Secure Coding mailing list archives

Darkreading: compliance


From: ljknews at mac.com (ljknews)
Date: Fri, 30 Mar 2007 09:25:07 -0500

At 9:29 AM -0400 3/30/07, Benjamin Tomhave wrote:

> SOX has been a complete waste, imo.  First, the majority of it was already
> covered in existing law.  Second, it really has nothing to do with security
> from a practical standpoint.  The only purpose SOX has served is to give
> auditors another source of revenue.  And, worse than that, it initially gave
> auditors the appearance of more power and responsibility, which I saw
> carried out in external auditors trying to dictate to businesses how the
> business should operate (and not in a good way).  Talk about a fundamental
> violation of independence and objectivity.  The pendulum has fortunately
> swung back on that trend.
>
> PCI DSS, on the other hand, has been a very good effort with real,
> meaningful results.  Why is this?  Well, for one thing, it's specific.  As
> opposed to SOX, which paints with broad strokes and focuses on truth in
> reporting (gross oversimplification), PCI DSS goes into technical detail on
> what activities must be implemented, what minimum measures are for adequate
> security in a system, etc.  Perhaps the best example of this thought is
> section 3.6 in DSS v1.1, where it details the minimum requirements for key
> management.  It makes my job much easier having this level of detail, with
> much less left to interpretation (again, unlike SOX, where almost everything
> is open to interpretation and the whim of your auditors).

That parenthetical comment is almost verbatim the description of SOX
I received from someone who is subject to SOX audits.

My own nomination for specificity in security standards is NIST Special
Publication 800-53 (currently at Revision 1).

   http://csrc.nist.gov/publications/nistpubs/index.html#sp800-53-Rev1

Through all the controls there is only one requirement with which I disagree.
-- 
Larry Kilgallen
