Firewall Wizards mailing list archives

Re: iso 17799


From: "Paul D. Robertson" <paul () compuwar net>
Date: Wed, 21 Jul 2004 07:16:37 -0400 (EDT)

On Wed, 21 Jul 2004, Devdas Bhagat wrote:

Agreed. Even more than the learning and training materials, the reference
materials for the "social" part of security are what is missing. How to
say no to a manager when (s)he is screaming at you to do something that
you aren't confident about. Sample documentation on justifying security
expenses.

Perhaps what we need is a common security admin's statement to help
communicate effectively both up and down the organization...  Perhaps I
just felt like waxing philosophic...

----------------------------------------------------------------------
Something About Security

I'm one of the security people here, and so are you.  I know that security
works by limiting things, so should you.  That means that I'm going to
resist adding new things or broadening access, because resisting them
reduces our collective risk.

The more we add, the more risk we take on, and that increases the
odds of something bad happening.  It might not happen, but that's luck, so
I need you to help me out here.  Give me business cases so that risks can
be weighed against benefits.  Get me involved early in new things, so that
security can be taken into account up front, instead of being tacked on at
the end.

Tell me about things that are strange.  Discuss new technologies with me,
and give me time to research things.  Value my contributions, because I'm
fighting to defend us each and every day.

Don't try to get me to make exceptions; I don't make them for me, and I
shouldn't have to make them for you.  Management should set the example
of following rules, not the example of how to bend and break them.  I
understand trust and integrity because they're the tools of my business.
You should understand them too.

Just because your friends do it at their company doesn't make it safe, or
a good idea.  If you want bragging rights, just use phrases like "Oh, our
security is much stronger than yours then!"  If you can't explain why, let
me help you!  I'd be happy to explain it to you, so you can explain it to
anyone!

The Hoover Dam could have been built much more inexpensively by cutting
corners.  You probably wouldn't want to live downstream of it if it were.
The same is true of the systems and networks we rely on.  Infrastructure
takes time, care and planning.

Here are some things I'd like you to ponder:

If we have a bucket full of water, and we poke one little hole in the
bottom, it'll still mostly hold water; poke two holes, and it'll still mostly
be a bucket.  At some point, it'll become a sieve.  Firewalls and
networks are like that too.

If you take a revolver, put a single cartridge in it, spin the
cylinder, close it, place the gun to your head, and pull the trigger: if
it doesn't go off, that doesn't mean it's safe, and it certainly doesn't
make pulling the trigger a second time any safer!  Risk is like that too.

Defenders have to "win" every single day.  Attackers only have to win
once.

I have to balance the preceding statements with the fact that we have a
job to accomplish, and we can't do it disconnected from everything.  Please
understand where I'm coming from, and how heavy the weight is on my
shoulders.  Take a bit of the burden if you can, it'll be appreciated.  If
not, then please don't make it any more difficult for me.

Together, we're the security team.

Paul D. Robertson
Moderator, Firewall-Wizards
http://honor.icsalabs.com
--------------------------------------------------------------------------

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards