Megacorp Inc security policy

1. This policy is approved by Management.
2. All staff shall obey this security policy.
3. Data shall be available only to those with a “need-to-know”.
4. All breaches of this policy shall be reported at once to Security.

Figure 9.1 – typical corporate policy language

This sort of language is common, but useless – at least to the security engineer.


It dodges the central issue, namely ‘Who determines “need-to-know” and how?’

Second, it mixes statements at different levels (organizational approval of a policy should logically not be part of the policy itself).

Third, there is a mechanism but it’s implied rather than explicit: ‘staff shall obey

(Ross Anderson, " — Third Edition", PDF-Preview 2020-05-16)
