Quote:
Originally Posted by Semper Fidelis  The bottom line with Security, however, is that the decisions cannot be pushed down to the "Security Guy". There needs to be understanding at the management level to inform users of the decisions being made and to ensure that security doesn't destroy usability due to its strictness. |
I agree.
Just as clarification, I'm not looking so much for security from various intrusions, but more so security from within the company. Instead of starting off from scratch and reinventing the wheel at the office, I have to fix a broken system, and I don't have very much experience with servers.
A good example of our situation is that when the company first started, we used the same password for everything. When I arrived, I showed management that this was a serious problem and why (they didn't believe me). We don't use that system anymore, but we don't have the best one in effect right now either. While I would love to have electronic ID cards for every employee, we simply don't have that kind of money, so I am working on finding a nice middle ground on what I would like to see happen with our security vs. what we have available to us. I have a whole checklist of changes I would like to make that are similar to the one above, but I am not entirely sure that my solutions are the
best ones available. At work, I am my own department, so I don't have co-workers who come to the office with different ideas for various projects and assignments (that's why I have the PB!
)
But seriously, I know what my goals are, and I would like some feedback on my solutions. Are there any books out there that talk about different approaches to this? Do they address the legal aspects of this (as in company confidentiality agreements)?
Thanks!