2005-04-26
Paranoia is the key to success in the security world. Is it time to worry when other security professionals consider you too paranoid?
Security for the Paranoid
2005-04-26
Anonymous (5 replies)
Security for the Paranoid
2005-04-26
Anonymous (1 replies)
Security for the Paranoid
2005-04-26
Jeroen Kemperman (2 replies)

1) Have you really considered if your policies are actually improving security? For instance, long passwords (especially with the non-security conscious) tend to encourage users to use easily guessable passwords such as words and phrases, or to write them down.
2) There is no such thing as "strong security". Security is always a risk-benefit tradeoff (otherwise why not use 500 firewalls?) and you have lost contact with reality. For instance, if it takes you an extra 3 minutes every time you boot your machine, and one hour to restore your machine from backups (I assume you have good backups?) then you are wasting your time after only 20 days. Although numbers may vary, and it's not so mathematical to analyze the risk of identity theft, you should get the point. Your bank and credit card probably limit the risk you take with online banking; do you understand what risk you are actually taking?
3) You didn't even mention one of the most important security measures: regular and historical backups, on and offsite. Although this won't prevent intrusions or identity thefts, it will prevent data loss from not only hackers and viruses but also from fire, theft, acts of God, yourself, etc.
Link to this comment: http://www.securityfocus.com/comments/columns/320/31590#31590