Comments on: Why does forum software has more security features than “enterprise” tool chains? http://www.greebo.net/2007/09/27/why-does-forum-software-has-more-security-features-than-enterprise-tool-chains/ mostly useless crap from me Thu, 04 Dec 2008 19:40:33 +0000 http://wordpress.org/?v=2.6.5 By: Big Red http://www.greebo.net/2007/09/27/why-does-forum-software-has-more-security-features-than-enterprise-tool-chains/#comment-14912 Big Red Tue, 16 Oct 2007 00:56:55 +0000 http://www.greebo.net/2007/09/27/why-does-forum-software-has-more-security-features-than-enterprise-tool-chains/#comment-14912 Not strictly related, but a good paper for the warm fuzzy old days from before you or I were born. PE Not strictly related, but a good paper for the warm fuzzy old days from before you or I were born.

PE

]]> By: Big Red http://www.greebo.net/2007/09/27/why-does-forum-software-has-more-security-features-than-enterprise-tool-chains/#comment-14535 Big Red Mon, 01 Oct 2007 01:31:18 +0000 http://www.greebo.net/2007/09/27/why-does-forum-software-has-more-security-features-than-enterprise-tool-chains/#comment-14535 "Accountability is simply missing. Yes, many systems have logs, but they are business irrelevant. My personal view is that if a business person doesn’t care about a log entry, it’s not worth collecting. Accountability is the key here, not 1 GB of logs per day " Couldn't agree more Nodster. There's a veritable shitload of wasted resource on collecting info that's never (going to be) used. As well as asking "Why?" and "How" questions around each datum, it's often worth getting a risk or legislative compliance person involved. Been to one client site recently where they were collecting (what seemed to me) the weirdest collection of stuff. When I asked why, it ended up they had gone through an extensive risk/legislative review (compared against business rather than technical ends) and found the bare minimum of stuff they needed to collect. The geeks added in a couple of other data, which they wanted to use for performance tuning purposes. Good post. PE “Accountability is simply missing. Yes, many systems have logs, but they are business irrelevant. My personal view is that if a business person doesn’t care about a log entry, it’s not worth collecting. Accountability is the key here, not 1 GB of logs per day ”

Couldn’t agree more Nodster. There’s a veritable shitload of wasted resource on collecting info that’s never (going to be) used.

As well as asking “Why?” and “How” questions around each datum, it’s often worth getting a risk or legislative compliance person involved. Been to one client site recently where they were collecting (what seemed to me) the weirdest collection of stuff. When I asked why, it ended up they had gone through an extensive risk/legislative review (compared against business rather than technical ends) and found the bare minimum of stuff they needed to collect. The geeks added in a couple of other data, which they wanted to use for performance tuning purposes.

Good post.

PE

]]>