Firewall Wizards mailing list archives
Re: tunnel vs open a hole
From: Duncan Sharp <drsharp () pacbell net>
Date: Sun, 13 Apr 2003 17:11:58 -0700
George Capehart wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Thursday 10 April 2003 09:24 pm, Duncan Sharp wrote:
<snip>
(I'm re-trying the reply to Duncan, the first time didn't make it through. He has raised some questions/issues that I think deserve to be addressed . . .)
Sorry got called to another issue... I'll skip the COBIT for this response. More on that later...
There is also a model for accountability that I personally like (but at which everyone would like to duck and run for cover) . . . see http://csrc.nist.gov/sec-cert/SP-800-37-v1.0.pdf (the certification and accreditation process). So there *does* exist a model for oversight and a mechanism for accountability and assurance. Just can't figure out how to sell them. Problem is, there is a tremendous educational process that needs to happen before the patients realize they're sick, and I haven't figured out how to fund the process . . . 8-( It gets back to Paul's analogy of the IT department as the Electoral College, to which I subscribe, but it's *still* an educational process . . .
Which is good for government IS systems, but what about private sector IS systems?
Works very well for them, too. At least in the instances with which I am familiar. I just chose to reference the NIST document because I think it does a pretty good job of organizing and presenting the process.
I have read this through earlier, as a means to help sell it into one of the places I worked. It's just that in the dozen or so places I have had the privilege to be employed, none used anything like the NIST document (or even some of its procedures). I think they have their proper place: government, large private sector places. I do think there needs to be some "downsized" NIST procedures/standards for small to medium sized businesses. I am thinking about those businesses that are 100 to 500 employees in size. Where the complete IT/IS department is 8 or fewer individuals.
Thanks,
Duncan Sharp
BR
- --
George Capehart
PGP Key ID 63F0F642 at http://pgp.mit.edu