Date: Wed, 7 Apr 2010 17:19:37 -0400
From: Stephen Mullins <steve.mullins.work@...il.com>
To: Valdis.Kletnieks@...edu
Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: Compliance Is Wasted Money, Study Finds

You're right, they aren't robots, they're overpaid tech writers that
memorized just enough industry jargon and buzzwords to talk the talk
without being able to walk the walk.

http://www.computerweekly.com/Articles/2010/03/25/240719/Sans-founder-slams-39terribly-damaging39-US-cyber-security.htm

SANS Institute founder Alan Paller had some comments about FISMA
compliance and C&A professionals.

"[They] rewarded ineffective behavior and created a cadre of people
who call themselves security professionals but who proudly admit they
cannot implement security settings on systems and network devices or
find a programming flaw," he said.

"Fisma had created and rewarded a culture of compliance rather than
security," Paller said. Federal and state governments were "radically
short of money", but they were forced to spend it on reporting rather
than security, he said. "Writers who know how a few words about
security and federal regulations now make 50% to 80% more money than
the people who actually secure systems and networks and applications,"
he said. "It is as if we paid the compliance staff at a hospital more
than the surgeons."

He said the nation's attention should be on real-time monitoring of
its information systems and networks to prevent or mitigate attacks as
they happened. "Oversight must be focused on the effectiveness of the
agencies' real time defences," he said.


On Wed, Apr 7, 2010 at 2:52 PM,  <Valdis.Kletnieks@...edu> wrote:
> On Wed, 07 Apr 2010 11:31:28 PDT, J Roger said:
>
>> That's not entirely the case. Auditors aren't robots.
>
> Unfortunately, that's far too often not true.  Internal audit departments
> in particular seem to accumulate people with no real clue, because they
> *don't* rely on passing the client in order to get the job again next year.
> They stay around for the next fiscal year by showing a pretty list with "See
> all the things we found wrong", not by "See all the creative solutions we
> looked at and decided were in fact OK".
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/