October 31st, 2005, 08:23 AM
#1
I use the TFM
How many here rely on good documentation?
"The importance of the TFM in supporting the operation of a secure computer system cannot be over estimated. Even if one assumes, hypothetically, that all users of a system and their applications are trusted, and that they will use all of the available protection mechanisms correctly, the system may still be administered and operated in an insecure manner. This may be especially true when administrative users lack the skill, the care, or the interest to use the system properly. ~ NCSC-TG-016 "
-
October 31st, 2005, 03:04 PM
#2
Yes.. I use TFM.. (isn't "The TFM" a bit double?? (TFM == The F-ing Manual), right??)
In my case:
http://www.slackbook.org/ (have the printed edition of Slackware Essentials from http://store.slackware.com/ )
O'Reilly: LPI Linux Certification in a nutshell
Ira Pohl & Al Kelley: A Book on C
Ira Pohl: C++ for C Programmers
SuSE books that came with the CD/DVD's
Some more O'Reilly books like Linux in a nutshell
And of course: http://tldp.org/
ASCII stupid question, get a stupid ANSI.
When in Russia, pet a PETSCII.
Get your ass over to SLAYRadio the best station for C64 Remixes !
-
October 31st, 2005, 03:23 PM
#3
Not sure, but knowing !mitationrust a bit and looking at the text itself, I do believe he means "Trusted Facility Manual" or "Trusted Facility Management".
Guide to understanding trusted facility management
Oliver's Law:
Experience is something you don't get until just after you need it.
-
October 31st, 2005, 04:12 PM
#4
Ah.. I knew I should have googled NCSC-TG-016
In that case.. Nope.. Our company will have to move to a different location to ever be a Trusted Facility..
-
November 1st, 2005, 08:37 AM
#5
Nope. I don't trust anything that has the word "trusted" in its name.
I came in to the world with nothing. I still have most of it.
-
November 1st, 2005, 09:12 AM
#6
No I don't!
The TCSEC was originally published on 15 August 1983
How many viruses, trojans, worms etc. have we seen since then... and they hit places that should be compliant?
The importance of the TFM in supporting the operation of a secure computer system cannot be over estimated
As soon as I read a statement like that I switch off, because I know the rest will be bullcrap... if real life were like that it would be like painting by numbers, and I could replace most of you with a 286.
The same can be said of design and development methodologies... follow them to the letter and you will design and develop nothing.
Rules are made to be broken, corners to be cut... if you cannot handle that then you had better go live in an ivory tower, because you will not be able to hack it in the real world.
Whilst theoretical models are all well and good, the real world is driven by practicality, affordability and acceptable risk; and those parameters are not within the ambit of the IT function.
In my experience, the best you can hope for is to get some of the most obvious concepts accepted. The only exception is legislatory compliance, of course.
My £0.02
If you have any problems with this, just read poor old HTRegz's thread regarding "advice"... that is the real world, I am afraid.
-
November 1st, 2005, 09:17 AM
#7
Yes, it's a manual; more specifically, as noted above, the Trusted Facility Manual. I think DoD terminology intimidates people. Trusted Facilities doesn't always mean nuclear silos. These manuals should reside in the hands of the local library admin. It's just that they can go that far in terms of describing the system's limits in terms of security. Hence COTS.
"The manual shall describe the operator and administrator functions related to security, to include changing the security characteristics of a user." ~ DoD 5200.28-STD
Basically, people (the vendor) who know 1,000 times more about the system than you have documented their knowledge so admins and operators don't have to waste their time (money) attempting their own research on the system's security configuration. It's really helpful when the system is first released to the public. That is one of the manual's purposes.
I was just curious about the methods you guys use to run your ships. Do you rely on good documentation.... or do you rely on trial and error?
You will be assimilated RC.
To me this seems to be the smartest way to accomplish what you're paid to do.
-
November 1st, 2005, 10:30 AM
#8
Hi Rusty~
If you guys rely on good documentation.... If you rely on trial and error?
Those are not necessarily antitheses?
As I feel that we may be talking at cross purposes here I will outline what I consider to be pretty normal or at least desirable.
There are 4 fundamental facets of security that must be considered:
Internal
External
Physical
Systems
You look at your processes and the procedures and applications that support them.
You look at your personnel and their responsibilities.
You allow your personnel sufficient access and authority to discharge those functions, AND ONLY THAT!
You establish appropriate checks and balances to monitor and manage your processes. By definition that includes the supporting procedures and applications.
The whole exercise should be conducted from the top down... "bottom up and you will belly up".
I say that because all organisations have a purpose or functionality. This is NOT to run processes, procedures or applications. They merely enable the organisation to achieve its objectives.
I do not set great store by vendors' manuals when it comes to processes or security. Firstly, they are no substitute for a proper business analysis exercise and secondly, if they were that damn good, why do all these vendors keep releasing security patches (but never a patch for the manuals)?
-
November 1st, 2005, 11:04 AM
#9
We use BS7799 (ISO17799 soon to be ISO27000 series) and aim to be compliant with it but not certificated to it. Manuals/documentation/policies and procedures are all used and written in such a way as to be compliant with BS7799.
We also use a derestricted subset of documents from the 'Manual of Protective Security (MPS)'. The MPS is restricted though I can make a business case to request particular documents.
I also have to comply with various codes of conduct where we do have to deal with protectively marked documents and hardware is rated against Common Criteria.
-
November 1st, 2005, 11:12 AM
#10
Hi Aspman
The problem with BS/ISO and most other documentation standards is precisely what they say: "Documentation"
You can have the crappest policies, processes and procedures on earth, but so long as they are properly documented and adhered to, you will pass certification.
My point is that they deal with replication rather than quality.