[NBLUG/talk] acceptable risk

Kendall Shaw kshaw at kendallshaw.com
Wed Nov 20 08:46:52 PST 2013


Thanks. Reading about PCI compliance seems like it might be helpful. I 
see documentation about prioritizing plans for compliance which I think 
implies considering acceptable levels of risk.

Starting from zero, I can imagine listing some vulnerabilities and 
listing costs involved with addressing the vulnerabilities. But, that is 
only one step beyond this plan:

problem -> solution

An example of being too conservative would be to say that people may not 
attach their computers to a network. Another extreme would be to say 
that authentication wastes resources that could be spent on producing a 
product.

Kendall
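One way to turn the "list vulnerabilities, list the cost of addressing them" step above into something that yields an acceptable-risk decision is a small quantitative risk register: estimate each item's expected annual loss, compare it with an agreed tolerance, and check whether the control that would address it saves more than it costs. The script below is an added example, not part of the original list post; the register entries, figures, and the tolerance threshold are all constructed for illustration, and the rule names ("accept", "treat", "accept-with-review") are assumptions rather than terms from any standard.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    single_loss: float       # estimated cost of one incident (constructed figure)
    annual_rate: float       # expected number of incidents per year
    mitigation_cost: float   # annual cost of the control that would address it
    residual_factor: float   # fraction of the loss that remains with the control in place

    def expected_annual_loss(self) -> float:
        # Expected loss per year if nothing is done.
        return self.single_loss * self.annual_rate

    def net_benefit(self) -> float:
        # Loss avoided by the control, minus what the control costs each year.
        avoided = self.expected_annual_loss() * (1.0 - self.residual_factor)
        return avoided - self.mitigation_cost


def decide(risk: Risk, tolerance: float) -> str:
    """Apply the acceptance rule to one risk.

    'tolerance' is the annual loss the organisation has decided it can carry
    without a dedicated control (an assumed policy input, not a fixed value).
    """
    if risk.expected_annual_loss() <= tolerance:
        return "accept"              # below the agreed threshold
    if risk.net_benefit() > 0:
        return "treat"               # the control pays for itself
    return "accept-with-review"      # above threshold, but the control costs more than it saves


def prioritise(risks: list[Risk], tolerance: float) -> list[tuple[str, float, str]]:
    """Rank risks by expected annual loss (highest first) with the decision for each."""
    ranked = sorted(risks, key=lambda r: r.expected_annual_loss(), reverse=True)
    return [(r.name, r.expected_annual_loss(), decide(r, tolerance)) for r in ranked]


# Constructed register; the numbers are illustrative, not measurements.
SAMPLE_REGISTER = [
    Risk("unpatched public web server", 50_000, 0.5, 8_000, 0.2),
    Risk("developer laptop stolen", 4_000, 0.25, 3_000, 0.1),
    Risk("shared credentials in build system", 30_000, 0.1, 20_000, 0.1),
    Risk("meteor strike on the office", 1_000_000, 0.00001, 500_000, 0.0),
]

if __name__ == "__main__":
    for name, eal, decision in prioritise(SAMPLE_REGISTER, tolerance=2_000):
        print(f"{name:40s} expected annual loss={eal:10.2f}  -> {decision}")
```

The two extremes mentioned in the thread map onto the thresholds: setting the tolerance to zero forces every item into "treat" regardless of cost (the "nobody may attach to the network" end), while ignoring expected loss and looking only at mitigation cost drops every control (the "authentication wastes resources" end). Writing the rule down makes the trade-off an explicit, reviewable policy input rather than an implicit one.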

On 11/20/2013 08:25 AM, Aaron Grattafiori wrote:
>
> I am no standards expert, but I do work in security.
>
> Standards can help, it varies on the starting security level of the 
> environment. Sometimes people need certification and standards for 
> reasons, other times they need. PCI can be seen as an example. It 
> isn't a silver bullet (as nothing in security is) but does it help? 
> You bet.
>
> ISO2700, as far as I remember, is more geared toward physical security 
> and access vs anything technical. Someone from Sonic could probably 
> correct me, although I doubt they've gone through the process for 
> their datacenter.
>
> Assessing risk is a complex topic, and not a responsibility taken lightly 
> if those decisions (or lack of) are what provide the budget, people or 
> time for actual security.
>
> Hope that helps?
>
> -Aaron
>
> On Nov 20, 2013 8:13 AM, "Kendall Shaw" <kshaw at kendallshaw.com 
> <mailto:kshaw at kendallshaw.com>> wrote:
>
>     Hi,
>
>     If this is too far off topic, sorry. It is about network security
>     and system administration, so it is kind of sort of about linux...
>
>     I am employed as a computer programmer. Security policies are being
>     developed where I work. It is not my job to deal with the issue,
>     but it is going to affect my ability to do work. One major concern
>     that I have is that it doesn't appear to me that people understand
>     the concept that you can never be 100% secure.
>
>     I would hope that a person tasked with establishing policies would
>     include a plan for assessing acceptable risks by balancing
>     competing factors like the need to be able to produce a product.
>     Do you know of any articles or books that have concrete advice for
>     developing a plan to assess acceptable levels of risk within an
>     organization? Or, do you have any concrete advice that is general
>     about the subject?
>
>     In books about QA there are examples of the type of thing I have
>     been hoping to find, where it describes an outline for designing a
>     set of questions to apply to a given situation in order to devise
>     a test plan.
>
>     I usually fail to convey the idea that I am asking about a general
>     practice, not what do I do right now about a particular situation.
>     For example "How do I become a pilot" asks for advice about a
>     practice. "How should I trap the gopher that is in my backyard"
>     asks for advice about a particular situation.
>
>     An example of concrete advice about a general subject is: the ISO
>     27001 standard.
>
>     Do you have any advice?
>
>     Kendall
>     _______________________________________________
>     talk mailing list
>     talk at nblug.org <mailto:talk at nblug.org>
>     http://nblug.org/cgi-bin/mailman/listinfo/talk


-- 
Sorry, you must accept the license.
