Security Idiocy Story
From the Dilbert blog:
They then said that I could not fill it out—my manager had to. I told them that my manager doesn’t work in the building, nor does anyone in my management chain. This posed a problem for the crack security team. At last, they formulated a brilliant solution to the problem. They told me that if I had a grocery bag in my office I could put the laptop in it and everything would be okay. Of course, I don’t have grocery bags in my office. Who would? I did have a windbreaker, however. So I went up to my office, wrapped up the laptop in my windbreaker, and went back down.
People put in charge of implementing a security policy are more concerned with following the letter of the policy than they are about improving security. So even if what they do makes no sense—and they know it makes no sense—they have to do it in order to follow “policy.”
jtimberman • August 6, 2008 2:23 PM
This is certainly true. When I worked at IBM, the focus for security was not on making systems secure, but on being “audit compliant.” Customers could have any settings they want that weren’t secure as long as there was a proper paper trail signed off.
Note that the security policy certainly had many settings that actually were secure. However, due to the exception process, these were easily circumvented for convenience.