I delivered a paper this week to help define the
relationship between operational security and our friends in the IA
security world. I believe because my "gut" tells me that the truthiness
(http://en.wikipedia.org/wiki/Truthiness) that we as information
security practitioners are growing in the way of doctors and lawyers.
After all you don't send a Trial Lawyer to sort out the settlement of an
estate and you don't send a Proctologist to deliver a baby; eh? We have
specialists and generalist, coders and admins, and yes the dark side
wonkers.
In my paper I proposed that information security should be a synergy
between three components; security engineering, information assurance
(policy & procedures), and security operations (NOC/SOC/CSIRC). Just as
the space shuttle has multiple redundant systems organizations should
have checks and balances (speed bumps) to ensure that technology isn't
put into production until the risks that the technology will induce are
mitigated. I'm wondering if this approach is too theoretical or am I
stretching the concept of least privilege and separation of duties too
far? I contend that those principals are applicable to not only systems
and individuals but on an organizational level as well. Integration is
a great thing but isn't it possible to take integration too far to the
point where the lack of complexity becomes a vulnerability unto itself?
No comments:
Post a Comment