Firewall Wizards mailing list archives
Re: iso 17799
From: George Capehart <capegeo () opengroup org>
Date: Wed, 21 Jul 2004 15:20:40 -0400
On Wednesday 21 July 2004 06:13, Paul D. Robertson allegedly wrote:
> On Tue, 20 Jul 2004, Marcus J. Ranum wrote:
> <snip>
> > Let me try to explain it a different way: Computer security, as it's done today by most practitioners, is fundamentally a con. It's a con the same way that most diet foods
>
> I don't think it's that pointed. The products generally do what they're supposed to (unless they're new, then they generally do some of what they're supposed to, but not nearly enough to be complete...) efficient way to reduce risk.
I think you're both right. Cons happen because the victim is: a) naive, b) stupid, or c) is ordered to buy the product by a PHM who just read an airplane magazine or who just attended a "technology conference." Products *do* mostly do what they're supposed to do . . . Problem is, the people buying the product think/assume that the product does *everything*. They don't know enough about the problem space, the capability of the product and the iceberg that they only see the tip of to know they're being conned . . . and that they only have themselves to blame for it.

> <snip>
> Here's the typical conversation at my last company:
>
> Supplicant: "Hey! I've got a great idea that'll save us money and make new business and be really cool!"
> Paul: "No."
> Supplicant's boss: "Hey! $luser's got this great idea..."
> Paul: "No."
> Whining chorus: "Whyyyyyy not?????"
> Paul: "It's against my security policy."
> $flackey: "$CEO wants to be able to IM his kids..."
> Paul: "No."
> $flackey: "But he's the CEO!"
> Paul: "Yes, he is. No."
>
> See, that single syllable is seen as "politically expensive," and rather than uttering it to folks far and wide, there's a drive to go buy something that makes $dangerous_thing possible, and either tells you when something bad happened, or tries to stop something bad from happening.
IMHO, it is cases like this where a Certification and Accreditation process is handy. I *know* that DITSCAP, NIST 800-37 and NIACAP are seen by some as being overkill, and in some cases, they are. However, the general principle is still valid. Theoretically, the selection of controls is driven by policy which is formulated as a result of the risk assessment process and which reflects the organization's risk tolerance. The policy is not the security person's policy, it is the organization's policy. The very lite version of a C&A process could be having $flackey sign a short document that describes the policy, the risks it addresses, and a short statement that the undersigned understands that those risks will be left unmanaged and that he/she authorizes the system to be used anyway. I've been overruled many, many times by the cowboys who just don't care . . . At least that has let me cover myself . . . And in organizations in which the cowboy mentality reaches all the way to the top, it's almost mandatory, 'cause stuff *will* blow up, and when it does, the lynch mob starts looking for someone to hang . . .

> <snip>
> I think it's just a logic flaw: We don't know what to do, so we need someone to tell us- if they tell us the same thing every time, it must be right- let's make that a standard, because if everyone else does it, it must be right! Only in IT is everyone else doing it a good reason for jumping off a cliff.
That's part of it . . . the other part of it is that it saves a lot of work. Instead of actually taking the time to really understand what it takes to implement a really robust Information Security and Assurance program and then take the time to "do it right," it's much easier to hire some consultants to come in and do a CobiT/17799/yadda, yadda audit. Then, when something blows up, the response can be: "Well, we were 17799 certified, so the consultants must have missed something."

Cheers,
George

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards