Vin McLellan wrote:
> If military commanders received career-defining fitness reports
> which appropriately and knowledgeably evaluated the quality of the infosec
> management and resource protection on their base or ship, they damn well
> would do better than leave diaper-innocent 6-months-in-the-service sysops
> with responsibility (and no budget) for safeguarding their Command's
> digital crown jewels.
They also wouldn't cave to user-demand for poking holes in compromising a
night shift could troll the porn sites, or play Quake2. !!
> If the military hierarchy used the same standard of accountability
> to evaluate the quality of infosec management that they routinely use to
> evaluate the quality of physical security around the base armory, the
> likelihood that a DoD Command would use a layered and properly-managed
> defense scheme is much higher. Put more bluntly: If a General had his star
> tarnished every time an easily-blocked cyber attack succeeded within his
> Command, military payroll and logistics data would surely be much more
> securely held than is the norm today.
Never underestimate an Officer's ability to pass the buck - and the blame!
> By the same token, of course, corporate executives with fiduciary
> responsibility for managing corporate resources should be hung out to dry
> when they allow infosec protection for corporate assets to fall below some
> minimal standard -- except, perhaps, when such risks are explicitly
> accepted, with a cost/benefit justification.
made more laughable when one considers how many IS departments report to
> For much of the past three decades, I thought the lack of
> accountability for infosec was temporary, a reflection of the utter
> ignorance of many corporate and military managers about IT. If that was
> once true, however, it no longer is -- and the fact that a CEO knows
> nothing about SEC filings or Accounting Principles is not an acceptable
> excuse for an organization failing to file appropriate and timely reports.
> What we see today is a systematic evasion of responsibility for appropriate
> infosec, and there is simply no excuse for it.
-That's an agreement "duh" BTW.
> The painful truth is, of course, that the people most responsible
> for the lousy state of infosec policy management (what policies, you hear
> them ask!?) and procedures, and implementation are the audit and infosec
> professionals themselves, who have never managed to explicitly define --
> and help the courts enforce -- a minimal standard of professional system
connect me-- connect me-- connect me--
reliability-- reliability-- reliability--
What we're vulnerable!
protect me-- protect me-- protect me--
Shit! I have to learn how to scale the Walls!
exempt me-- exempt me-- exempt me--
We've been hacked?
*******its YOUR fault!******
> With so many systems and networks now connected to the Internet and
> accessible to remote attacks, the lack of any such clearly-defined minimal
> standard of appropriate and professional IT stewardship becomes steadily
> more egregious.
LUX ./. owen