First, can we stop pretending to be more intellectually honest by using “good” instead of “best” practices?


Despite the seeming rhetoric to the contrary, a list of universally accepted “good” or “best” practices doesn’t exist. At best, practitioners use them similarly to what Justice Potter said about pornography: “I can’t tell you what the best practices are, but I know one when I see one.” At worst, they are created on the fly to justify an ad-hoc risk analysis (playing cyber-cop): “best practices say you can’t do that, neener, neener, neener.” As this blog has mentioned before, the entire concept of “good practice” is simply a lazy man’s risk analysis. Inasmuch as it would seem good and professional to the reader to do as Donn Parker suggests and hope that we could be standardized like accounting principles, the reality is that security is far too dynamic for that analogue to work (which is why I always find it odd that good practices are offered as a remedy by those who would suggest that risk analysis doesn’t work because attackers are “asymmetric”. I’m not sure this asymmetry is
