compromising OS/2 or Multics? So the primary remote access to our file server is TFTP; our spin is that any protocol that old is “time-tested.” So our password security policy requires LAST-NAME followed by YEAR; we emphasize that we have a rule for password expiration built right into our password security policy.

No baselines to measure, no checklists to distract us, no concern over best practices, no specific objectives to define. COBIT? Out the window. FISCAM? Who needs it? SOX, HIPAA, GLB? No thank you.

So the next time someone challenges your organization’s security model, rather than beating around the bush, making excuses, blaming budgetary woes, faulting management’s lack of vision, or chastising vendors, think outside the box. State up front that your security model is faith-based and take a swerve around all the minutiae. Treat these details like all of those log files you haven’t reviewed since you upgraded to NT Service Pack 2. Build in backward “time basing” to the ultimate IT apocalypse—the implosion of the commercial Internet. After that, who will care about digital security anyway?

HAL BERGHEL is associate dean of the Howard R. Hughes College of Engineering at the University of Nevada-Las Vegas, the director of the Center for Cybersecurity Research (ccr.i2.nscee.edu), and co-director of the Identity Theft and Financial Fraud Research and Operations Center (www.itffroc.org).

© 2008 ACM 0001-0782/08/0400 $5.00

DOI: 10.1145/1330311.1330315

