In Depth
Five Mistakes Security Pros Would Make Again
Whether it's getting fired for standing up for what's right or making a network configuration mistake that leads to better security, there are some mistakes worth making. Five security pros offer personal examples.
By Bill Brenner, Senior Editor
- 2. STICKING A SOX IN IT
- Mistake maker: Anonymous
- Position: Director of information security
- Location: Northwestern U.S.
- The incident: Botched initial Sarbanes-Oxley (SOX) compliance initiative
"In year one of SOX, we had outlined a compliance plan and set of controls that we thought would meet the requirements. Of course, in year one, every company was making educated guesses about what their auditors would require. Because of the timing of our fiscal year, we were among the first companies to have to comply, so we had very little concrete information from other companies.
"When our auditors showed up several months before year's end, they delivered some very bad news: We had gotten it all wrong. Our controls would not meet their minimum requirements. We had to start over with only a few months to implement and test our entire SOX compliance plan and most of our controls. This was a task that had taken many companies two years to complete.
"We dropped everything, rallied the entire organization, and put in place an extremely lean and effective set of SOX controls. Not only did we pass, our auditors later said that our program was among the best and most efficient they had seen.
"While other companies built massive and complex SOX compliance programs that they would spend the next few years trying to pare down, we had built a minimalist program from the beginning out of absolute necessity. We simply did not have time to over-engineer the SOX program, so we focused on meeting the minimum requirements.
"Our error in the initial design of our SOX program and subsequent focused and hurried redesign resulted in an industry-leading program that was later praised by peers at much larger companies who had spent many times more on their programs."
- 3. CRASHING THE FIREWALL
- Mistake maker: Christine Wanta
- Position: CSO at IntraISP, a Clearwire company
- Location: Greater St. Louis area
- The incident: Suffered a firewall crash and had to rebuild rulebase from scratch
"I had a firewall rulebase crash on me while I was in it, and since I was the one in the rulebase I had to fix the situation. We did have a strong backup procedure prior to any changes, but I either did not create the backup or screwed it up or was being taught a lesson from one of my fellow admins. I don't recall.
"I had to rebuild the rulebase from scratch basically using a not-so-friendly output of a backup, going through the rulebase change requests and basically cleaning the rulebase up as I went.