[NBLUG/talk] acceptable risk

Aaron Grattafiori aaron at digitalinfinity.net
Wed Nov 20 08:25:27 PST 2013


I am no standards expert, but I do work in security.

Standards can help; it varies with the starting security level of the
environment. Sometimes people need certification and standards for reasons,
other times they need. PCI can be seen as an example. It isn't a silver
bullet (as nothing in security is) but does it help? You bet.

ISO2700, as far as I remember, is more geared toward physical security and
access vs anything technical. Someone from Sonic could probably correct me,
although I doubt they've gone through the process for their datacenter.

Assessing risk is a complex topic, and not a responsibility taken lightly if
those decisions (or lack of) are what provide the budget, people or time
for actual security.

Hope that helps?

-Aaron
On Nov 20, 2013 8:13 AM, "Kendall Shaw" <kshaw at kendallshaw.com> wrote:

> Hi,
>
> If this is too far off topic, sorry. It is about network security and
> system administration, so it is kind of sort of about linux...
>
> I am employed as a computer programmer. Security policies are being
> developed where I work. It is not my job to deal with the issue, but it is
> going to affect my ability to do work. One major concern that I have is
> that it doesn't appear to me that people understand the concept that you
> can never be 100% secure.
>
> I would hope that a person tasked with establishing policies would include
> a plan for assessing acceptable risks by balancing competing factors like
> the need to be able to produce a product. Do you know of any articles or
> books that have concrete advice for developing a plan to assess acceptable
> levels of risk within an organization? Or, do you have any concrete advice
> that is general about the subject?
>
> In books about QA there are examples of the type of thing I have been
> hoping to find, where it describes an outline for designing a set of
> questions to apply to a given situation in order to devise a test plan.
>
> I usually fail to convey the idea that I am asking about a general
> practice, not what do I do right now about a particular situation. For
> example "How do I become a pilot" asks for advice about a practice. "How
> should I trap the gopher that is in my backyard" asks for advice about a
> particular situation.
>
> An example of concrete advice about a general subject is: the ISO 27001
> standard.
>
> Do you have any advice?
>
> Kendall
> _______________________________________________
> talk mailing list
> talk at nblug.org
> http://nblug.org/cgi-bin/mailman/listinfo/talk
>