Yesterday, I posted on The Value of Security Audit and Bruce Schneir's recent writings on the topic. Today, Richard Stiennon posted on the topic in an expansion of his three security laws.
He writes (abbreviated):
"...the first two rules could be simplified to 1. Don’t trust the network. 2. Don’t trust end points. But that level of simplicity does not transfer to people. You have to trust your users. So, borrowing from Ronald Reagan’s immortal words Trust but verify, you have to apply the following...He continues and suggests that making security achievable requires all three. The idea that monitoring and alerting is required has finally become mainstream. More and more smart people seem to be listing it as a necessary component of a secure environment.
1. Strong authentication and granular access controls.
2. A published policy on acceptable use of resources.
3. A monitoring and alerting system that informs the user of policy violations."
..our little baby is all grown up (sniff).