On Jun 30, 2010, at 6:03 PM, Les Mikesell <lesmikesell at gmail.com> wrote:

> On 6/30/2010 4:39 PM, m.roth at 5-cent.us wrote:
>>> companies/business units/administrators police themselves so you need
>>> metrics for someone else to test with. And even internally you need to
>>> document why the failure of any standard check should be overlooked.
>>
>> No, the security people should have defined requirements specifically for
>> our environment, rather than using something that's designed, say, for a
>> std. corporate IT dept.
>
> I like the sentiment, but the people making the situation-specific rules
> would need to know more than the people actually doing the work, which
> doesn't seem likely to happen. And there's some value in making
> everyone follow the same rules.

Plus, one can also write up a detailed report for any given exception explaining either why it is not applicable for a given platform (including exploit test results) or that there is a definitive business reason why the exception must exist and that there are mitigating controls around it.

-Ross