RE: Security Simplification



Security is a trade-off, money/effort against risk. Reading
between the lines, your VP is saying that *his perception of*
the current stance is that the money/effort is too great and
he believes that it can be reduced without increasing risk
past acceptable levels.
All of your current security measures SHOULD be aimed at
mitigating some risk to the business. (Obviously, the first
place to look for cuts is any measures that are not having
this effect...) So you need to identify places where the
mitigation being achieved is small, and confirm with him that
the risk associated with discontinuing those measures is
acceptable.
If you're lucky, you may find cases where some single measure
can provide equivalent mitigation to what two or three measures
are currently achieving. But it won't be an exact trade-off,
because such gains in *efficiency* usually sacrifice *depth*.

It would help to know what part of the current security
arrangements he finds too complex. There may be opportunities
to shift some of the complexity between different constituencies,
such as between users and sysadmins. What part of the picture
is he most focussed on?

David Gillett



-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx
[mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of
oligarchicalrule@xxxxxxxxx
Sent: Wednesday, February 21, 2007 11:51 AM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Security Simplification

If you were told by a VP to simplify security for your
organization, what do you think would be a starting point? It
seems vague. We run Windows servers/desktops that are built
on the same images. We use Cisco switches/routers/etc. I'm
not really sure where to start.
