Shostack + Friends Blog Archive


How about "Align with the business?"

I normally have a lot of respect for CIO Magazine. Their journalists cover the topics that matter to CIOs, they remain focused on how to make the technology support the business, etc. That’s why I was surprised to see this CIO’s Guide To Safe Computing, which starts:

Ellyn believes that companies should strive for a holistic approach to achieving security. The top 15 strategies for computing responsibly are highlighted in the report and are practices IT departments of any size should implement if they haven’t already done so.

1. Establish strong identity management for network access, ideally including passwords, smart cards and biometrics.

2. Strictly control password management and administration; avoid outsourcing this at all costs.

Not until #14 do we get to policies, and even there, it's not about the business.

Number 13 starts out well: “Inspect the software development practices of vendors to determine …” their ability to control backdoors? How about their ability to control the use of gets()?!?
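To make the gets() jab concrete, here is an added example (my code, not from the original post, the CIO report, or any vendor it discusses) of what a vendor's coding practices actually have to control: gets() takes no buffer size, so no caller can make it safe, which is why it was dropped from the C standard in C11. The replacement below bounds the read, tells the caller when a line did not fit rather than silently truncating, and drains the over-long line so the next read starts on a fresh record instead of treating the tail of hostile input as new input. The sample input is constructed for the example, and the use of POSIX fmemopen() to feed it in memory is an assumption about the build environment (it is not needed for the reader itself).

```c
/* Added example, not from the original post or the CIO report: a bounded
 * line reader that does what gets() cannot, i.e. stop at the caller's
 * buffer size. Assumes a POSIX libc for fmemopen() (used only for the demo). */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>

enum { LINE_OK = 0, LINE_EOF = -1, LINE_TOO_LONG = -2 };

/* Read one line from `in` into dst (capacity cap, including the NUL).
 * Returns LINE_OK with the newline stripped, LINE_EOF when no input is left,
 * or LINE_TOO_LONG when the line does not fit; in that case dst is emptied
 * and the rest of the over-long line is consumed so the following call
 * starts on the next record rather than on the tail of this one. */
int read_line_bounded(FILE *in, char *dst, size_t cap)
{
    if (cap == 0)
        return LINE_TOO_LONG;
    if (fgets(dst, (int)cap, in) == NULL) {
        dst[0] = '\0';
        return LINE_EOF;
    }
    size_t n = strlen(dst);
    if (n > 0 && dst[n - 1] == '\n') {
        dst[n - 1] = '\0';
        return LINE_OK;
    }
    /* No newline in the buffer: either the last line at EOF, a line of
     * exactly cap-1 bytes whose newline is still unread, or a line that
     * is genuinely too long. Peek one byte to tell the cases apart. */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return LINE_OK;
    while (c != EOF && c != '\n')
        c = fgetc(in);          /* drain the remainder of the long line */
    dst[0] = '\0';
    return LINE_TOO_LONG;
}

/* Helper for probing: status of reading the first line of `input` into a
 * buffer of `cap` bytes. The buffer here is fixed; cap must be <= 64. */
int probe_first_line(const char *input, size_t cap)
{
    char buf[64];
    if (cap > sizeof buf)
        return LINE_TOO_LONG;
    FILE *in = fmemopen((void *)input, strlen(input), "r");
    if (!in)
        return LINE_EOF;
    int status = read_line_bounded(in, buf, cap);
    fclose(in);
    return status;
}

/* Constructed sample input (not captured from any real system): a normal
 * line, one far longer than the 16-byte buffer, then a normal line again. */
static const char sample_input[] =
    "user=alice\n"
    "user=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
    "user=bob\n";

/* Feed the sample through the reader with a 16-byte buffer and return how
 * many lines were rejected as too long. Every accepted line is guaranteed
 * to fit the buffer, which is exactly the property gets() cannot give. */
int count_rejected_lines(void)
{
    char buf[16];
    int rejected = 0, status;
    FILE *in = fmemopen((void *)sample_input, sizeof sample_input - 1, "r");
    if (!in)
        return -1;
    while ((status = read_line_bounded(in, buf, sizeof buf)) != LINE_EOF) {
        if (status == LINE_TOO_LONG)
            rejected++;
        else
            printf("accepted: %s\n", buf);
    }
    fclose(in);
    return rejected;
}

int main(void)
{
    printf("rejected over-long lines: %d\n", count_rejected_lines());
    return 0;
}
```

Rejecting rather than truncating is deliberate: a reader that quietly truncates "user=alice<40 more bytes>" to "user=alice" and then parses the leftover bytes as the next line hands an attacker control over record boundaries, which is the same class of problem as the overflow, just one layer up.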

To be fair, I haven't read the report; it may contain language about business alignment which is hard to summarize into a bullet list.