How to Suck at Information Security

Discussion in 'BlackHat Lounge' started by The Scarlet Pimp, Jan 17, 2009.

    Security Policy and Compliance

    * Ignore regulatory compliance requirements.

    * Assume the users will read the security policy because you've asked them to.

    * Use security templates without customizing them.

    * Jump into a full-blown adoption of frameworks such as ISO 27001/27002 before you're ready.

    * Create security policies you cannot enforce.

    * Enforce policies that are not properly approved.

    * Blindly follow compliance requirements without creating overall security architecture.

    * Create a security policy just to mark a checkbox.

    * Pay someone to write your security policy without any knowledge of your business or processes.

    * Translate policies in a multi-language environment without consistent meaning across the languages.

    * Make sure none of the employees finds the policies.

    * Assume that if the policies worked for you last year, they'll be valid for the next year.

    * Assume that being compliant means you're secure.

    * Assume that policies don't apply to executives.

    * Hide from the auditors.


    Read the rest of this list by clicking here:
    http://isc.sans.org/diary.html?storyid=5644