Firewall Wizards mailing list archives

Re: tunnel vs open a hole

From: Duncan Sharp <drsharp () pacbell net>
Date: Thu, 10 Apr 2003 18:24:23 -0700

George Capehart wrote:

On Thursday 10 April 2003 05:19 pm, Joseph S D Yao wrote:


<snip>

Well, yes.  Aren't all things, in the end?

We are all of us accountable for governing our own actions.  This is
such a horrifying notion to many that they duck and run for cover.

Corporate identities, having no souls, must be governed and held
accountable by a BoD.  Which may also have no souls.


The members each have souls, but the sum of these souls is usually zero
when
described as a BoD.

How does one get the attention of a BoD?  Two ways.  The smell of
money, and the smell of litigation.  The carrot and the stick.  In
the BoD of too many of today's companies, as Marcus has alluded to,
the Ds don't care about the company, the product, or the worker.
They care about the revered "bottom line".  And this doesn't even
refer to the actual worth of the company, its products, or its
revenues - nobody looks at that, nowadays.  When they report the
"worth" of a company, it's the price of a share of stock times the
number of shares.  A truly fake number!  But it directly impacts the
"bottom line" about which the directors are concerned - how much
THEIR shares are worth, and those of the share holders who are only
concerned about how much THEIR shares are worth.


Ahhhhh.  *Now* we're getting to the root cause (or "of all evil" . . .
sorry 'bout that.  Couldn't resist . . .  :-> )  In the end, it is all
an exercise in risk management . . . in every sense of the phrase.  And
the problem is, "M"anagement is not managing all its risks.  To
compound the problem, the stockholders are not managing the Board.
This seems like a sales opportunity for those of us who are InfoSec
professionals.  There *does* exist a well-defined IT governance model:
see http://www.isaca.org/cobit.htm.


Which looks good as it says something (being a .ORG) by its mission
statement:

    To research, develop, publicise and PROMOTE A AUTHORITIVE up-to-date,
international set of generally accepted IT Control Objectives for
DAY-TO-DAY USE ...

Fine until you read the fine "Disclaimer" print:

"The Information Systems Audit and Control Foundation and the sponsors of
COBIT: Control Objectives for Information and Related Technology have
designed the product primarily as an educational resource for controls
professionals. The Information Systems Audit and Control Foundation and
the sponsors make no claim that use of this product will assure a
successful outcome. This product should not be considered inclusive of any
proper procedures and tests or exclusive of other procedures and tests
that are reasonably directed to obtaining the same results.
In determining the propriety of any specific procedure or test, the
controls professional should apply his or her own professional judgment to
the specific control circumstances presented by the particular systems or
information technology environment. "
(Copyright 2001 Information Systems Audit and Control Assoc.)


    In trying to better understand Risk, COBIT eliminated "Risk
Statements" from
    its Control Objectives in favor of "the pro-active approach (objects
are to be
    achieved) over the reactive approach (risks are to be mitigated)".

    Having just read some but not all, leaves me at "some risk" of over
simplification
    of stating some conclusion(s).

    In order to be blunt, they have some ideas on how to better control
IS systems,
    but don't hold them to it.

There is also a model for
accountability that I personally like (but at which everyone would like
to duck and run for cover) . . . see
http://csrc.nist.gov/sec-cert/SP-800-37-v1.0.pdf (the certification and
accreditation process).  So there *does* exist a model for oversight
and a mechanism for accountability and assurance.  Just can't figure
out how to sell them.  Problem is, there is a tremendous educational
process that needs to happen before the patients realize they're sick,
and I haven't figured out how to fund the process . . .  8-(  It gets
back to Paul's analogy of the IT department as the Electoral College,
to which I subscribe, but it's *still* an educational process . . .


    Which is good for governement IS systems, but what about private
sector
    IS systems?


Sorry to be so cynical, but ...


Heh.  Don't think you're any more cynical than anyone who has been in
the business for a while . . .

--
George Capehart


Yours,
Duncan Sharp

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

Re: tunnel vs open a hole, (continued)
- - - Re: tunnel vs open a hole R. DuFresne (Apr 10)
    - Re: tunnel vs open a hole Bill Royds (Apr 10)
    - Re: tunnel vs open a hole Marcus J. Ranum (Apr 10)
    - Re: tunnel vs open a hole Dave Piscitello (Apr 10)
    - Re: tunnel vs open a hole Adam Shostack (Apr 09)
    - Re: tunnel vs open a hole Mike Frantzen (Apr 10)
    - Re: tunnel vs open a hole R. DuFresne (Apr 10)
    - Re: tunnel vs open a hole George Capehart (Apr 10)
    - Re: tunnel vs open a hole Joseph S D Yao (Apr 10)
    - Re: tunnel vs open a hole George Capehart (Apr 10)
    - Re: tunnel vs open a hole Duncan Sharp (Apr 10)
    - Re: tunnel vs open a hole George Capehart (Apr 14)
    - Re: tunnel vs open a hole Duncan Sharp (Apr 14)
    - Re: tunnel vs open a hole Duncan Sharp (Apr 16)
    - Re: tunnel vs open a hole Magosányi Árpád (Apr 11)
    - Re: tunnel vs open a hole Gary Flynn (Apr 10)
    - Re: tunnel vs open a hole Paul Robertson (Apr 10)
    - Re: tunnel vs open a hole Paul Robertson (Apr 10)
    - Re: tunnel vs open a hole George Capehart (Apr 14)
- RE: tunnel vs open a hole Carroll, Shawn (Apr 10)
- RE: tunnel vs open a hole Carroll, Shawn (Apr 10)

(Thread continues...)