

Worst IT fail ever? US agency spends millions in useless security - denzil_correa
http://www.techrepublic.com/blog/it-security/worst-it-fail-ever-us-agency-spends-millions-in-useless-security/

======
BWStearns
"Any IT group needs strict procedures on what to do when something like that
happens, and the right balance must be maintained between reacting quickly, and
not doing things that are either useless or worsen the problem."

The problem here is that the people who would write the procedure are likely
to be the ones who acted so ridiculously in the first place. Even if the
policy was written, it would likely be so ridiculously detailed (probably
indicating which exact software to use to scan for example) that it would be
harmful. It would cripple the ability of the organization to respond to newer
threats which might not be considered by the authors of the policy, and it
would be used as a shield in a future event where an obvious, but not
stipulated, response could have solved a problem but went unimplemented.

Like most of the government's problems, this could be cured by making the job
space in federal employment competitive (and firing uncompetitive employees);
however, the myriad failed attempts at this in various corners of government
seem to indicate that this may be currently impossible.

