Re: [fw-wiz] Webex and the like

From: George Capehart (capegeo@opengroup.org)
Date: 02/28/03

    From: George Capehart <capegeo@opengroup.org>
    To: Mike Hoskins <mike@adept.org>
    Date: Thu, 27 Feb 2003 22:10:06 -0500
    

    Mike Hoskins wrote:
    >

    <snip>

    >
    > I've been in that boat. An old CTO used to say security people have to
    > have a point where they say "that's against my religion" and don't budge.
    > He insisted that was part of the job. I pretty much agree, but also
    > realize that there are times when you're ultimately just a "technology
    > enabler" and can't say no. In those cases, I think the best thing you can
    > do is present a clear, documented case as to the risks involved and make
    > every relevant manager sign off on it. Then if sh!t breaks, you can just
    > point at the paper with a smug look on your face.

    Absolutely. In the end, the purpose information security serves is to
    help the organization manage risk. That's what it's all about. The
    most useful tool I've found to help formalize the process is the
    Certification and Accreditation process that originated in the US
    government and the DoD. (See
    www.nstissc.gov/Assets/pdf/nstissi_1000.pdf and
    http://csrc.nist.gov/sec-cert/ for the goodies). I guarantee that after
    the business manager goes through that process and he/she *formally
    assumes responsibility for the risk*, the point will have been made . .
    . It's not necessary to drag them through the whole process every time,
    but, especially on large, distributed systems, it's a real eye-opener.
    Plus, it _formally_ puts the responsibility and accountability where it
    belongs . . . Doesn't leave any wiggle room . . .

    /g

    --
    George W. Capehart
    "We did a risk management review.  We concluded that there was no risk
     of any management."  -- Dilbert
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    

