Security Regulations
Posted Tuesday, March 16, 2010 10:25 PM

SSC-Dedicated

Group: Administrators
Last Login: Yesterday @ 11:08 AM
Points: 31,371, Visits: 15,839
Comments posted to this topic are about the item Security Regulations
Follow me on Twitter: @way0utwest

Forum Etiquette: How to post data/code on a forum to get the best help
Post #884390
Posted Wednesday, March 17, 2010 2:32 AM
SSC-Enthusiastic
Group: General Forum Members
Last Login: Thursday, October 31, 2013 3:11 AM
Points: 171, Visits: 444
Whilst I agree that on one hand this would reduce the number of viruses and botnets floating around, it would also put a rather large barrier on people connecting to the internet, both with older people not understanding it and technophobe parents not wanting their kids to risk having their household fined.
Post #884448
Posted Wednesday, March 17, 2010 6:25 AM
SSC-Addicted
Group: General Forum Members
Last Login: Saturday, March 15, 2014 1:45 PM
Points: 405, Visits: 286
I find it difficult to believe that anyone would suggest that implementing security is a good idea, whatever one may mean by security. But I guess I look at it this way.

I wouldn't want my mortgage lender to come up with the detailed plan for wiring my house. I suspect they'd have good ideas, but I'd prefer to leave the details to my own electrician.

Neither do I appreciate government crafting the plans for computer security, for the reasons that you stated, Steve, and because it's outside the scope of what government is good for... in my humble opinion :)
Post #884588
Posted Wednesday, March 17, 2010 6:34 AM
Right there with Babe
Group: General Forum Members
Last Login: Tuesday, December 16, 2014 12:11 PM
Points: 771, Visits: 1,971
For one thing, enforcing a 'patch level' for all machines on the internet will be entirely impossible.

Millions and millions of machines in different countries. Won't happen.

It's not easy even to accurately identify 'patch level' on machines (even in our corporate LAN there are many discrepancies). And of course, this assumes that everyone is running one of the 'official' operating systems. And what about internet connected appliances? How would you go about patching and checking these? How would you even KNOW what patches were appropriate or needed?

And relying on user machines for providing safety is inviting problems. The control must be at the gateway to the machines being protected.
Now as for standards organizations, there is definitely a place for voluntary standards that an organization or company can apply (similar to ISO9001) to assure their customers and others that they have met reasonable standards.

...

-- FORTRAN manual for Xerox Computers --
Post #884595
Posted Wednesday, March 17, 2010 6:36 AM

SSChampion

Group: General Forum Members
Last Login: Thursday, December 18, 2014 9:58 AM
Points: 13,872, Visits: 9,600
If there's to be government-induced security on the internet, I'd rather see it in terms of encouragement than regulation.

If, for example, antivirus software were tax-deductible, for both corporations and individuals, that would be better than some complex set of rules on whether your computer should be allowed to connect.

Set up a certification standard, allow private companies to create sites that will test your computer for compliance, and if you pass certification every month or every quarter or whatever, you get $1000 off your tax bill, or added to your refund. Companies like Symantec already have sites that will test this stuff for you.

Would almost certainly result in a lot more secure computers. Wouldn't get everyone, but nothing will.
- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread

"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
Post #884600
Posted Wednesday, March 17, 2010 6:39 AM
SSC-Enthusiastic
Group: General Forum Members
Last Login: Monday, December 22, 2014 2:05 PM
Points: 187, Visits: 389
This is not unexpected. Ninety percent of the "Internet" in the U.S. is privately owned as opposed to when it was born and the federal government was the owner. If businesses were taking care of business (Sarbanes Oxley anyone?) then there would be no need for the federal government to even hint at enforcing IT security.

There are a large number of NIST documents that are all security related and are worth the perusal. They contain nothing draconian. But as guidelines, many businesses will ignore their content even if they are aware that these documents exist. Yes, Oracle and Microsoft have, in the past, issued problematic patches, but I fail to see how that becomes an argument for not patching. I also fail to see the rationale for abdicating "patchiness" to a SANS Institute if the only point in their favor is that they are "private". Private yes, free no.

DBAs need to be aware of how their role fits into the overall "defense in depth" of their organization in ensuring confidentiality, integrity, and availability of corporate computing resources. Check out NIST Special Publication 800-30 and do your own risk assessment.

At the end of the day, if business doesn't take care of business, the federal government will.
Post #884604
Posted Wednesday, March 17, 2010 6:59 AM
Valued Member
Group: General Forum Members
Last Login: Monday, August 18, 2014 10:57 AM
Points: 56, Visits: 335
Just going over my lecture notes on Citizenship in the Nation, which deals mainly with the US Constitution, I somehow failed to find any reference to the federal govt.'s authority to regulate my computer. Please let me know which Article or Amendment this is so that I can point it out to the guys, since it sounds like they really need to know this.

Somehow I am a little skeptical of some "political entity" making rules for me to follow, for my own good. How many of us have seen the truckloads of money going down the drain for government regulated policies that we have to document and follow, and how easily they are circumvented... Anyone ever work in a place where credit card numbers were kept because "Accounting Needed the information"???

John.
Post #884626
Posted Wednesday, March 17, 2010 7:03 AM
Grasshopper
Group: General Forum Members
Last Login: Friday, August 5, 2011 5:36 AM
Points: 23, Visits: 77
What's wrong with a private group offering low-cost or free "certification" of a site? When I was in industry, ISO 9000 was the big thing, and companies jumped to be ISO certified.

QS9000 (?) for automotive.

Why not a security standard, voluntarily supported and independently verified, such as Verisign does with SSL certificates?

No, I don't want government regulations imposed. THAT means more paperwork and overhead than is needed. I would MUCH rather deal with a vendor who proudly displays his "ISS9000" certification on his web site. THEN I would have confidence that the vendor WANTS to be secure, and is willing to take the steps to certify his qualifications.

Jim
Post #884633
Posted Wednesday, March 17, 2010 7:06 AM

SSC Journeyman

Group: General Forum Members
Last Login: Tuesday, November 25, 2014 1:49 PM
Points: 81, Visits: 372
While I am all in favor of security, I just don't want government involved in deciding what I can do and cannot do or must do. Remember this is the same government where the IRS took over a brothel in Nevada for back taxes and it subsequently went broke. And you want the same bureaucracy to regulate our databases!

I think the private market will self-regulate itself -- after all you get what you pay for.
Mike Byrd
Post #884634
Posted Wednesday, March 17, 2010 7:17 AM
SSC-Enthusiastic
Group: General Forum Members
Last Login: Thursday, October 31, 2013 3:11 AM
Points: 171, Visits: 444
Jim Lang, I love that idea... I'm assuming you're thinking along the lines of the WCAG stuff for web design?
Post #884640