http://blogs.technet.com/b/jesper_johansson/archive/2006/07/19/441848.aspxI've been trying to come up with a list of attributes that a security solution needs to have to be complete and sufficient. The idea is to develop a set of attributes that can be used when analyzing security to see if it fulfills the needs of the situationen-USTelligent Evolution Platform Developer Build (Build: 5.6.50428.7875)http://blogs.technet.com/b/jesper_johansson/archive/2006/07/19/441848.aspx#2952686Sun, 02 Mar 2008 22:15:39 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:2952686Required Attributes of Security Solutions | Secure Software Engineering Blog<p>PingBack from <a rel="nofollow" target="_new" href="http://www.secure-software-engineering.com/2008/03/02/required-attributes-of-security-solutions/">http://www.secure-software-engineering.com/2008/03/02/required-attributes-of-security-solutions/</a></p> <img src="http://blogs.technet.com/aggbug.aspx?PostID=2952686" width="1" height="1">http://blogs.technet.com/b/jesper_johansson/archive/2006/07/19/441848.aspx#443538Wed, 26 Jul 2006 22:40:50 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:443538Josh MaherThis is great, sounds just like the requirements of an accounting system. Although one of the requirements is missing, Relevancy. It isn’t surprising though that the same requirements would exist; you are effectively doing the same thing. In accounting you have a system that is required to know everything about business transactions and effectively report to management and external sources the information that is relevant to them. This is the same basic requirement for a security system. I had never really thought about the two this way (until I saw this list). Additionally an accounting and a security system can have other requirements, like enable faster responses to changing… security threats or economic environments. Hmm, way more similarities then I have room for in a comment… I’ll post a better write up later joshmaher.wordpress.com<div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=443538" width="1" height="1">http://blogs.technet.com/b/jesper_johansson/archive/2006/07/19/441848.aspx#442986Sun, 23 Jul 2006 22:43:42 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:442986UMACF24I like Lazy and Robust for security. Typically, security systems are delivering a policy, and if a policy is going to work, it has to be Lazy and Robust. <br> <br>Lazy -- it's easier to obey than to ignore or bypass <br> <br>Robust -- whatever the current compliance status is, application of the solution will tend to improve it over time <br> <br>Is that too pessimistic?<div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=442986" width="1" height="1">http://blogs.technet.com/b/jesper_johansson/archive/2006/07/19/441848.aspx#442814Fri, 21 Jul 2006 20:14:06 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:442814SusanNot sure where this fits.. but a solution needs to be 'delegat-able'.. such that parts can be delegated to members of the team in a manner that only those parts/rights/modules, etc that are deemed needed for that person/team member to perform the task are given to them. &nbsp; <br> <br>But is that part of adaptable?<div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=442814" width="1" height="1">http://blogs.technet.com/b/jesper_johansson/archive/2006/07/19/441848.aspx#442560Thu, 20 Jul 2006 01:37:28 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:442560Keith B. RosenbergHow about affordable? If small organizations with extremely limited budgets cannot afford the solution, then it is of no use to them. And they need it the most precisely because they have fewer resources and any downtime might bring the end of the organization. <br> <br>There are only 500 companies in the Fortune 500, but hundreds of thousands of organizations at the other end of the spectrum who are desperate for inexpensive and robust solutions!<div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=442560" width="1" height="1">