"Kenneth E. Lussier" said:
>Of course, security *IS* a process. The question is, does process
>dictate the policy or does policy dictate the process? One thing that
>I have encountered in the past is the absence of policy (which to me
>is insane), even though there is a process that is followed.
>
Policy? We don't need no stinking policy! :)

Yep, it's insane. Before you can decide HOW to protect something, you need to know
WHAT you are protecting, from WHOM, WHY, and what the consequences of the loss are.
And, as Ben pointed out, you need to remember that part of the WHAT can be access to
the information (Availability, Integrity).

When I was doing security, I first required a clear, written policy of the above.
Then we could look at all the ways to access the info, and figure out what was the
best HOW(s). Even then, sometimes the HOW was itself policy & procedures (we'll back
up every night), vs technology (we need five copies of this stuff around the world).

And, having achieved it once, you have to continue to re-evaluate. WHO, WHAT, WHERE,
WHY, BY WHOM, and finally HOW.

jeff
-----------------------------------------------------------------------
Jeffry Smith Technical Sales Consultant Mission Critical Linux
[EMAIL PROTECTED] phone:603.930.9739 fax:978.446.9470
-----------------------------------------------------------------------
Thought for today: pumpkin holder n.
See patch pumpkin.