
Journal lheal's Journal: Security is a matter of opinion

(Draft)

The time to deal with the PHB and the security consultant is before the report comes. Define a level of security your company finds acceptable.

It doesn't take much to quickly set the right tone for a security audit. Even the Pointiest of HBs can understand the basic rules:

  1. You're never totally secure. The goal is to find a level of safety that we can tolerate and still get satisfactory service from our systems. (Do we change our passwords every day? No, too much hassle.) Security must be balanced with usefulness, and that balance point is different for each machine in each company.
  2. We layer security measures on top of one another and hope that our effort is enough to make someone seek an easier target.
  3. Bosses understand cost/benefit ratios, and they understand that you get more usefulness for more dollars. They'll also understand that you get more security with more dollars - what are they willing to pay (either for labor or devices)?

If you have a chance, take them through this:
The only way to really secure a system is to turn it off. Not very useful, but highly secure. OK, so maybe turn it on, but unplug the network cable. And lock the door. (Who has a key? Who cleans the room?) But it's a server, so it sort of has to be on the network to be useful. So plug it in, but firewall it off from the rest of the network with every service but file sharing blocked. Well, ... you get the idea.

It's all about tradeoffs. Sometimes something comes along that makes life better, easier, and cheaper at the same time, but usually you only get one or two out of three.
