Security Regulations
Steve Jones
SSC-Forever, Group: Administrators, Points: 42340, Visits: 18876
Comments posted to this topic are about the item Security Regulations

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
Ben Moorhouse
SSC-Enthusiastic, Group: General Forum Members, Points: 183, Visits: 444
Whilst I agree that on one hand this would reduce the number of viruses and botnets floating around, it would also put a rather large barrier in front of people connecting to the internet, both with older people not understanding it and technophobe parents not wanting their kids to risk having their household fined.
pjdiller
SSC-Addicted, Group: General Forum Members, Points: 423, Visits: 291
I find it difficult to believe that anyone would suggest that implementing security is a good idea, whatever one may mean by security. But I guess I look at it this way.

I wouldn't want my mortgage lender to come up with the detailed plan for wiring my house. I suspect they'd have good ideas, but I'd prefer to leave the details to my own electrician.

Neither do I appreciate government crafting the plans for computer security, for the reasons that you stated, Steve, and because it's outside the scope of what government is good for... in my humble opinion :)
jay-h
Ten Centuries, Group: General Forum Members, Points: 1173, Visits: 2257
For one thing, enforcing a 'patch level' for all machines on the internet will be entirely impossible.

Millions and millions of machines in different countries. Won't happen.

It's not easy even to accurately identify 'patch level' on machines (even in our corporate LAN there are many discrepancies). And of course, this assumes that everyone is running one of the 'official' operating systems. And what about internet connected appliances? How would you go about patching and checking these? How would you even KNOW what patches were appropriate or needed?

And relying on user machines for providing safety is inviting problems. The control must be at the gateway to the machines being protected.


Now as for standards organizations, there is definitely a place for voluntary standards that an organization or company can apply (similar to ISO9001) to assure their customers and others that they have met reasonable standards.

...

-- FORTRAN manual for Xerox Computers --
GSquared
SSCoach, Group: General Forum Members, Points: 16759, Visits: 9729
If there's to be government-induced security on the internet, I'd rather see it in terms of encouragement than regulation.

If, for example, antivirus software were tax-deductible, for both corporations and individuals, that would be better than some complex set of rules on whether your computer should be allowed to connect.

Set up a certification standard, allow private companies to create sites that will test your computer for compliance, and if you pass certification every month or every quarter or whatever, you get $1000 off your tax bill, or added to your refund. Companies like Symantec already have sites that will test this stuff for you.

Would almost certainly result in a lot more secure computers. Wouldn't get everyone, but nothing will.

- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread

"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
John Langston
SSC Veteran, Group: General Forum Members, Points: 226, Visits: 514
This is not unexpected. Ninety percent of the "Internet" in the U.S. is privately owned as opposed to when it was born and the federal government was the owner. If businesses were taking care of business (Sarbanes Oxley anyone?) then there would be no need for the federal government to even hint at enforcing IT security.

There are a large number of NIST documents that are all security related and are worth the perusal. They contain nothing draconian. But as guidelines, many businesses will ignore their content even if they are aware that these documents exist. Yes, Oracle and Microsoft have, in the past, issued problematic patches, but I fail to see how that becomes an argument for not patching. I also fail to see the rationale for abdicating "patchiness" to a SANS Institute if the only point in their favor is that they are "private". Private yes, free no.

DBAs need to be aware of how their role fits into the overall "defense in depth" of their organization in ensuring confidentiality, integrity, and availability of corporate computing resources. Check out NIST Special Publication 800-30 and do your own risk assessment.

At the end of the day, if business doesn't take care of business, the federal government will.



john.campbell-1020429
Valued Member, Group: General Forum Members, Points: 66, Visits: 336
Just going over my lecture notes on Citizenship in the Nation, which deals mainly with the US Constitution, I somehow failed to find any reference to the federal govt.'s authority to regulate my computer. Please let me know which Article or Amendment this is so that I can point it out to the guys, since it sounds like they really need to know this.

Somehow I am a little skeptical of some "political entity" making rules for me to follow, for my own good. How many of us have seen the truckloads of money going down the drain for government regulated policies that we have to document and follow, and how easily they are circumvented... Anyone ever work in a place where credit card numbers were kept because "Accounting Needed the information"???

John.
Jim Lang ECCA
Grasshopper, Group: General Forum Members, Points: 23, Visits: 77
What's wrong with a private group offering low-cost or free "certification" of a site? When I was in industry, ISO 9000 was the big thing, and companies jumped to be ISO certified.

QS9000 (?) for automotive.

Why not a security standard, voluntarily supported and independently verified, such as Verisign does with SSL certificates?

No, I don't want government regulations imposed. THAT means more paperwork and overhead than is needed. I would MUCH rather deal with a vendor who proudly displays his "ISS9000" certification on his web site. THEN I would have confidence that the vendor WANTS to be secure, and is willing to take the steps to certify his qualifications.

Jim
Mike Byrd
SSC Journeyman, Group: General Forum Members, Points: 97, Visits: 389
While I am all in favor of security, I just don't want government involved in deciding what I can do and cannot do or must do. Remember this is the same government where the IRS took over a brothel in Nevada for back taxes and it subsequently went broke :( And you want the same bureaucracy to regulate our databases!

I think the private market will self-regulate itself -- after all you get what you pay for.

Mike Byrd
Ben Moorhouse
SSC-Enthusiastic, Group: General Forum Members, Points: 183, Visits: 444
Jim Lang, I love that idea... I'm assuming you're thinking along the lines of the WCAG stuff for web design?