Force BP to make an offer to its competitors - if they can fix it before BP - they can have exclusive rights to the well and BP will still be held responsible for the cleanup effort.
Air conditioners work more efficiently w/ hotter air. If you contain the hot aisle and use it as input for your AC and have the cool air exhausted from the AC units into the cold area of the room you can reduce the power draw required for cooling.
Well-defined and documented security policies are practically useless if they are not technically enforced.
IT departments need to stop faulting the user as "They forgot X when handling information of Y type" because not every user who will be handling sensitive data will be capable of remembering and understanding how sensitive data should be handled. For example, do you think every person you talk to at a call-center at a health insurance company or hospital is a technical person, or are they a low-income, low-skill level employee? They are often handling sensitive information due to the nature of their job, but they are often not technically skilled and may not even be capable of learning technical skills.
IT departments are in place to make companies operate more efficiently while protecting the business. The IT department should be allowing the business to use a low-income/low-skill level employee to perform entry-level jobs like 'call-center operator', while minimizing business risk, because it is more efficient for the business to use the low-income/low-skill level employee as opposed to a high-income/high-skill level employee.
In order for the IT department to accomplish the goals defined by its business role it needs to ensure that its security policies are enforced automatically and with minimal impact to the end-user. The IT department has to make handling data the right way the easiest way.
Example Scenario:
If you know that an employee in X role is going to be handling sensitive information, define a policy that specifies various ways to protect the data. For example, in a policy you could state that transferring information via unencrypted protocols like FTP, SMTP (E-Mail), etc. is not allowed. Once you have done this, ensure that you block outbound FTP access via the firewall and host an SSL encrypted FTP server at your site as an acceptable alternative for your end-user. Encrypt all outbound employee email using things like TLS, and force messages that are not destined for a pre-configured TLS partner to be forwarded via a TLS encrypted SMTP session to an independent service provider w/ an NDA that will host the messages for retrieval via an SSL secured web site while forwarding a non-sensitive email to notify the recipient that they need to log in using their email address as a username and the previously agreed upon password. (One example of a service provider that will do this is Postini)
There are lots of ways to protect data to enforce policies with minimal user impact, but they require a creative IT department and a budget that allows them to be effective.
If a business is handling sensitive customer information, they have a responsibility to handle it well. IT departments should be tasked to implement things like Encrypting File System (EFS) for encrypting data on fileservers, backup tape encryption, 802.1x authentication for wired and wireless clients, two-factor authentication for network resources, segmented VLAN structure for various parts of networks (user, server, management, printers, etc.), OS and application deployment standardization, regular audits, IPsec encryption of all network data, policy outlined and pre-defined patching cycles, etc.
In my experience many companies that should care about security don't. I have consistently made companies handling personal information (banks, insurance agencies...) aware of glaring inadequacies in their IT/physical security implementations, and provided recommendations on how to remedy the issues. The usual response to this is to be told that they aren't going to fix them, so stop bringing it up. As I learn more in the areas of network engineering, programming, and database administration I see more and more vulnerabilities.
I see programmers taking shortcuts either due to ignorance, ineptitude, or unrealistic project deadlines being pushed on them. Most programmers don't have a very good understanding of security or network engineering/administration which often exacerbates the issue.
I see a pool of generally incompetent network engineering/administration staff available every time I begin to interview to fill a position. I see network engineering/administration 'professionals' who eagerly drop responsibility like a hot potato by handing off projects to other business units (EX: development). Once the project is handed off they are often unwilling to work on educating employees in the other business units on items like security. To be a truly valuable network engineer you need to learn multiple technical disciplines and to work with them.
I see management make decisions without appropriately defining project scope, goals, and requirements. I have seen well-planned and thought out projects to enhance security denied simply on the basis that they provide no new shiny feature for management to fawn over or advertise. Management often views security as a cost and as much as they may love to throw around various business terms like Value-Added, Responsibility, Efficiency..., they don't really understand what they mean.
There usually isn't one department to blame. What I have seen is that there are not many 'jack of all trades, specialist of most' and unless your business is strongly compartmentalized with an excellent management team defining policies, procedures, project scope, requirements, goals etc., your business will suffer these issues. The problem is that very few companies can afford this type of configuration (HP, Dell, Defense contractors, etc.). Additionally, if you are a 'jack of all trades, specialist of most', you most likely have avoided working for these companies out of fear of being locked into one functional area, stunting your growth in others.
Based on the above, my question is where does a 'jack of all trades, specialist of most' go to be satisfied in their career?
1.) A large enterprise, where it is likely you will be focused on one functional area and bored.
2.) A small-mid size business where you are likely to see what you would consider atrociously handled sensitive data.
3.) A small-mid size business that doesn't handle sensitive data, but as a result doesn't pay very well and is often not very challenging from an IT perspective.
4.) Become an independent consultant at immense personal financial risk only to learn that you still have to work with the above companies?
5.) Other
To the other (IT focused) 'jack of all trades, specialist of most' out there, are you happy with your career? If so, what do you do - I am looking for some better options.
P.S. On a side note I learned something about myself from posting this - I am a lot more bitter than I thought.
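The enforcement step from the example scenario above, as an added illustration that is not part of the original post: the written rule ("no unencrypted FTP or SMTP") becomes a decision the controls apply automatically, with plain FTP blocked in favour of an FTPS host, pre-configured TLS partners delivered over mandatory TLS, and everyone else routed through a secure-portal relay. The partner domains, FTPS host and relay host are assumed placeholders.

```python
# Added example (not from the original post): the outbound-transfer policy
# from the scenario above, expressed as the decision the technical controls
# enforce. Partner domains, the FTPS host and the relay host are constructed.
from dataclasses import dataclass
from enum import Enum

class Action(Enum):
    ALLOW = "allow"                  # already encrypted; proceeds unchanged
    BLOCK = "block"                  # firewall drops it; user is told the sanctioned path
    REQUIRE_TLS = "require-tls"      # SMTP session must negotiate TLS or fail closed
    SECURE_PORTAL = "secure-portal"  # relay to NDA'd provider; recipient gets a notice

@dataclass(frozen=True)
class Decision:
    action: Action
    detail: str

# Constructed policy data (assumptions, not from the post).
TLS_PARTNERS = {"partner-insurer.example", "hospital-group.example"}
FTPS_HOST = "ftps.corp.example"                 # in-house SSL/TLS FTP server
SECURE_RELAY = "secure-relay.provider.example"  # third-party secure-portal relay

def decide(protocol: str, dest: str) -> Decision:
    """The written policy says 'no unencrypted FTP or SMTP'; this is the control
    that makes it hold without the user having to remember it."""
    proto = protocol.lower()
    domain = dest.lower().rsplit("@", 1)[-1]  # accept user@domain or a bare host
    if proto == "ftp":
        # Plain FTP is blocked outbound; the sanctioned alternative is FTPS.
        return Decision(Action.BLOCK, f"plain FTP denied; use {FTPS_HOST} (FTPS)")
    if proto == "smtp":
        if domain in TLS_PARTNERS:
            # Pre-configured TLS partner: deliver directly, TLS mandatory.
            return Decision(Action.REQUIRE_TLS, f"deliver to {domain} over mandatory TLS")
        # Everyone else: hand off to the secure-portal relay over TLS; the
        # recipient only ever receives a non-sensitive notification e-mail.
        return Decision(Action.SECURE_PORTAL, f"relay via {SECURE_RELAY}; notify {domain}")
    if proto in {"ftps", "sftp", "https"}:
        return Decision(Action.ALLOW, f"{proto} to {domain} is already encrypted")
    # Default deny: anything not listed is not a sanctioned transfer method.
    return Decision(Action.BLOCK, f"{proto} is not a sanctioned transfer method")

if __name__ == "__main__":  # constructed requests from a call-centre workstation
    for proto, dest in [("ftp", "files.vendor.example"),
                        ("smtp", "claims@partner-insurer.example"),
                        ("smtp", "someone@mail.example"), ("sftp", "drop.vendor.example")]:
        d = decide(proto, dest)
        print(f"{proto:5} {dest:32} -> {d.action.value:14} {d.detail}")
```

The same decision table is what you would encode in the firewall rules and the mail relay's TLS policy; keeping it default-deny is what makes the policy hold for users who never read it.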
It can identify political dissidents 5x faster
What's the matter? Chicken? Buck Buck Buckaw! Sounds like a smoke-screen post from a 2nd-string programmer. (j/k - couldn't resist)
Thank you. I'm glad some people read the post despite the fact that it wasn't bumped up by moderators. :)