Firewall Wizards mailing list archives

Re: iso 17799


From: "Paul D. Robertson" <paul () compuwar net>
Date: Mon, 19 Jul 2004 15:47:49 -0400 (EDT)

On Tue, 13 Jul 2004, avraham shir-el (arthur sherman) wrote:

> i hope i'm not opening a pandora's box here, but-
>
> i'm following this list for ~ a year now and haven't seen any mention of
> iso 17799.
> it's defined on their website as
> "a comprehensive set of controls comprising best
> practices in IS"

You've likely not seen mention of ISO9000 either...

> i've seen lots on this list about best practices w/o
> any references to 17799.

One person's best practices are another's waste of time.  Best practices,
by definition strive to be uniform, and I think we've all got opinions on
what should be done versus what we usually do versus what everyone else is
doing.

Take passwords- I happen to think that for non-dictionary attackable and
exposed interfaces, 6 of anything is a fine limit.  I happen to know
places that enforce the "explosion in a punctuation factory" requirements
for local access- and those places are exactly the sort of places where a
written password is more of a risk than a memorable one.  Now, if
suddenly the password that's local access only becomes used on a Web
server for checking e-mail, then obviously the risk goes up.  But people
who do best practices don't do them in a risk-based way, they go whole
hog out the gate- and that's onerous.

I can likely negate 90% of the same risk with 10% of most "Best
practices-" so it's really expensive to implement the other 90% of those
practices- without a good risk/reward scheme or legislation, people are
unlikely to go full-force on such systems.  I can also implement them
poorly or well- none of that seems to make them any easier.

Every time I've read a security standard document, I've disagreed with
parts of it, and thought other parts were not clear enough.  Mostly
though, I've been bored out of my skull dealing with the language barrier
between a standard and implementing it.

> any opinions on it?
> or does the extremely noticeable lack of attention
> say it all?

In the US, we're stuck with a bunch of regulatory things that take
precedence over 17799- HIPAA, Sarbanes-Oxley, GLB and Basel II (or are
drivers for it, depending on the bent of whoever's implementing.)

I also think that there's a relative dislike for ISO standards here,
coupled with a market that doesn't proactively do much of anything.

As far as I can tell, ISO9000 only really worked for the ISO9000
consultants.  Can't see where 17799 is any different.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards