Re: [fw-wiz] Webex and the like
From: George Capehart (capegeo@opengroup.org)
Date: 02/28/03
From: George Capehart <capegeo@opengroup.org> To: Mike Hoskins <mike@adept.org> Date: Thu, 27 Feb 2003 22:10:06 -0500
Mike Hoskins wrote:
>
<snip>
>
> I've been in that boat. An old CTO used to say security people have to
> have a point where they say "that's against my religion" and don't budge.
> He insisted that was part of the job. I pretty much agree, but also
> realize that there are times when you're ultimately just a "technology
> enabler" and can't say no. In those cases, I think the best thing you can
> do is present a clear, documented case as to the risks involved and make
> every relevant manager sign off on it. Then if sh!t breaks, you can just
> point at the paper with a smug look on your face.
Absolutely. In the end, the purpose information security serves is to
help the organization manage risk. That's what it's all about. The
most useful tool I've found to help formalize the process is the
Certification and Accreditation process that originated in the US
government and the DoD. (See
www.nstissc.gov/Assets/pdf/nstissi_1000.pdf and
http://csrc.nist.gov/sec-cert/ for the goodies). I guarantee that after
the business manager goes through that process and he/she *formally
assumes responsibility for the risk*, the point will have been made . . .
It's not necessary to drag them through the whole process every time,
but, especially on large, distributed systems, it's a real eye-opener.
Plus, it _formally_ puts the responsibility and accountability where it
belongs . . . Doesn't leave any wiggle room . . .
/g
--
George W. Capehart
"We did a risk management review. We concluded that there was no risk of any management." -- Dilbert

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards