May 7, 2011

"The Worst Information Security Advice Ever"

Inspired by Lenny's post on "The Worst Information Security Advice Ever", I put a few of my own here:

  • "We can save the money on the firewall, because we will have an excellent IPS deployed next week," said the CIO.
  • "We hired consultants to create the policy for us, and we will pay them to audit our PCI compliance status later on. So I know we are safe," said the CISO.
  • Disable the "change password" capability. This keeps users from forgetting their passwords and saves us from having to reset them.
  • Limit the event log size to 3 MB to keep the hard disk from filling up.
  • We're just too big to FAIL.

P.S.: All the "advice" above is what I collected (in real life) over many years of working experience. These are not recommendations they themselves made.