Firewall Wizards mailing list archives
Re: How do we do our job? (was Re: Network Security Certification)
From: darrenr () reed wattle id au
Date: Thu, 30 Apr 1998 02:01:00 +1000 (EST)
In some email I received from Bennett Todd, sie wrote:
> 1998-04-29-12:59:54 Darren:
> > If your boss walked in tomorrow and asked you how you knew your firewall was protecting you, what would you use as evidence?
>
> I'd point to our security policy.

[...] So what? Who's verified that your security policy is any good? Anyone? Maybe it's just full of mumbo jumbo that looks impressive but is full of loopholes? The need for 3rd party review simply cannot be ignored.

> > Sure, there's a handful of people running around who can do this, but what assurance do you have that you're getting the right people?
>
> The same assurance you have when getting any kind of people. If you have the expertise in house to grill the candidate, then you do; if you don't have that expertise then evaluate candidates based on how well you like them and the extent and relevance of their claimed experience, then check their references carefully. This is an old problem with an old and well-trusted solution.

I don't trust the interview method. I've come across one person who was employed on the basis that they did well in cross examination, but when put in the field... well... they failed mine :-)

> > Do you look for ISO qualifications for their reporting or CISSP exams passed [...]
>
> I sure wouldn't, any more than I'd look for certificates when picking a systems administrator, or a programmer, or anybody else. Certificates demonstrate a desire to get certificates and a skill at getting certificates; I've never had any use for that desire and ability.

Do they? What about cases where there's a need to get certificates in order to get business? If you wanted to get in on a Government Contract but in order to do so you needed ISO 9000, would you decide to turn it down based on that? In my mind, it is reasonable to expect that some certificates are there because they don't represent just a desire to get the certificates, but a desire to do the work required to get them too and a desire to meet a client's needs.

Darren
Current thread:
- Re: Network Security Certification Anton J Aylward (Apr 28)
- Re: Network Security Certification Bennett Todd (Apr 28)
- Re: Network Security Certification darrenr (Apr 29)
- How do we do our job? (was Re: Network Security Certification) Bennett Todd (Apr 29)
- Re: How do we do our job? (was Re: Network Security Certification) darrenr (Apr 29)
- Re: How do we do our job? Bennett Todd (Apr 29)
- Re: How do we do our job? (was Re: Network Security Certification) Marcus J. Ranum (Apr 29)
- Re: Network Security Certification darrenr (Apr 29)
- Re: Network Security Certification Bennett Todd (Apr 28)
- Re: Network Security Certification Paul D. Robertson (Apr 28)
- Re: Network Security Certification David Collier-Brown (Apr 29)
- Re: Network Security Certification Bruce K. Marshall (Apr 29)
- <Possible follow-ups>
- Re: Network Security Certification Shane Mason (Apr 29)
- Re: Network Security Certification Marcus J. Ranum (Apr 29)