[continued from previous message]
(internal and external) who are incentivized to say "no" because it's
easier and faster than documenting variances; or approving
compensating controls... Auditors who don't understand the system
holistically and won't/can't see why a compensating control addresses
one or more requirements... Or lawyers and insurers who are unwilling
or unable to understand the technical nuances and prioritize "exact
compliance" over actual security.
I'd love to have systems that were both secure and compliant with
policy, but if I have to choose one over the other, I'll tend toward
actual security.
------------------------------
Date: Wed, 4 Sep 2024 20:27:27 -0600
From: Charles Cazabon <charlesc@pyropus.ca>
Subject: Re: Standard security policies and variances (Kilby, RISKS-34.43)
Having run into this situation myself a number of times, I can relate that
things don't always -- or perhaps even usually -- go as smoothly as this
suggestion assumes.
Large organizations set standard baseline policies. Frontline helpdesk or
security folks apply the baseline policies, because it's a Standard Policy.
Someone requests a variance - such as me, for accessibility reasons - and it
turns out to be essentially impossible to get *any* variance, because in
large organizations it's no one's job to create and apply those variances or
otherwise deviate from the standard policy, and the incentives are all
against doing so.
E.g., 18 months later, I was still waiting for that variance...
------------------------------
Date: Sat, 28 Oct 2023 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks
SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) has moved to the ftp.sri.com site:
<risksinfo.html>.
*** Contributors are assumed to have read the full info file for guidelines!
OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
delightfully searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also,
ftp://ftp.sri.com/risks for the current volume/previous directories
or
ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00
ALTERNATIVE ARCHIVES:
http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks may have done to URLs.
Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>
------------------------------
End of RISKS-FORUM Digest 34.44
************************