Firewall Wizards mailing list archives

Re: tunnel vs open a hole


From: Duncan Sharp <drsharp () pacbell net>
Date: Sun, 13 Apr 2003 17:11:58 -0700

George Capehart wrote:


On Thursday 10 April 2003 09:24 pm, Duncan Sharp wrote:


<snip>  (I'm re-trying the reply to Duncan, the first time didn't make
it through.  He has raised some questions/issues that I think deserve
to be addressed . . .)

Sorry got called to another issue...

I'll skip the COBIT for this response. More on that later...



There is also a model for
accountability that I personally like (but at which everyone would
like to duck and run for cover) . . . see
http://csrc.nist.gov/sec-cert/SP-800-37-v1.0.pdf (the certification
and accreditation process).  So there *does* exist a model for
oversight and a mechanism for accountability and assurance.  Just
can't figure out how to sell them.  Problem is, there is a
tremendous educational process that needs to happen before the
patients realize they're sick, and I haven't figured out how to
fund the process . . .  8-(  It gets back to Paul's analogy of the
IT department as the Electoral College, to which I subscribe, but
it's *still* an educational process . . .

    Which is good for government IS systems, but what about private
sector IS systems?

Works very well for them, too.  At least in the instances with which I
am familiar.  I just chose to reference the NIST document because I
think it does a pretty good job of organizing and presenting the
process.


    I have read this through earlier, as a means to help sell it into one
of the places I worked. It's just that in the dozen or so places I have
had the privilege to be employed, none used anything like the NIST
document (or even some of its procedures).

    I think they have their proper place: government, large private
sector places.

    I do think there needs to be some "downsized" NIST procedures/standards
for small to medium-sized businesses. I am thinking about those businesses
that are 100 to 500 employees in size, where the complete IT/IS department
is 8 or fewer individuals.

Thanks,
Duncan Sharp


BR
--
George Capehart

PGP Key ID 63F0F642 at http://pgp.mit.edu

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
