Among my clients, healthcare entities, it's all of the above:

- For big, public hospital systems, it's about how little can we do to have plausible deniability in the event of oversight scrutiny.
- For manufacturers of medical devices, it's about risk/reward (i.e., how little can we spend to protect ourselves from risk) AND what are our competitors doing.

In the privacy realm, there's some attention paid to customer/patient perception, but since most customers don't understand infosec procedures, it's zero-sum.
Dan Jacob
Healthcare Analytics, LLC
917.647.0880
On 6/8/06, ljknews <ljknews mac.com> wrote:
> At 8:04 AM -0400 6/8/06, Mark Curphey wrote:
>
> > So how do "you" go about selling the virtues of getting it to companies? Does "getting it" save you money? Does "getting it" improve customer loyalty?
>
> I am not convinced that "getting it" produces superior results to just complying with requirements.
>
> The principle of Least Privilege (or something similar, depending on the terminology of your particular bible) says that every file on a system should be protected against "world" access (or whatever terminology is used on your operating system). Someone who "gets it" is not going to do better in this regard than someone who uses a tool to methodically check the protection of every file on the system.
>
> If a file is found that allows world access, it must be changed. Some situations demand that access to particular files be generally allowed but only through particular programs that mediate access. (The system I use calls this "protected subsystems".) Someone who implements this approach due to slavish submission to regulations is doing no worse than someone who uses the same approach due to "getting it".
>
> There is a strong temptation on the part of the person who "gets it" to install the mediation program with broad privilege. The operating system I use calls this "SYSPRV" -- I forget the name of the corresponding Unix term. Thus the person who "gets it" is actually "winging it" and "getting it" wrong. The person who merely slavishly follows regulations will end up more secure.
> --
> Larry Kilgallen
> LJK Software
>
--
Dan Jacob
917.647.0880
www.hcAnalytics.com
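Larry's quoted post describes the mechanical approach that a checklist follower and a person who "gets it" end up sharing: walk every file, flag anything with "world" access, fix it, and keep an eye on the mediation programs that hold extra privilege. The script below is an added example, not code from either poster or from any tool they mention; it is a small Unix-flavoured auditor in that spirit. The directory layout, file names and modes it creates are constructed for the demo, and set-uid (the Unix counterpart of the privileged mediation program he refers to) is used as the "broad privilege" marker, which is an assumption on my part since the post leaves the Unix term unnamed.

```python
"""Added example: audit a directory tree for files that grant "world" (other)
access, report set-uid/set-gid executables separately, and strip world access
from offending files. Demo tree, names and modes are constructed here and are
not taken from the mailing-list post.
"""
import os
import stat
import tempfile

# Constructed demo layout: relative path -> mode to apply (not real system paths).
DEMO_TREE = {
    "etc/app.conf": 0o644,       # world-readable configuration file
    "var/spool/queue": 0o666,    # world-writable data file: the worst case
    "home/alice/notes": 0o600,   # correctly protected, should produce no finding
    "usr/bin/mediator": 0o4755,  # set-uid "mediation program" (assumed Unix analogue)
}


def classify_mode(mode: int) -> list[str]:
    """Return the issues implied by a raw st_mode value.

    World access is the check Larry describes; set-uid/set-gid are flagged so a
    reviewer can see where a mediation program carries extra privilege.
    """
    issues = []
    if mode & stat.S_IWOTH:
        issues.append("world-writable")
    elif mode & (stat.S_IROTH | stat.S_IXOTH):
        issues.append("world-readable")
    if mode & stat.S_ISUID:
        issues.append("setuid")
    if mode & stat.S_ISGID and not stat.S_ISDIR(mode):
        issues.append("setgid")
    return issues


def audit_tree(root: str) -> list[tuple[str, str, str]]:
    """Methodically check every regular file under root.

    Returns sorted (relative path, symbolic mode, issue) tuples. Symlinks are
    skipped because their own mode bits carry no meaning; their targets are
    audited when the walk reaches them.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            for issue in classify_mode(st.st_mode):
                findings.append((os.path.relpath(path, root),
                                 stat.filemode(st.st_mode), issue))
    return sorted(findings)


def strip_world_access(path: str) -> str:
    """Remediation: clear the 'other' rwx bits and leave owner/group bits alone."""
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    os.chmod(path, mode & ~0o007)
    return stat.filemode(os.lstat(path).st_mode)


def build_demo_tree(root: str) -> str:
    """Create the constructed demo files with the modes listed in DEMO_TREE."""
    for rel, mode in DEMO_TREE.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("demo\n")
        os.chmod(path, mode)
    return root


def run_demo() -> tuple[list, list]:
    """Audit the demo tree, fix every world-access finding, audit again."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        before = audit_tree(root)
        for rel, _mode, issue in before:
            if issue.startswith("world"):
                strip_world_access(os.path.join(root, rel))
        after = audit_tree(root)
        return before, after


if __name__ == "__main__":
    before, after = run_demo()
    print("before remediation:")
    for finding in before:
        print("  %-20s %s  %s" % finding)
    print("after remediation:")
    for finding in after:
        print("  %-20s %s  %s" % finding)
```

After the remediation pass only the set-uid finding on the mediator remains, which is exactly the item Larry says deserves a second look: a file audit can fix world access mechanically, but whether a privileged mediation program really needs that privilege is a judgement the tool can only surface, not make.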