http://spiresecurity.com/?p=259 Risk and Cybersecurity Analysis Wed, 21 Aug 2013 23:28:51 +0000 hourly 1 http://wordpress.org/?v=3.5.1 http://spiresecurity.com/?p=259&cpage=1#comment-351 Alex Thu, 01 Nov 2007 14:17:11 +0000 http://spiresecurity.com/blog/?p=259#comment-351 I think you could make the case that there are “common” practices or even “lazy” practices, but for the same reasons above I challange the assertion that they are “best” or even just “good”.

]]> http://spiresecurity.com/?p=259&cpage=1#comment-350 Andy Willingham Thu, 01 Nov 2007 13:27:51 +0000 http://spiresecurity.com/blog/?p=259#comment-350 Pete,
The problem is that we try to tie best practices to technology and not concepts. Even saying “you need a firewall” is a technology best practice, in a conceptual sort of way. What we need to do is say “You need to ensure that your internal systems are protected from the external world.” How is that done? Usually a firewall but that may not be the best answer in every case. Just like PCI gets fairly specific on each step they at least leave some leeway with the “compensating controls” statements. Yes auditors needs something to compare you to but if you can prove that what you have works then why should you spend extra effort on something else that is considered “best practice”.

]]>