I'm an executive! Jail is bad! Can I not go?
The threat opportunities caused by excessive compliance.
With current regulation imposing severe personal penalties for negligence, the tap has been wide open for funding compliance efforts. Just as with executive compensation, all major companies want to be above average. They don't want to merely meet best or recommended practices, they want to exceed them.
These increasingly excessive controls, policies, and roles have caused their own exposures and risks which go largely unrecognized.
Examples:
- Overly strict password aging and complexity rules cause an increase in the use of post-its and password lists, because passwords have to be replaced so often. Smart cards are left in workstations. Tokens are put under webcams.
- Segregation of duties, when too zealously applied to satisfy audit and risk frameworks, means that skills become specialized and no individual is allowed to have a complete understanding of operations. If no one retained on staff has an effective holistic understanding of complicated systems, solutions can become piecemeal and unreliable. Staff retention becomes a larger problem as tasks become more repetitive and narrow.
- Untrusted resources end up being trusted. Hard things to do, such as information classification and fine-grained access controls, are replaced with easy and ineffective things to do, like trusting all workstations absolutely. Many really well qualified people consider portable storage to be the greatest threat to IT. I'll discuss why it's not.
---
I'll have more examples to go through until I'm out of time or am booed off stage.
Ian Gorrie
Geek.
Started as a systems and infrastructure monkey in startups and ISPs.
Now consults as a generalist in the information security and systems infrastructure field.