Re: [ISN] Security: Lotsa Talk, Little Walk

From: mea culpa (jerichoat_private)
Date: Wed Sep 23 1998 - 08:50:30 PDT


    Reply From: mhtat_private
    >> = Original Article
    >  = Jay Dyson's Reply
    > > Despite statements of strong support for information security by top
    > > management, an astonishing number of companies fail to take the most
    > > basic steps to protect themselves from hackers, disgruntled employees
    > > and industrial spies.
    As the person quoted in the article from Ernst & Young, John Darbyshire,
    almost a year ago, he was a Director of Price Waterhouse Enterprise
    Security Solutions group who was not that knowledgeable in security
    policies in procedures within its own firm dealing with stealing corporate
    records and data, but yet has the audacity to state how much it costs to
    draft a security policy for a $50 million dollar company.  Drafting of a
    security policy is much more than price.
    > 	This comes as little surprise.  Security is rarely handled in a
    > proactive manner in the government, educational or commercial sectors.  In
    > my experience, the only people who actually tend to be passionate about
    > security are those who possess the ability to defeat it.  As many people
    > who are "in charge" of computer and network security do not possess these
    > skills (and I will refrain from any untoward comments involving the "Peter
    > Principle"), security is often sacrificed in the name of convenience and
    > hubris.
    > > Of those surveyed, 84% said their senior management believes that
    > > information security is "important" or "extremely important." But the
    > > following results indicate that that concern isn't translating into
    > > action: 
    > > 
    > >    * Forty-one percent said they don't have formal security policies.
    > >    * Three-quarters said they have no incident response plans.
    > >    * More than half said they lack disaster recovery plans.
    > >    * More than a third said they don't monitor their networks for
    > >      suspicious activity.
    > >    * Fewer than one in five use encryption technology to safeguard
    > >      sensitive information.
    > 	What's truly sad about this unfortunate state of affairs is that
    > there's already a blueprint available that can resolve almost 99% of these
    > fundamental deficiencies: RFC 2196 - Site Security Handbook.  (Available
    > via
    Yes, a majority of what Jon Darbyshire stated has been said over and over
    again, and the majority of the points are discussed in the RFC mentioned
    above.  How about Ernst & Young finding new material to quote?
    > 	Alas, experience has taught me time and again that just because
    > someone is running a server doesn't mean they *should* be.  All too often,
    > the truly critical tasks of information technology and security have been
    > relegated to the status of "someone else's job."
    > 	And just as all important tasks are overlooked until it's too
    > late, so computer and network security is resigned to a similar fate.
    > Everybody knows that somebody should do it, but nobody dares to take the
    > initiative, lest they step on somebody else's toes.
    Yes, Ernst & Young has spent a lot of money over there to give us the
    impression that they have hired a lot of so-called security experts to
    help Jon Darbyshire expand his vocabulary and quote other people's
    Nuff said..
