| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 21 Apr 2010 14:44:35 -0700 From: Mike Hale <eyeronic.design@...il.com> To: "Ivan ." <ivanhec@...il.com> Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>, security-basics@...urityfocus.com Subject: Re: Compliance Is Wasted Money, Study Finds I actually disagree with the conclusions presented by this paper. I'm in the process of writing up a more thorough explanation, but my main issue lies with their key finding on compliance spending. According to the paper, roughly 40% is spend on directly securing secrets, and another 40% is spent on compliance of some type. They further suggest that half of this compliance spending is spent on internal compliance, and half on regulatory/external compliance. Internal security policies are designed to protect the network and the companys data. Therefore, reason would dictate that spending on internal compliance is money spent on securing your secrets (a fraction of that spending, anyway). Is it unreasonable to assume that half of money spent on compliance with internal policies postively affects security of your data? I find the findings completely flawed. Am I missing something? -- 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists