Firewall Wizards mailing list archives

Re: iso 17799


From: Chuck Swiger <chuck () codefab com>
Date: Fri, 16 Jul 2004 13:47:17 -0400

avraham shir-el (arthur sherman) wrote:
i hope i'm not opening a pandora's box here, but-

i'm following this list for ~ a year now and haven't seen any mention of iso 17799. it's defined on their website as "a comprehensive set of controls comprising best practices in IS". i've seen lots on this list about best practices w/o any references to 17799.

You probably won't find references to ISO 17799 if you followed CERT's advisories, or BugTraq, or the securityfocus.com lists, either.

ISO standards seem to read like UN resolutions: "blah blah...resolved to take decisive action...blah blah...ideal security obtained through maximizing end-user satisfaction...blah blah...security policy must use the following terms to be ISO-compliant and be at least three times too complicated to make sense...blah blah...nomination and selection of ISO representatives to oversee implementation of security policy must be done through approved ISO accrediting agency...blah blah..."

The level of paper-shuffling involved with ISO standards seems to be inversely related to actually doing anything useful with regard to security.

--
-Chuck