funsec mailing list archives
why is certification useful anyway? [was: PCI]
From: Gadi Evron <ge () linuxbox org>
Date: Tue, 24 Mar 2009 14:29:19 +0100
nick hatch wrote:
> Until the details are known in full, it seems a bit premature to debate the effectiveness of PCI and use Heartland as evidence one way or another. Even if the transactions were encrypted on the wire, a lack of internal controls could still allow a theoretical insider to run amok.
It seems like one of the main arguments against PCI in this thread is that you can simply fake it and pass auditing. I believe that is true of any security certification or regulation (which I've seen). The organization can create a few documents, appoint a couple of people with some extra titles such as "CSO", and they're done.

On the other hand, I believe certification provides a clear plan on where to go with security for those without the knowledge, as well as a measurement criterion by which to see success and allocate resources. The latter is especially important when dealing with the board and fighting for a bigger (or uncut) budget.

I find standardization very useful as far as outsourcing, partners, and even ad services go; certification is one of the only ways by which we can know what level of security "the other guys" who are outside our sphere of influence have.

Certification *can* be useless, but it does help if you *want* to use it. It allows your organization to potentially mature in how it handles information security, and forces others to invest *something* in security.

The question of whether investing *something* in security is a Good or Bad thing over investing nothing seems outside of the current discussion, and sounds like academic masturbation to me (no offense to the academics among us). Conversely, it reminds me of a discussion in Israeli science fiction circles whether self-published books are good because someone actually did scifi, and they raise awareness of the genre, or whether having a Bad example of scifi on the shelves is negative to begin with.

Anyway, certification feeds a lot of consluttants and auditors. Job security? :)

Gadi.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.