Benjamin Scott wrote:
>
> is designed to assure four things:
>
> - Availability (you can get to it when you want to)
> - Integrity (you get in what you get out)
> - Confidentiality (other people cannot get to it)
> - Authenticity (you know who put it in or got it out)
>
> Of these, only the last two are typically considered to be "security" by
> many people.
This is very true. Things like availability and back-ups are usually
viewed as a sysadmin function, but most don't consider them as part of
a security strategy. However, this is the reason that a lot of
companies have an amended security policy for the sysadmins or
security administrators that includes the rights and responsibilities
specific to their job function and includes things like back-up
rotation, levels of back-ups, and off-site storage.
> However, if you think about it, the last two are completely
> useless without the first two. Security is a lot more than passwords and a
> firewall. It is a UPS and backups, too. And a million other things. Of
> course, most of all, it is a process, not a product [1].
Of course, security *IS* a process. The question is, does process
dictate the policy or does policy dictate the process? One thing that
I have encountered in the past is the absence of policy (which to me
is insane), even though there is a process that is followed.
C-Ya,
Kenny
--
---------------------------------------------------
Kenneth E. Lussier
Geek by nature, Linux by choice
PGP KeyID 0xD71DF198
Public key available @ http://pgp.mit.edu