Friday, September 9, 2011

From the Field: Sprinting Through An "APT" Casefile - Part II

How do functional users deal with situations like this where 'security' already has the IT system so locked down that they haven't done anything other than 'keep the lights on' for the last ten years?

Every time there is an 'OMG the sky is falling' type article or 'hack' in the news, security 'audits' things (which is really just them going in and taking away access to various things that they don't think users need). The head of their group has actually said, "Take it away, if the users don't ask for it back then obviously they didn't need it".... Some of the things taken away are used once a year at year end.... Know how annoying it is to search for something that you know 'should' be there, and was there when you used it last year, but due to security 'audits' is now gone?

I'm just venting, I understand the need for security as much if not more than our IT security group, but we get 'security theater' based on media reactions, while after working here for 10 years I'm still asking, "Can I have a sandbox of the system functionality and tools that we own but haven't turned on in the last 10 years to see if there is anything useful in there." With the answer being, "No. There is stuff in there that 'might' be a problem." Keep in mind I'm asking for a copy of the Vendor provided publicly available DEMO environment, and being told, "No, we don't know what we need to secure, but we know we can't give you access to a DEMO environment".

When the security group knows that they don't know enough to stop bad things, and that the only real 'secure' system is one that isn't connected to the internet and is turned off... you can end up with some messed up 'security policies' ..... I'm sure the TSA would be so proud if they could see us now.... Security Theater (without actual security) at its finest.
