Educause Security Discussion mailing list archives

Re: Are users right in rejecting security advice?


From: Patrick Ouellette <ouellep () ALGONQUINCOLLEGE COM>
Date: Wed, 17 Mar 2010 15:44:43 -0400

Problem is, without enforceable laws/policies and strong support for it from management, "best practices" ends up
being the reality ...

What's the old saying about standards? "The fun with standards is that there's so many to choose from", and since none 
of them have the force/weight of law... choose with impunity!

Sincerely,

Patrick Ouellette
Algonquin College - School of Advanced Technology 
Program Coordinator: Computer Systems Technician & Technology - Networking / Security Programs 
Professor - Computer Studies Department


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Eric Case
Sent: March-17-10 3:03 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Are users right in rejecting security advice?

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Russell Fulton
Sent: Wednesday, March 17, 2010 1:18 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Are users right in rejecting security advice?

<snip>

I now cringe when I hear the phrase "Best Practice" when applied to security

The problem I see with "Best Practice," "Best Known Practice," "Effective
Practices," etc. is one size fits some.  Is that "Best Practice" for a
small, centralized, risk-averse institution or a large, decentralized,
risk-accepting institution?
-Eric


Eric Case, CISSP
eric (at) ericcase (dot) com
http://www.linkedin.com/in/ericcase

