Re: security compliance vs. old software versions


On Jun 30, 2010, at 6:03 PM, Les Mikesell <lesmikesell@xxxxxxxxx> wrote:

> On 6/30/2010 4:39 PM, m.roth@xxxxxxxxx wrote:
>>> companies/business units/administrators police themselves so you need
>>> metrics for someone else to test with.  And even internally you need to
>>> document why the failure of any standard check should be overlooked.
>> 
>> No, the security people should have defined requirements specifically for
>> our environment, rather than using something that's designed, say, for a
>> std. corporate IT dept.
> 
> I like the sentiment, but the people making the situation-specific rules 
> would need to know more than the people actually doing the work which 
> doesn't seem likely to happen.  And there's some value in making 
> everyone follow the same rules.

Plus, one can also write up a detailed report for any given exception explaining why it is either not applicable for a given platform (including exploit test results) or that there is a definitive business reason why the exception must exist and that there are mitigating controls around it.

-Ross



_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
