Full Disclosure mailing list archives
Re: Compliance Is Wasted Money, Study Finds
From: J Roger <securityhocus () gmail com>
Date: Wed, 7 Apr 2010 11:31:28 -0700
That's not entirely the case. Auditors aren't robots. It's their job to make determinations about your organizations capabilities and how they map against somewhat loosely defined compliance standards that have lots of wiggle room and lots of gray areas. All the gray areas are extremely useful to auditors so they can massage things around such that the organization can pass and be happy and hire them again next year. An auditor can very well see that your organization has a "throw alert on exception" mechanism in place and determine that meets the "review logs" requirement. box checked On Wed, Apr 7, 2010 at 9:43 AM, <Valdis.Kletnieks () vt edu> wrote:
On Wed, 07 Apr 2010 10:24:00 EDT, Keith Tomler said:BALONEYAs an Information Systems Auditor, it seems that if you have a valid finding and a reasonable recommendation, management usually doesn't act on it.However, if you have the same finding and recommendation and then cite a regulation, management is forced to act upon it.I believe that the regulations were drafted in order to force entities into doing what they should have done in the first place.I think the issue is a bit deeper than that - the way most regulations are drafted, they do *not* force entities to do what they should have done in the first place. What they *do* force is implementing a checkbox. Whether said checkbox is actually the best solution *for the actual problem* is the issue. I've seen cases where checkbox auditors insisted that a certain critical system "absolutely positively *HAD* to have a firewall". Even though the the owners of the system were *more* paranoid, and had done an even more thorough securing of the system by not even having a network connection to the machine.I should not have to cite regulations in order to make sure logs are being reviewed,Now stop for a moment - what is the *reason* for logs being reviewed? Is it acceptable to *not* review logs if there's a suitable "throw alert on exception" mechanism in place? Which is actually more long-term cost effective security for the organization? That's the problem with most of the regulations - they enforce checkboxes, not actually dealing with the overall security posture in a sane way. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Compliance Is Wasted Money, Study Finds Ivan . (Apr 05)
- Re: Compliance Is Wasted Money, Study Finds Bert Knabe (Apr 07)
- Re: Compliance Is Wasted Money, Study Finds John Morrison (Apr 07)
- Re: Compliance Is Wasted Money, Study Finds Keith Tomler (Apr 07)
- Re: Compliance Is Wasted Money, Study Finds J Roger (Apr 07)
- Re: Compliance Is Wasted Money, Study Finds Valdis . Kletnieks (Apr 07)
- Re: Compliance Is Wasted Money, Study Finds J Roger (Apr 07)
- Re: Compliance Is Wasted Money, Study Finds Valdis . Kletnieks (Apr 07)
- Re: Compliance Is Wasted Money, Study Finds Stephen Mullins (Apr 07)
- Re: Compliance Is Wasted Money, Study Finds Tracy Reed (Apr 07)
- Re: Compliance Is Wasted Money, Study Finds Valdis . Kletnieks (Apr 07)
- Re: Compliance Is Wasted Money, Study Finds Digital X (Apr 08)
- Re: Compliance Is Wasted Money, Study Finds Tracy Reed (Apr 09)
- Re: Compliance Is Wasted Money, Study Finds Nick FitzGerald (Apr 10)
- Re: Compliance Is Wasted Money, Study Finds Thor (Hammer of God) (Apr 10)
- Re: Compliance Is Wasted Money, Study Finds Valdis . Kletnieks (Apr 10)