Administrative Control

By cliangNo Comments
Certain cybersecurity practitioners insist to impose technical controls to secure the infrastructure/system. To some degrees yes, basic technical controls will prohibit human error or low skill attacks. Adding technical controls will never secure the infrastructure/system more. At some points, more controls will even degrade the security due to a number of issues: People will find ways to circumvent controls because affecting productivity (writing down complex password)New control might introduce new system weaknessExtra efforts are required to sustain the control effectiveness (upgrade, backup, other housekeeping tasks: patch, patch, patch ...) These are always the neglected elements. Sometimes, exercise administrative control will enforce discipline internally while externally relying laws & regulations. ...
Read More

Dual Standards

By cliangNo Comments
It is no harm to have dual standard to fit specific use case. As long as the directive is clearly stated, it is fine. For badly written policies, the policy requirements are subject to interpretation creating chaos. This happens especially due to incompetent cybersecurity practitioners. Therefore, the outcome of any security assessment should not just look at how the system is designed, built and operate. Validating the policy statement if it is up to industry best practice and practically achievable in commercial world are also equally important. ...
Read More