Secure Coding mailing list archives

Darkreading: compliance


From: gem at cigital.com (Gary McGraw)
Date: Tue, 13 Mar 2007 12:21:36 -0400

Once again I'll ask.  Which vertical is the kind of company where you're seeing this awful behavior in?

BTW, Sammy Migues agrees with you in a thread we're having on the justice league blog www.cigital.com/justiceleague 
(look under SOX).

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com.



-----Original Message-----
From:   Bruce Ediger [mailto:eballen1 at qwest.net]
Sent:   Tue Mar 13 12:10:42 2007
To:     
Cc:     SC-L at securecoding.org
Subject:        Re: [SC-L] Darkreading: compliance

On Tue, 13 Mar 2007, somebody wrote (attribution isn't clear to me):

no. my feeling is that it focuses management on unimportant things like
meeting checkpoints rather than actually doing useful things.

I heartily agree. "Compliance" almost always becomes (in the worst sense
of the word) a mantra to chant down all disagreement.  "Compliance" becomes
the *administrative* stick-and-carrot, rather like a driver's license in
the US.

That is, every US citizen has this set of nominal "rights" that nobody
can take away.  On the other hand, a driver's license is a privilege,
so you have to jump through some hoops to get it, and it comes with
mandatory behaviors, not all of them legal, most of them administrative.
Life in the US without a driver's license is marginal.  So, administrators
use driver's licenses to punish and guide behavior in ways nominally,
or legally, forbidden.  Wink wink, nudge nudge.

I'm most familiar with PCI, and some of the things that people put in
it are just downright stupid.  If you run your credit card processing
on Solaris, why should you put in a virus scanner?  Seriously, folks...

Since "compliance" becomes an administrative tool, the weapons against
actually paying for "compliance" become administrative, hence the focus
on meeting checklist items.  A checklist can't really contain all the
capability of a general purpose computing system, as checklists do not
have looping or decision making in them.  So, they'll always have weird
limits, and people will try to overcome those limitations by adding to
the checklists.

"Compliance" becomes a rallying point for the professional meeting
attenders, parasites and hangers on, hierarchy jockeys.
_______________________________________________
Secure Coding mailing list (SC-L) SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________






