How to Suck at Information Security

Discussion in 'BlackHat Lounge' started by The Scarlet Pimp, Jan 17, 2009.

  1. The Scarlet Pimp, Senior Member

    Security Policy and Compliance

    * Ignore regulatory compliance requirements.

    * Assume the users will read the security policy because you've asked them to.

    * Use security templates without customizing them.

    * Jump into a full-blown adoption of frameworks such as ISO 27001/27002 before you're ready.

    * Create security policies you cannot enforce.

    * Enforce policies that are not properly approved.

    * Blindly follow compliance requirements without creating overall security architecture.

    * Create a security policy just to mark a checkbox.

    * Pay someone to write your security policy without any knowledge of your business or processes.

    * Translate policies in a multi-language environment without consistent meaning across the languages.

    * Make sure none of the employees finds the policies.

    * Assume that if the policies worked for you last year, they'll be valid for the next year.

    * Assume that being compliant means you're secure.

    * Assume that policies don't apply to executives.

    * Hide from the auditors.


    Read the rest of this list by clicking here:
    http://isc.sans.org/diary.html?storyid=5644