Secure Coding mailing list archives
Darkreading: compliance
From: ljknews at mac.com (ljknews)
Date: Fri, 30 Mar 2007 09:25:07 -0500
At 9:29 AM -0400 3/30/07, Benjamin Tomhave wrote:
> SOX has been a complete waste, imo. First, the majority of it was already covered in existing law. Second, it really has nothing to do with security from a practical standpoint. The only purpose SOX has served is to give auditors another source of revenue. And, worse than that, it initially gave auditors the appearance of more power and responsibility, which I saw carried out in external auditors trying to dictate to businesses how the business should operate (and not in a good way). Talk about a fundamental violation of independence and objectivity. The pendulum has fortunately swung back on that trend.
>
> PCI DSS, on the other hand, has been a very good effort with real, meaningful results. Why is this? Well, for one thing, it's specific. As opposed to SOX, which paints with broad strokes and focuses on truth in reporting (gross oversimplification), PCI DSS goes into technical detail on what activities must be implemented, what minimum measures are for adequate security in a system, etc. Perhaps the best example of this thought is section 3.6 in DSS v1.1, where it details the minimum requirements for key management. It makes my job much easier having this level of detail, with much less left to interpretation (again, unlike SOX, where almost everything is open to interpretation and the whim of your auditors).
That parenthetical comment is almost verbatim the description of SOX I received from someone who is subject to SOX audits.

My own nomination for specificity in security standards is NIST Special Publication 800-53 (currently at Revision 1):

http://csrc.nist.gov/publications/nistpubs/index.html#sp800-53-Rev1

Through all the controls there is only one requirement with which I disagree.

-- 
Larry Kilgallen
Current thread:
- Darkreading: compliance Gary McGraw (Mar 12)
- Darkreading: compliance bugtraq at cgisecurity.net (Mar 12)
- Darkreading: compliance Michael Silk (Mar 12)
- Darkreading: compliance Steven M. Christey (Mar 12)
- Darkreading: compliance Bruce Ediger (Mar 13)
- Darkreading: compliance Benjamin Tomhave (Mar 30)
- Darkreading: compliance ljknews (Mar 30)
- <Possible follow-ups>
- Darkreading: compliance Gary McGraw (Mar 12)
- Darkreading: compliance Gary McGraw (Mar 13)
- Darkreading: compliance Michael Silk (Mar 13)