| Name: | Matt Bishop | Organization: | University of California Davis | Post Date: | 9/30/2005 |
| Section: | 6.2.1 | Page no.: | 2-6 | Line no.: | |
| Comment: | Further, the standards choose language to avoid constraining the vendor’s choice in access control policy and enforcement mechanisms. This potentially allows vendors to use practices that are considered poor. For example, one section [7, Vol I §6.2.1 g] requires vendors to “provide a description of recommended policies for . . . segregation of duties,” while it would not have been much harder to require that the vendor’s policy adhere to the principle of separation of duty wherever applicable. The incorporation of this best practice in a security policy should not be left to the vendor’s judgement. |