Penetration Testing mailing list archives

Re: Re: Importance of being a QSA


From: mr.nasty () ix netcom com
Date: 28 Nov 2006 21:51:56 -0000

I can't help myself here, but this type of idiocy kills me.

The reason for regulatory bodies is that there are those in the business who can't seem to follow a set of 
guidelines to provide at least a basic level of trust to keep their customers' identities private. Now I don't want to get 
off on a rant here, but the opportunity is there.

The latest headline on SF is "A Hard Lesson in Privacy". Now I realize this is about a young blonde TV talking head and 
her sexual antics, but the point is that even the most hardened CEOs (no pun) have slipped a time or two on life's 
banana peel and tried to make it look like they meant to do that.

These people (even SANS) sound like the same group of tax protesters I had to face in the '80s. They didn't feel the 
IRS regulations had bearing on them; they didn't vote for the tax, so they should be exempt. Or they would look at these 
auditors as if they had some low-life job like inspecting elevators. (Not that inspecting elevators is a bad thing - 
which sounds like BS; go back in the refrigerated computer room in your Wal-Mart dress-for-success Dickies.)

No, my IT Security buddies out there who think you don't need regulations, believe me, from my point of view not only do 
you need them, over 80% of this population needs some way to have your work reviewed.

Who better than regulatory bodies to provide some type of framework? These bodies keep IT and IT Security accountable. 
That should probably have been a four-letter word considering the groans and moans it causes. Who do you people think 
you are that you don't have to be accountable? You're only IT people.

This is a growing area; as long as there are new and improved business practices and technologies, there will be an 
amendment or regulatory body to keep that part of business safe for the consumer.

As an individual who has to examine corporate computer systems forensically, it pains me each time I have to talk with a 
big-headed dimwit system admin who can tout his high scores on EverQuest but can't seem to understand the concept of a 
freaking log configuration, and the nimrod makes 85 grand a year, doing what?

Yes, people, I'm sorry, but the fact of the matter is that there are and will be regulatory bodies as long as there is 
business. The IRS is a regulatory body in some ways, as well as the SEC and all the rest. It's all part of 'doing business'.

So you might want to consider that opening with Otis. I apologize about this outburst, but the more I hear the whining 
here about regulations this and regulations that and comparing my colleagues to elevator inspectors, it winds me up 
real tight.

I used to be an IT auditor. That's how I became the IT security officer for two agencies. I do what you guys can't 
because I learned the right way to do it from those checklists.
