Home page logo
/

educause logo Educause Security Discussion mailing list archives

Re: Pre Production System Accreditation
From: Dan Johnson <djj4 () UWM EDU>
Date: Wed, 5 Sep 2007 15:40:12 -0500

Hi Valdis,

You are correct, there is no such thing as a 'perfectly' secure system and
eventually, (here comes that ROI that Jim mentioned...) the return does not
match the cost.

As well, there has been a lot of FUD going around about security.
Unfortunately, in my haste, I have added to the FUD with 'perfect' security!

As to the level of security needed... um, does that mean I have to take my
home computer down a few levels from the top level DoD specifications as
outlined by NIST?  Man, all that work... ;o)

(In all, very valid points!)

Dan Johnson
IS Comprehensive Services Senior
University of Wisconsin-Milwaukee
PO Box 469
Mellencamp Hall, Room B60
Milwaukee, WI  53201
(414)229-2911

"The stupid neither forgive nor forget; the naive forgive and forget; the
wise forgive but do not forget."

Thomas Szasz, The Second Sin (1973) "Personal Conduct"




-----Original Message-----
From: Valdis Kletnieks [mailto:Valdis.Kletnieks () VT EDU]
Sent: Wednesday, September 05, 2007 1:43 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Pre Production System Accreditation

On Wed, 05 Sep 2007 12:35:14 CDT, Dan Johnson said:

Instead of adding more to the long message that this has become... the
axiom provided is completely true.  As security professionals, we all
need to strive for the perfection of secure systems.

Erm. No.  We don't want a perfectly secure system.  We want an
*appropriately* secure system.  At some point, the costs of better security
outweigh the benefits.

And the sysadmins actually realize it at a gut level, even if they can't
spell it out - that's why they tend to say "here comes the security geek
with a bunch of silly rules and dumb restrictions".  Because quite often,
they *know* that some of the requirements don't make much difference in
*real* security.

Of course, deciding what a "sufficiently high" level of security should be
for a given system is a whole *different* can of worms.. ;)

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]