Security Regulations
Steve Jones
SSC Guru

Group: Administrators
Points: 81782 Visits: 19212
Comments posted to this topic are about the item Security Regulations

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
Ben Moorhouse
SSC Veteran

Group: General Forum Members
Points: 299 Visits: 444
Whilst I agree that on one hand this would reduce the number of viruses and botnets floating around, it would also put a rather large barrier on people connecting to the internet.
Both with older people not understanding it, and technophobe parents not wanting their kids to risk having their household fined.
pjdiller
SSC-Addicted

Group: General Forum Members
Points: 457 Visits: 291
I find it difficult to believe that anyone would suggest that implementing security is a good idea, whatever one may mean by security. But I guess I look at it this way.

I wouldn't want my mortgage lender to come up with the detailed plan for wiring my house. I suspect they'd have good ideas, but I'd prefer to leave the details to my own electrician.

Neither do I appreciate government crafting the plans for computer security, for the reasons that you stated, Steve, and because it's outside the scope of what government is good for... in my humble opinion :)
jay-h
SSCrazy

Group: General Forum Members
Points: 2349 Visits: 2339
For one thing enforcing a 'patch level' for all machines on the internet will be entirely impossible.

Millions and millions of machines in different countries. Won't happen.

It's not easy even to accurately identify 'patch level' on machines (even in our corporate LAN there are many discrepancies). And of course, this assumes that everyone is running one of the 'official' operating systems. And what about internet connected appliances? How would you go about patching and checking these? How would you even KNOW what patches were appropriate or needed?

And relying on user machines for providing safety is inviting problems. The control must be at the gateway to the machines being protected.


Now as for standards organizations, there is definitely a place for voluntary standards that an organization or company can apply (similar to ISO9001) to assure their customers and others that they have met reasonable standards.

...

-- FORTRAN manual for Xerox Computers --
GSquared
SSC-Dedicated

Group: General Forum Members
Points: 30191 Visits: 9730
If there's to be government-induced security on the internet, I'd rather see it in terms of encouragement than regulation.

If, for example, antivirus software were tax-deductible, for both corporations and individuals, that would be better than some complex set of rules on whether your computer should be allowed to connect.

Set up a certification standard, allow private companies to create sites that will test your computer for compliance, and if you pass certification every month or every quarter or whatever, you get $1000 off your tax bill, or added to your refund. Companies like Symantec already have sites that will test this stuff for you.

Would almost certainly result in a lot more secure computers. Wouldn't get everyone, but nothing will.

- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread

"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
John Langston
Old Hand

Group: General Forum Members
Points: 332 Visits: 525
This is not unexpected. Ninety percent of the "Internet" in the U.S. is privately owned as opposed to when it was born and the federal government was the owner. If businesses were taking care of business (Sarbanes Oxley anyone?) then there would be no need for the federal government to even hint at enforcing IT security.

There are a large number of NIST documents that are all security related and are worth the perusal. They contain nothing draconian. But as guidelines, many businesses will ignore their content even if they are aware that these documents exist. Yes, Oracle and Microsoft have, in the past, issued problematic patches but I fail to see how that becomes an argument for not patching. I also fail to see the rationale for abdicating "patchiness" to a SANS Institute if the only point in their favor is that they are "private". Private yes, free no.

DBAs need to be aware of how their role fits into the overall "defense in depth" of their organization in ensuring confidentiality, integrity, and availability of corporate computing resources. Check out NIST Special Publication 800-30 and do your own risk assessment.

At the end of the day, if business doesn't take care of business, the federal government will.



john.campbell-1020429
SSC-Enthusiastic

Group: General Forum Members
Points: 136 Visits: 336
Just going over my lecture notes on Citizenship in the Nation, which deals mainly with the US Constitution I somehow failed to find any reference to the federal govt.'s authority to regulate my computer. Please let me know which Article or Amendment this is so that I can point it out to the guys, since it sounds like they really need to know this.

Somehow I am a little skeptical of some "political entity" making rules for me to follow, for my own good. How many of us have seen the truckloads of money going down the drain for government regulated policies that we have to document and follow, and how easily they are circumvented... Anyone ever work in a place where credit card numbers were kept because "Accounting Needed the information"???

John.
Jim Lang ECCA
Grasshopper

Group: General Forum Members
Points: 23 Visits: 77
What's wrong with a private group offering low-cost or free "certification" of a site? When I was in industry, ISO 9000 was the big thing, and companies jumped to be ISO certified.

QS9000 (?) for automotive.

Why not a security standard, voluntarily supported and independently verified, such as Verisign does with SSL certificates?

No, I don't want government regulations imposed. THAT means more paperwork and overhead than is needed. I would MUCH rather deal with a vendor who proudly displays his "ISS9000" certification on his web site. THEN I would have confidence that the vendor WANTS to be secure, and is willing to take the steps to certify his qualifications.

Jim
Mike Byrd
SSC-Enthusiastic

Group: General Forum Members
Points: 145 Visits: 389
While I am all in favor of security, I just don't want government involved on deciding what I can do and cannot do or must do. Remember this is the same government where the IRS took over a brothel in Nevada for back taxes and it subsequently went broke :( And you want the same bureaucracy to regulate our databases!

I think the private market will self-regulate itself -- after all you get what you pay for.

Mike Byrd
Ben Moorhouse
SSC Veteran

Group: General Forum Members
Points: 299 Visits: 444
Jim Lang, I love that idea... I'm assuming you're thinking along the lines of the WCAG stuff for web design?