Wednesday, 7 January 2009

Today I am frustrated...

I have spent the day helping a customer to write a new security policy. In that policy there was a section about how new security functions should be security cleared before they where released. The thinking behind this was shorten the time for testing and implementation.
Other parts of the policy included a definition of what and why something needed protection, who should have access to the information and during which circumstances? In this company everything related to their customers is regarded to be extra sensitive. This comes as no surprise as this is a company in the service sector and their relationship to their customers is the only real asset they have. They would loose a lot of business if their customers secrets where revealed.
Now the reason for my frustration…during the meeting the CFO of the company came into the meeting, all fired up. He had attended a seminar about “cloud computing” and now he had seen the light. Out with the old…bring in the new….
It was fairly easy to see that this “brand new “ idea not really was in conjunction with their security policy. I would call it stupid to outsource this information but I on the other hand do not trust anyone…and WHY do we always jump on the latest ideas…without thinking about the security implications. Now they have an internal battle with the CFO who thinks that security people do not understand the reality of business…and security people that thinks the CFO is a moron.
My tip of the day….always ask outsourcing companies for SLA:s and their security policies.

No comments: