On Wed, 26 May 1999, ward, bryan wrote:
> Go by the golden rule: if Security costs more than what you are protecting,
> does it make sense?
Intangibles and forward evaluations make that a difficult metric, and not
always entirely appropriate. There's a zero-dollar immediate cost in
allowing 3rd graders to view pornography on the Internet. Does that mean
that supplying any kind of protection is unnecessary? (Note that doesn't
necessarily mean technical protection, it could mean social or supervisory
- also note "immediate cost".)
Throw in the legal possibilities of things like being held liable for much
greater damages inflicted to another site, and valuation can quickly become
meaningless. Given the multi-jurisdictional nature of the Internet, that's a
possibility that doesn't necessarily make for good value in straight
valuation comparisons.
I think it's more important to look at the opposite side of the coin.
What value does providing <xyzzy> provide to the business, and does it
have a long-term positive net effect that outweighs not providing it?
That does need to be combined with a risk and business analysis of {use,
misuse, misappropriation, the item not being available if adequate
infrastructure isn't paid for up-front.}
Even after years of learning that default permit rules don't work for
firewalls, we're steadily cruising into the default permit rules for
business behaviour when it comes to network infrastructure.
We used to require a written business case by a department head prior to
allowing Web access. You'd be surprised at the amount of productivity
that's been lost since that policy died. I'd bet that at most
large businesses it's a deficit.
Another real problem, and it's due to increase exponentially, is that
providing a service for a business need doesn't automatically mean it'll
be used for such. It's easier to provide a valuation estimate for e-mail
between business partners or customers and an entity than it is to
provide the negative valuation estimates for increased virus activity,
time spent on joke lists and chain letters, customer lists flying out to
competitors, and things like that.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280