Tuesday, November 18, 2008

Ten not-so-good practices for avoiding data loss during layoffs

Richard Stiennon blogged about 'best' practices for data protection during these difficult economic times. I can see where they come from and I can comprehend the business logic behind them, but I do have a problem with most of the suggested 'best' practices ... lemme explain.

1. Restate and re-publish your organization policy on confidential information. Require everyone in the company to sign it.

If you have a policy and it is not signed off on, you're a dork. Assume you already have some disgruntled employees; after requiring everybody to sign off on the policy, you will have a shitload of disgruntled employees. These people will know what you are up to. People are not stupid cows, and they will see that you're just covering your bases. How are you gonna pick up the pieces when recovery starts? You're throwing all your HR management principles out of the window. Good luck.

4. Identify and restrict access to key data such as employee records, resumes, customer lists, and financial statements.

Well yeah ... if it's touch and go, this is a project worth spending your valuable money on. For one, it's gonna f* up your business processes if handled in haste, and you'll spend money that you could better use in places where it actually benefits the business at this moment.

5. Log, monitor and audit employee online actions

I'm not even going into privacy issues here. But logging and monitoring would assume you have a baseline to compare anomalies against. Again, starting 'now' because times are precarious is too late, and it's also wasting precious resources which (when laying off people) are only gonna get scarcer.

7. Use extra caution with system admins and privileged users.

If you have over-privileged users, and that's what you're talking about here, you haven't really been on par with your security efforts. Extra caution is not gonna help you much; it is also not a very measurable security control.

All in all, I'm mostly appalled by the disrespect these 'best' practices show for the people that worked their ass off for you in the past years. Yes, the people that pulled all-nighters to meet deadlines, and those people that in your (the average manager's) eyes represent costs (-$$).
If this is the time to justify security controls, you're one bad-ass CISO, CSO or whatever title you carry.

I'm not saying security controls (including those in the above-mentioned article) are not worth it, but NOW? I'm sorry, it's too little, too late.
