NO MORE UPDATES TO THIS PAGE PLEASE. SUBMIT ALL FUTURE COMMENTS TO |
General comment
Sections in this chapter are too long. When reading 22.1.2 it referred me to 7.1.3 and it took a bit of page flicking to find the section simply because a lot of pages don't have numbered subsections. Consider going to 4 digit numbering or splitting sections up.
--
StephenHarris - 24 Aug 2006
[ Tom's reply: Good point, but a little too late to fix right now. I can put page # references in if you have specific examples. Status: DONE ]
7.1.2 Ask the Right Questions (pg 121)
Another asset that companies are concerned about is "time". People accessing the internet or personal email from work is time that they're not spending working. Indeed, a company that allows a worker to access pornography from their desk
could leave themselves open to sexual harassment cases. So part of a solid security policy is in determining what external resources workers should have access to. The answer to the question may turn out to be "any", or it may turn out to be "require proxy access and use XYZ to filter requests". As much as I hate the idea, it is a valid question that needs to be part of the security policy.
Similarly, access to other external resources could be locked down; why would a desktop need to access a random fileserver on the internet? Unlikely! Definitely not for work related stuff.
--
StephenHarris - 13 Aug 2006
7.1 pg 135
Don't use cubicles as an example of "out of band" authentication. This can change too quickly to be relevant. 3 new people have moved in around me within the past month and my official work location isn't where I sit.
pg 137
Another type of security-sensitive product would be one that holds end-user (e.g. customers of the company) data, such as credit card information. Another type are core infrastructure devices; compromise the DNS server or even the routers and switches and you allow Man In The Middle Attacks. Compromise the NAS or SAN devices and you get unaudited access to data. And so on.
pg 139
Where you say embedded and mention HTTP, do you also mean "tunnel via HTTPS proxies" ? This is almost a lost cause. Because of border firewalls many products allow their communications to go via SOCKS or HTTPS proxies. Even AIM and Jabber can do this. And at least one SSH client (a security product!) comes with HTTPS tunnelling built in. Bleh.
[ Status: DONE ]
pg 143
A policy writer should do more than just regurgitate product specifications and say "these are our requirements". Why yes, we do have one of these people here in this company!
[ Status: DONE ]
pg 144
Auditor. Might be an idea to disambiguate the use of the word "program" where you say "An auditor builds a program...". Maybe rephrase that totally. As a security engineer I've written programs that run on the Unix systems that compare the server configuration to security baseline policies and report the results to a central database. I'm not the auditor, however; that's another person who reviews the results (or a random sampling of results, anyway) and kicks the machine owners to show either a Risk Acceptance of the deviance, or to bring the machine back into compliance.
And there I hinted at another role in the security world;
[ Tom's reply: "program" means a system of programs that meet a need. I've clarified the paragraph. ]
Risk Manager
This is a technical management role, but from the business side. The job of the Risk Manager is to evaluate technical requests (e.g. "We want to enable anonymous FTP on this server", or "We want outside providers to access this resource via this method" or "We need a weaker password policy on this box") and determine the risk to the company of allowing this deviance from policy standards, whether to allow it or require the solution be re-engineered to avoid this deviance, and then be able to justify any risk acceptances to the auditors (internal or external). Large companies may have many risk managers, aligned to the divisions of the company, with a large risk management structure supporting them.
[ Tom's reply: Added. Status: DONE ]
--
StephenHarris - 14 Aug 2006
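The auditor and Risk Manager workflow from the pg 144 and Risk Manager comments above, as an added Python example (not code from the book, Tom, or the commenter): a host's sshd_config is compared with a baseline and each deviation is classified against a risk-acceptance register, so the auditor sees which deviations have a current acceptance and which need chasing. The baseline keys, host names, dates and config text are all constructed.

```python
# Added example (not code from the book or the commenter): a baseline
# compliance check with risk-acceptance handling. All data is constructed.
from datetime import date
from typing import NamedTuple
# Constructed baseline: sshd_config-style keys and the value policy requires.
BASELINE = {"PermitRootLogin": "no", "PasswordAuthentication": "no", "Protocol": "2"}
# Constructed risk-acceptance register as the Risk Manager would keep it:
# (host, setting) -> date the accepted deviation expires and needs re-justifying.
RISK_ACCEPTANCES = {("ftp01", "PasswordAuthentication"): date(2007, 1, 31)}
# Constructed sshd_config text as collected from host "ftp01".
SAMPLE_CONFIG = """# managed by config tool
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
"""
class Finding(NamedTuple):
    host: str
    setting: str
    expected: str
    observed: str
    status: str  # compliant | accepted | expired_acceptance | noncompliant

def parse_config(text):
    """Parse 'Key value' lines; drop comments and blanks; first occurrence wins."""
    config = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            config.setdefault(key, value.strip())
    return config

def audit_host(host, config, today):
    """Compare one host's config to BASELINE; today is an ISO date string."""
    today, findings = date.fromisoformat(today), []
    for setting, expected in BASELINE.items():
        observed = config.get(setting, "<unset>")
        if observed == expected:
            status = "compliant"
        elif (host, setting) not in RISK_ACCEPTANCES:
            status = "noncompliant"  # deviation with nothing on file: chase owner
        elif today <= RISK_ACCEPTANCES[(host, setting)]:
            status = "accepted"  # deviation covered by a current risk acceptance
        else:
            status = "expired_acceptance"  # acceptance lapsed: re-justify or fix
        findings.append(Finding(host, setting, expected, observed, status))
    return findings
def needs_action(findings):
    """Deviations the auditor must chase: unaccepted or with a lapsed acceptance."""
    return [f for f in findings if f.status in ("noncompliant", "expired_acceptance")]
```

In practice the findings would be written to the central database the comment mentions, and `needs_action` is the list the auditor works from.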