Firewall Wizards mailing list archives

Re: How do we do our job? (was Re: Network Security Certification)


From: darrenr () reed wattle id au
Date: Thu, 30 Apr 1998 02:01:00 +1000 (EST)

In some email I received from Bennett Todd, sie wrote:

> 1998-04-29-12:59:54 Darren:
> 
> > If your boss walked in tomorrow and asked you how you knew your
> > firewall was protecting you, what would you use as evidence?
> 
> I'd point to our security policy.
> [...]

So what ?  Who's verified that your security policy is any good ?
Anyone ?  Maybe it's just full of mumbo jumbo that looks impressive
but is full of loopholes ?  The need for 3rd party review simply
cannot be ignored.

> > Sure, there's a handful of people running around who can do this, but
> > what assurance do you have that you're getting the right people?
> 
> The same assurance you have when getting any kind of people. If you have
> the expertise in house to grill the candidate, then you do; if you don't
> have that expertise then evaluate candidates based on how well you like
> them and the extent and relevance of their claimed experience, then
> check their references carefully. This is an old problem with an old and
> well-trusted solution.

I don't trust the interview method.  I've come across one person who was
employed on the basis that they did well in cross examination but when
put in the field...well...they failed mine :-)

> > Do you look for ISO qualifications for their reporting or CISSP exams
> > passed [...]
> 
> I sure wouldn't, any more than I'd look for certificates when picking a
> systems administrator, or a programmer, or anybody else. Certificates
> demonstrate a desire to get certificates and a skill at getting
> certificates; I've never had any use for that desire and ability.

Do they ?

What about cases where there's a need to get certificates in order to
get business ?  If you wanted to get in on a Government Contract but
in order to do so you needed ISO 9000, would you decide to turn it down
based on that ?  In my mind, it is reasonable to expect that some
certificates are there because they don't represent just a desire to
get the certificates, but a desire to do the work required to get them
too and a desire to meet a client's needs.

Darren
