- Over-focus on operational controls: Firewalls, anti-virus, passwords. Under-focus on security architecture, systems analysis, and business needs.
- Risk analysis is to do a gap analysis against the list of best practices du jour.
- Incident response means everyone runs around with their hair on fire.
- A "post-mortem" means patch the hole and move on. Root cause? It was that hole. And we just fixed it!
- "We recognize that privacy is very important to our customers. Our website uses Secure Sockets Layer so that information you provide to us is protected over the Internet."
- Security is all about the CIA triad, but when push comes to shove, it's availability that wins.
- Vulnerability scanning is done once every few months. Against the Internet perimeter. And you only look at the "highs".
- Access controls are binary: you can either see nothing or you can see everything.
- Security policies are inches thick; nobody reads them.
- Authentication is entirely about really complicated passwords, rotated frequently.
- Paper shredders everywhere because physical security is important, dammit! Laptops and drives rarely encrypted.
- The IT department manages the IT and the security department adds the security afterwards.
- Application security means our software supports strong passwords.
Any additions? Please post here or on your Myspace page!