On Wed, Jun 30, 2010 at 5:02 PM, m.roth@5-cent.us wrote:
Frank, I'm not sure of the object of your part of the conversation, me, or the security team that I have to deal with. I'm also feeling as though we're talking past each other. They ran the scan. My manager handed the response handling of it to me. As part of what I did, I had to turn off the laser printers access to their own h/d/ramdisk, thus afflicting the printers. I did not turn the access back on, so some of the capabilities and speed of these printerSSS is utterly wasted, and for what? Someone might get through the gov't firewall, and fill up the h/d on the printer? Someone might run the trays out of paper?
The copy machine requirements are relatively recent, though the problem has been around for years. Apparently the hard drives inside the copiers store faxes and images going back for months (depends on capacity and configuration). Though I usually scoff at the latest "massive problems" that make the news, this one did have me worried. There was a TV expose' that showed how easily one could purchase a used copy machine, disassemble the hard drive, then have access to months of confidential information that got stored on the hard drive. I *never* considered that making a copy at a Kinko's could leave my private information in someone's hands.
To me, this indicates that they have *no* concept of what they're requiring, that they've included treating printers as though they were servers or workstations.
Right, the scanners rarely have any idea of what it is that they're requesting. They've often asked me for screenshots of a Putty session to "verify" that a setting is correct. In essence, they are trusting the person providing the information to comply with the requirement.
And of course the other problem is that the requirements are rather vague.
But then, they also had problems with several servers that another admin takes care of, complaining that they could allow certain kinds of access, which would be true of any *Nix variant... but don't exactly work in VMS. One size of security does *not* fit all.
For many compliance efforts, showing that a problem is mitigated by other controls is sometimes enough for compliance.