> From my experience working at NASA (moffet field as an intern one > summer) was that their IT department (in my building) was good at what > they did but had a pretty restrictive security policy (which is a good > thing i guess). So i would rate them as excellent although too > restrictive. > -- > Jason Freidman <[EMAIL PROTECTED]>
Since a primary tenant of all good security policies is the principle of least privilage that baisically states that no-one should have more access than the absolute minimum necessary to do their job. Of course no-one really does this that I have seen. But a good yard-stick of your security policy and implementation is if everyone complains it is too strict. As long as you have the support of managment, this is when I feel most comfortable. It looks like NASA is doing it right, which I have always heard. Being ahead of the curve, 4 years ago they instituted a comprehenive vullnerability assessment and patching and remediation program that turned the hostile penetration rate from over 20% to less than 1% in a year. Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA Information Security Engineer DP Solutions ---------------------------------------- If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked. -- White House cybersecurity adviser Richard Clarke _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
