[thelist] how secure is reasonable

Joel D Canfield joel at streamliine.com
Sat Oct 6 10:13:16 CDT 2007


> Yeah define reasonable???

Well, in the end, 'reasonable' *should* mean that you've explained the
options to the client, and *they* chose the level of security. Also
meaning, they chose the costs involved (you haven't already included
this in some other cost, have you?) Sure, if something goes wrong,
they'll blame you anyway, but do the due diligence; try to get them to
see their role in the choice. (Common mistake with this kind of thing is
to think we have to provide the answer; much better to provide
appropriate questions; see [1] below)

A secure location on a web server, with PGP/GPG encryption, would make
me comfortable with my tax forms being out there. I'll assume that if
someone can hack the web server security *and* break GPG's encryption,
they were gonna get it no matter what I did.

GPG was free last time I used it, and it adds just enough extra effort
to provide a convincing feeling of "I'm doing something important here"
(which mentality is an important part of the security process.)

It's not as fast, but a courier service could shuffle hard/digital
copies for them. Pretty difficult to intercept a CD without robbing the
courier.

By the way, unless he was talking about having the partners sit together
in the basement, I'm not sure how setting up a network in his basement
would accomplish anything. Musta missed something.

joel

[1] Last company I worked at put me in charge of the business recovery
plan. We came up with three levels of response (the 'zero loss' level,
the 'quick recovery of the basics' level, and the 'hope and pray' level)
and let upper management assess the risks vs. the costs, because in the
end, it wasn't an IT/technical decision, it was an Ops/business
decision. Puts the responsibility with the authority it's attached to.


