Protection does not equal prevention
Gunnar Peterson has a brief post up on the two most important rules in information security:
1) Protect your assets
2) See rule 1
I would like to add a rule 0 to that:
0) Do not store what you do not use
I know this is just about perpendicular to the data warehousing approach that many organizations are taking, but face it: if you don't have it, you don't have to secure it.
Having said this, it is ignorant to assume that protection equals prevention, and any organization should also plan for failure in addition to protecting its essential assets.
PS: I am not accusing Gunnar Peterson of being ignorant :-) Unlike many others, he seems to include prevention in protection.