[NBLUG/talk] acceptable risk
Kendall Shaw
kshaw at kendallshaw.com
Wed Nov 20 08:13:46 PST 2013
Hi,
If this is too far off topic, sorry. It is about network security and
system administration, so it is kind of sort of about linux...
I am employed as a computer programmer. Security policies are being
developed where I work. It is not my job to deal with the issue, but it
is going to affect my ability to do work. One major concern that I have
is that it doesn't appear to me that people understand the concept that
you can never be 100% secure.
I would hope that a person tasked with establishing policies would
include a plan for assessing acceptable risks by balancing competing
factors like the need to be able to produce a product. Do you know of
any articles or books that have concrete advice for developing a plan to
assess acceptable levels of risk within an organization? Or, do you have
any concrete advice that is general about the subject?
In books about QA there are examples of the type of thing I have been
hoping to find, where it describes an outline for designing a set of
questions to apply to a given situation in order to devise a test plan.
I usually fail to convey the idea that I am asking about a general
practice, not what do I do right now about a particular situation. For
example "How do I become a pilot" asks for advice about a practice. "How
should I trap the gopher that is in my backyard" asks for advice about a
particular situation.
An example of concrete advice about a general subject is: the ISO 27001
standard.
Do you have any advice?
Kendall