Message-ID: <p2gfd3b86ff1004070544pcbb0cdd3udb7f1c00558d177a@mail.gmail.com>
Date: Wed, 7 Apr 2010 13:44:50 +0100
From: John Morrison <john.morrison101@...glemail.com>
To: "Ivan ." <ivanhec@...il.com>
Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>,
security-basics@...urityfocus.com
Subject: Re: Compliance Is Wasted Money, Study Finds
That is not really surprising. Regulations are (fairly) clearly
defined 'tick box' exercises. They avoid three difficult requirements:
identifying what is important and should be protected; identifying
what is an acceptable response; and persuading the executive it is
worthwhile.
If you have a regulation (like PCI and HIPAA, for example) it defines
what should be protected and what is expected as a reasonable
response. The weight of the law, or a regulatory authority, that
defines fines and even makes CXOs personally responsible quickly gets
attention.
The best hope is that with a bit of innovative thinking infosec
professionals can implement a programme that covers various
regulations, finds synergy between them and properly protects valuable
assets. It should then be possible to cover other information assets
that are important to the organisation, but not covered by
regulations, at only incremental costs.
Personally I think the values created by Forrester are a bit suspect.
They don't give any information about the mix of industries and sizes
of the enterprises represented in the survey. My assumption is that
they are all Forrester customers. This means they are large and they
are extremely reliant on information and technology to run their
businesses.
On 6 April 2010 07:23, Ivan . <ivanhec@...il.com> wrote:
> For those who don't frequent slashdot.......
>
> "Enterprises are spending huge amounts of money on compliance programs
> related to PCI-DSS, HIPAA and other regulations, but those funds may
> be misdirected in light of the priorities of most information security
> programs, a new study has found. A paper by Forrester Research,
> commissioned by Microsoft and RSA, the security division of EMC, found
> that even though corporate intellectual property comprises 62 percent
> of a given company's data assets, most of the focus of their security
> programs is on compliance with various regulations. The study found
> that enterprise security managers know what their companies' true data
> assets are, but find that their security programs are driven mainly by
> compliance, rather than protection (PDF)."
>
> http://www.rsa.com/products/DLP/ar/10844_5415_The_Value_of_Corporate_Secrets.pdf
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/