[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <j2q50e4ca0b1004071131h49dfbb07td21dd281f6adf574@mail.gmail.com>
Date: Wed, 7 Apr 2010 11:31:28 -0700
From: J Roger <securityhocus@...il.com>
To: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: Compliance Is Wasted Money, Study Finds
That's not entirely the case. Auditors aren't robots. It's their job to make
determinations about your organizations capabilities and how they map
against somewhat loosely defined compliance standards that have lots of
wiggle room and lots of gray areas. All the gray areas are extremely useful
to auditors so they can massage things around such that the organization can
pass and be happy and hire them again next year.
An auditor can very well see that your organization has a "throw alert on
exception" mechanism in place and determine that meets the "review logs"
requirement. box checked
On Wed, Apr 7, 2010 at 9:43 AM, <Valdis.Kletnieks@...edu> wrote:
> On Wed, 07 Apr 2010 10:24:00 EDT, Keith Tomler said:
> > BALONEY
>
> > As an Information Systems Auditor, it seems that if you have a valid
> > finding and a reasonable recommendation, management usually doesn't
> > act on it.
>
> > However, if you have the same finding and recommendation and then cite
> > a regulation, management is forced to act upon it.
>
> > I believe that the regulations were drafted in order to force entities
> > into doing what they should have done in the first place.
>
> I think the issue is a bit deeper than that - the way most regulations are
> drafted, they do *not* force entities to do what they should have done in
> the first place.
>
> What they *do* force is implementing a checkbox.
>
> Whether said checkbox is actually the best solution *for the actual
> problem*
> is the issue. I've seen cases where checkbox auditors insisted that a
> certain critical system "absolutely positively *HAD* to have a firewall".
>
> Even though the the owners of the system were *more* paranoid, and had
> done an even more thorough securing of the system by not even having a
> network connection to the machine.
>
> > I should not have to cite regulations in order to make sure logs are
> > being reviewed,
>
> Now stop for a moment - what is the *reason* for logs being reviewed?
>
> Is it acceptable to *not* review logs if there's a suitable "throw alert
> on exception" mechanism in place?
>
> Which is actually more long-term cost effective security for the
> organization?
>
> That's the problem with most of the regulations - they enforce checkboxes,
> not actually dealing with the overall security posture in a sane way.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists