Firewall Wizards mailing list archives
Re: iso 17799
From: "Paul D. Robertson" <paul () compuwar net>
Date: Mon, 19 Jul 2004 15:47:49 -0400 (EDT)
On Tue, 13 Jul 2004, avraham shir-el (arthur sherman) wrote:
> i hope i'm not opening a pandora's box here, but- i'm following this list for ~ a year now and haven't seen any mention of iso 17799. it's defined on their website as "a comprehensive set of controls comprising best practices in IS"
You've likely not seen mention of ISO9000 either...
> i've seen lots on this list about best practices w/o any references to 17799.
One person's best practices are another's waste of time. Best practices, by definition, strive to be uniform, and I think we've all got opinions on what should be done versus what we usually do versus what everyone else is doing. Take passwords- I happen to think that for non-dictionary-attackable and exposed interfaces, 6 of anything is a fine limit. I happen to know places that enforce the "explosion in a punctuation factory" requirements for local access- and those places are exactly the sort of places where a written password is more of a risk than a memorable one. Now, if suddenly the password that's local access only becomes used on a Web server for checking e-mail, then obviously the risk goes up. But people who do best practices don't do them in a risk-based way, they go whole hog out the gate- and that's onerous. I can likely negate 90% of the same risk with 10% of most "Best practices-" so it's really expensive to implement the other 90% of those practices- without a good risk/reward scheme or legislation, people are unlikely to go full-force on such systems. I can also implement them poorly or well- none of that seems to make them any easier. Every time I've read a security standard document, I've disagreed with parts of it, and thought other parts were not clear enough. Mostly though, I've been bored out of my skull dealing with the language barrier between a standard and implementing it.
> any opinions on it? or does the extremely noticeable lack of attention say it all?
In the US, we're stuck with a bunch of regulatory things that take precedence over 17799- HIPAA, Sarbanes-Oxley, GLB and Basel II (or are drivers for it, depending on the bent of whoever's implementing.) I also think that there's a relative dislike for ISO standards here, coupled with a market that doesn't proactively do much of anything. As far as I can tell, ISO9000 only really worked for the ISO9000 consultants. Can't see where 17799 is any different.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson            "My statements in this message are personal opinions
paul () compuwar net          which may have no basis whatsoever in fact."
probertson () trusecure com
Director of Risk Assessment
TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards