Security Basics mailing list archives
Re: Allowing access to social networking... securely?
From: Patrick J Kobly <patrick () kobly com>
Date: Sun, 24 May 2009 22:04:22 -0600
no () dot no wrote:
Most assuredly, I would concur with this statement. This doesn't, of course, detract from the need to consider risks introduced by bypass mechanisms in a decision as to whether to block SN sites. If you have a user that will violate corporate policy by circumventing systems put in place, that is an HR issue.
The examples you cite, we block. We're incredibly concerned about data leakage being in the financial industry. Maybe those systems aren't needed in all forms of business. As I indicated, there are technical controls that will be more or less effective against many or all of these mechanisms. But they will be either a) ineffective against at least 1 bypass mechanism or b) insanely draconian.
The argument here is that blocking SN sites in the workplace creates a hostile on your network. That introduces new risks. Whether the risks introduced outweigh the benefits of the blocking, I don't know - you know your environment.
I'm of the belief that we all choose where we work, and we all play by the rules laid out by mgmt. We can choose to play along, or not. Those measures aren't put in place to make people's work environment less fun. They're done for the well being of the company. If the decisions are _actually_ based on a real business analysis... As opposed to, say, resolving an HR problem of productivity by transferring the problem to the Security folks.
Probably an indication that technical preventive controls alone (or primarily) may not be the right solution. Particularly given that the controls that were initially discussed have almost exactly _nil_ impact in addressing that issue. It only takes one person to leak out sensitive data, emails, etc and create a potentially bad situation.
PK