Firewall Wizards mailing list archives

Re: iso 17799


From: George Capehart <capegeo () opengroup org>
Date: Wed, 21 Jul 2004 15:20:40 -0400

On Wednesday 21 July 2004 06:13, Paul D. Robertson allegedly wrote:
> On Tue, 20 Jul 2004, Marcus J. Ranum wrote:
>
> <snip>
>
> > Let me try to explain it a different way:
> >         Computer security, as it's done today by most
> > practitioners, is fundamentally a con. It's a con the same way that
> > most diet foods
>
> I don't think it's that pointed.  The products generally do what
> they're supposed to (unless they're new, then they generally do some
> of what they're supposed to, but not nearly enough to be complete...)
> efficient way to reduce risk.

I think you're both right.  Cons happen because the victim is:

a) naive,
b) stupid, or
c) is ordered to buy the product by a PHM who just read an airplane 
magazine or who just attended a "technology conference."

Products *do* mostly do what they're supposed to do . . . Problem is, 
the people buying the product think/assume that the product does 
*everything*.  They don't know enough about the problem space, the 
capability of the product and the iceberg that they only see the tip of 
to know they're being conned . . . and that they only have themselves 
to blame for it.

<snip>


> Here's the typical conversation at my last company:
>
> Supplicant:  "Hey!  I've got a great idea that'll save us money and
> make new business and be really cool!"
>
> Paul: "No."
>
> Supplicant's boss: "Hey!  $luser's got this great idea..."
>
> Paul: "No."
>
> Whining chorus: "Whyyyyyy not?????"
>
> Paul: "It's against my security policy."
>
> $flackey: "$CEO wants to be able to IM his kids..."
>
> Paul: "No."
>
> $flackey: "But he's the CEO!"
>
> Paul: "Yes, he is.  No."
>
> See, that single syllable is seen as "politically expensive," and
> rather than uttering it to folks far and wide, there's a drive to go
> buy something that makes $dangerous_thing possible, and either tells
> you when something bad happened, or tries to stop something bad from
> happening.

IMHO, it is cases like this where a Certification and Accreditation 
process is handy.  I *know* that DITSCAP, NIST 800-37 and NIACAP are 
seen by some as being overkill, and in some cases, they are.  However, 
the general principle is still valid.  Theoretically, the selection of 
controls is driven by policy which is formulated as a result of the 
risk assessment process and which reflects the organization's risk 
tolerance.  The policy is not the security person's policy, it is the 
organization's policy.  The very lite version of a C&A process could be 
having $flackey sign a short document that describes the policy, the 
risks it addresses, and a short statement that the undersigned 
understands that those risks will be left unmanaged and that he/she 
authorizes the system to be used anyway.  I've been overruled many, 
many times by the cowboys who just don't care . . . At least that has 
let me cover myself . . . And in organizations in which the cowboy 
mentality reaches all the way to the top, it's almost mandatory, 
'cause stuff *will* blow up, and when it does, the lynch mob starts 
looking for someone to hang . . .

<snip>


> I think it's just a logic flaw:  We don't know what to do, so we need
> someone to tell us- if they tell us the same thing every time, it
> must be right- let's make that a standard, because if everyone else
> does it, it must be right!
>
> Only in IT is everyone else doing it a good reason for jumping off a
> cliff.

That's part of it . . . the other part of it is that it saves a lot of 
work.  Instead of actually taking the time to really understand what it 
takes to implement a really robust Information Security and Assurance 
program and then take the time to "do it right," it's much easier to 
hire some consultants to come in and do a CobiT/17799/yadda, yadda 
audit.  Then, when something blows up, the response can be:  "Well, we 
were 17799 certified, so the consultants must have missed something."

Cheers,

George

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
