On 6/30/2010 4:39 PM, m.roth at 5-cent.us wrote:
>> companies/business units/administrators police themselves so you need
>> metrics for someone else to test with. And even internally you need to
>> document why the failure of any standard check should be overlooked.
>
> No, the security people should have defined requirements specifically for
> our environment, rather than using something that's designed, say, for a
> std. corporate IT dept.

I like the sentiment, but the people making the situation-specific rules
would need to know more than the people actually doing the work, which
doesn't seem likely to happen. And there's some value in making everyone
follow the same rules.

--
Les Mikesell
lesmikesell at gmail.com