Tuesday, November 27, 2012

Typical Request to IT Security

This is what you sound like, people:

"I put up a new web app and I need your approval.  I already spent $250,000 dollars on it and five business units are running on it every day so we need to get this done quick.  It runs on IIS 2.0 and NT 4.0 but don't worry too much because it runs on the original unpatched versions, not those crazy, patched up, service pack versions that have all those holes.  It's really easy to install because it mostly uses default settings and everything runs on the same server; the app, the database, the authentication mechanism, the works.  And it's easy to manage because all of the programmers from the company we bought it from still have full admin rights to the box.  We don't have to worry about integrating with AD because all of the user ids and the passwords are managed right within the app.  And you can add new ones with a text editor so we don't need complex user management."

"There's only a little patient and doctor data so there shouldn't be any compliance issues.  It has addresses, some basic demographic data (age, sex, height, weight, that kind of stuff), and social security numbers but there are no test order codes or test results so we should be OK on the PHI front.  There's a module for people to enter their credit card numbers but we haven't told anyone about that so if they put their card numbers in, it's their own fault."

"Can you please approve this in the next couple of hours?  I already told people that you did so it's really just a formality."