Thursday, October 31, 2013

13 Warning signs that your infosec program is stuck in the wrong decade

  1. Over-focus on operational controls: Firewalls, anti-virus, passwords.  Under-focus on security architecture, systems analysis, and business needs.
  2. Risk analysis means doing a gap analysis against the list of best practices du jour.
  3. Incident response means everyone runs around with their hair on fire.
  4. A "post-mortem" means patch the hole and move on.   Root cause?  It was that hole. And we just fixed it!
  5. "We recognize that privacy is very important to our customers.  Our website uses Secure Sockets Layer so that information you provide to us is protected over the Internet."
  6. Security is all about the CIA triad, but when push comes to shove, it's availability that wins.
  7. Vulnerability scanning is done once every few months.  Against the Internet perimeter.  And you only look at the "highs".
  8. Access controls are binary: you can either see nothing or you can see everything.
  9. Security policies are inches thick, nobody reads them.
  10. Authentication is entirely about really complicated passwords, rotated frequently.
  11. Paper shredders everywhere because physical security is important, dammit!  Laptops and drives rarely encrypted.
  12. The IT department manages the IT and the security department adds the security afterwards.
  13. Application security means our software supports strong passwords.

Any additions?  Please post here or on your Myspace page!

