a revolver, and put a single cartridge in it, spin the cylinder, close it, and placing the gun to your head, pull the trigger- if it doesn't go off, that doesn't mean it's safe, and certainly doesn't make pulling the trigger a second time any safer! Risk is like that too.

Defenders have to "win" every single day. Attackers only have to win once.

I have to balance the preceding statements with the fact that we have a job to accomplish, and we can't do it disconnected from everything. Please understand where I'm coming from, and how heavy the weight is on my shoulders. Take a bit of the burden if you can; it'll be appreciated. If not, then please don't make it any more difficult for me.

Together, we're the security team.

Paul D. Robertson
Moderator, Firewall-Wizards
http://honor.icsalabs.com

--------------------------------------------------------------------------

Paul

-----------------------------------------------------------------------------
Paul D. Robertson, Director of Risk Assessment, TruSecure Corporation
paul () compuwar net
probertson () trusecure com
"My statements in this message are personal opinions which may have no basis whatsoever in fact."