Chris's Wiki :: blog/sysadmin/SecurityIncidentGrounding Comments
https://utcc.utoronto.ca/~cks/space/blog/sysadmin/SecurityIncidentGrounding?atomcomments
DWiki
2014-02-15T22:32:54Z
Recent comments in Chris's Wiki :: blog/sysadmin/SecurityIncidentGrounding.

By MikeP (http://snowcrash.ca) on /blog/sysadmin/SecurityIncidentGrounding
<div class="wikitext"><blockquote><p>At some point the right answer is 'more work to stop another incident is less important than what we were doing before'. However bad it may sound and feel, we'll need to simply live with the possibility of another incident happening (or there being undetected aspects to this one) and to move on.</p>
</blockquote>
<blockquote><p>(And then if (when) there is another incident, we don't beat ourselves up about this choice even though we can't say 'we did the best we could to prevent it'.)</p>
</blockquote>
<p>Your first statement contradicts the second. Of course you did the best you could to prevent - given all the constraints in the first segment I quoted. You can't say "we did <em>everything possible</em>" but that's not the same as "we did our best." Recognising that difference is to me the sign of a responsible system administrator: "I could have done X, but because of Y and Z, I didn't." When another breach happens, you may feel compelled to revisit your reasoning, but that doesn't necessarily mean that the reasoning in the first place was faulty.</p>
<p>signed, somebody who technically professional security incident responds</p>
</div>
2014-02-15T22:32:54Z