Educause Security Discussion mailing list archives

Re: Standards (was Re: SECURITY Listserv Instructions and Participation Guidelines)


From: Gene Spafford <spaf () CERIAS PURDUE EDU>
Date: Mon, 8 Jul 2002 07:37:01 -0500

At 7:32 -0400 7/08/02, Laurie Zirkle wrote:

> I don't believe that they would be mandated as "this or nothing else".

That is what a standard is.   Standards are to be met, and metrics
are available to measure compliance.  Non-compliance, in the case of
the proposed legislation, would be funding freezes or cuts.

"Guidelines" give suggested practice for a particular application
area.   Unfortunately, I have not been successful in getting either
SANS or CIS (actually, Alan) to accept that standards in the hands of
the uninformed can do damage.

Clueless managers (we all know 'em) will see a "standard" and mandate
that it be followed.

> It would have been the MINIMUM that needed to be done.  If your site/machine/
> router was more tightened down, wonderful.

Yes, in conjunction with an IDS and some other things.   However, it
meant that we needed to "loosen" some elements that were in the
"security standard" that CIS issued.   If I was reporting on the MIS
side of the house, I would have had to adhere to the "standard" and
we would have a weaker position!

> There were some of us here that had already gone
> above and beyond those guidelines before they were ever published.  Did
> that mean we should undo what we had done?  I think not.

Precisely what I meant by the problem of "standards."

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/memdir/cg/cg.html.