Security should be risk related. You need to be able to define the risks
and the costs of both implementing a solution or accepting the risk.
This should be based on economic cost.
To be effective, you need to work with the other teams and look at ways
to enable projects in a secure manner.
There are nearly always solutions. From your perspective, the start
looks like education. People need to understand the risks and this is
something you can start to address with little cost or comparitive
effort.
Regards,
Craig
-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Francois Yang
Sent: Friday, 16 February 2007 3:18 AM
Cc: security-basics@securityfocus.com
Subject: Re: security not a big priority?
On 2/15/07, Josh Miller <joshua@itsecureadmin.com> wrote:
This must be your first security job, right? ;-)
All joking aside, this is very common, especially in government jobs,
based on my experience. It's a tough road to ride down and I
recommend
documenting all of your efforts for future reference and being as
supportive as possible while not creating a problem between you and
the
people you work with.
Good luck.
Thanks,
Josh Miller, RHCE
Actually no. this is my second.
I used to be a security admin at a private company. Now it's at a
public college and it's way different. At the old place I had the
final say in everything. My boss was 100% behind me and management
even the president trusted me. So whatever I said, was pretty much
what went on. So picture that. Coming from a place where I had full
say to a place where I have almost no say. is a big change.
yea, I'll just keep working on documenting and trying to show them how
important security is.
--
If you think technology can solve your security problems, then you
don't understand the problems and you don't understand the technology.
Bruce Schneier
Liability limited by a scheme approved under Professional Standards Legislation
in respect of matters arising within those States and Territories of Australia
where such legislation exists.
DISCLAIMER
The information contained in this email and any attachments is confidential. If
you are not the intended recipient, you must not use or disclose the
information. If you have received this email in error, please inform us
promptly by reply email or by telephoning +61 2 9286 5555. Please delete the
email and destroy any printed copy.
Any views expressed in this message are those of the individual sender. You may
not rely on this message as advice unless it has been electronically signed by
a Partner of BDO or it is subsequently confirmed by letter or fax signed by a
Partner of BDO.
BDO accepts no liability for any damage caused by this email or its attachments
due to viruses, interference, interception, corruption or unauthorised access.
