
04.24.08

Information Security Ethics

By Dan Morrill

There is an interesting conversation over at Slashdot on the idea of senior management playing fast and loose with compliance and systems/network audits. The idea of management dropping their legal obligations is one thing, but as far as information security goes, this is not the first time, and not the last time, that security by check box has been an issue.

What does an information security person do?

"I am a senior security xxx in a Fortune 300 company and I am very frustrated at what I see. I see our customers turn a blind eye to blatant security issues, in the name of the application or business requirements. I see our own senior officers reduce the risk ratings of internal findings, and even strong-arm 3rd party auditors/testers to reduce their risk ratings on the threat of losing our business. It's truly sad that the fear of losing our jobs and the necessity of supporting our families comes first before the security of highly confidential information. All so executives can look good and make their bonuses? How should people start blowing the whistle on companies like this?" Source: Slashdot


From a security viewpoint, it is interesting to note that this is something that at some point any security engineer is going to have to deal with: a manager, developer, or associate asking that something be downgraded. Usually all it really takes is a "show me the danger" routine, but for procedural or policy items it is not so easy. How do you show the danger in downgrading an issue that is policy based?

Most security engineers don't know how to work out loss or damage to reputation; we can only make hazy guesses as to the probable damage that doing X rather than Y will cause to the organization. While I do understand that this is a broad categorization, and there are security engineers out there who have intimate knowledge of cost, loss, and risk management, many do not.

So if you were in this person's shoes, what would you do?


About the Author:
Dan Morrill has been in the information security field for 18 years, both civilian and military, and is currently working on his Doctor of Management. Dan shares his insights on the important security issues of today through his blog, Managing Intellectual Property & IT Security, and is an active participant in the ITtoolbox blogging community.
About ITManagementNews
ITManagementNews answers questions for IT managers. Our experts offer real-world advice and cutting-edge technology for the enterprise. ITManagementNews is focused on Delivering IT Solutions.










-- ITManagementNews is an iEntry, Inc. publication --
iEntry, Inc. 2549 Richmond Rd. Lexington KY, 40509
2008 iEntry, Inc. All Rights Reserved
