Firewall Wizards mailing list archives
Re: tunnel vs open a hole
From: Duncan Sharp <drsharp () pacbell net>
Date: Thu, 10 Apr 2003 18:24:23 -0700
George Capehart wrote:
On Thursday 10 April 2003 05:19 pm, Joseph S D Yao wrote:<snip>Well, yes. Aren't all things, in the end? We are all of us accountable for governing our own actions. This is such a horrifying notion to many that they duck and run for cover. Corporate identities, having no souls, must be governed and held accountable by a BoD. Which may also have no souls.
The members each have souls, but the sum of these souls is usually zero when described as a BoD.
How does one get the attention of a BoD? Two ways. The smell of money, and the smell of litigation. The carrot and the stick. In the BoD of too many of today's companies, as Marcus has alluded to, the Ds don't care about the company, the product, or the worker. They care about the revered "bottom line". And this doesn't even refer to the actual worth of the company, its products, or its revenues - nobody looks at that, nowadays. When they report the "worth" of a company, it's the price of a share of stock times the number of shares. A truly fake number! But it directly impacts the "bottom line" about which the directors are concerned - how much THEIR shares are worth, and those of the share holders who are only concerned about how much THEIR shares are worth.Ahhhhh. *Now* we're getting to the root cause (or "of all evil" . . . sorry 'bout that. Couldn't resist . . . :-> ) In the end, it is all an exercise in risk management . . . in every sense of the phrase. And the problem is, "M"anagement is not managing all its risks. To compound the problem, the stockholders are not managing the Board. This seems like a sales opportunity for those of us who are InfoSec professionals. There *does* exist a well-defined IT governance model: see http://www.isaca.org/cobit.htm.
Which looks good as it says something (being a .ORG) by its mission statement: To research, develop, publicise and PROMOTE A AUTHORITIVE up-to-date, international set of generally accepted IT Control Objectives for DAY-TO-DAY USE ... Fine until you read the fine "Disclaimer" print: "The Information Systems Audit and Control Foundation and the sponsors of COBIT: Control Objectives for Information and Related Technology have designed the product primarily as an educational resource for controls professionals. The Information Systems Audit and Control Foundation and the sponsors make no claim that use of this product will assure a successful outcome. This product should not be considered inclusive of any proper procedures and tests or exclusive of other procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific procedure or test, the controls professional should apply his or her own professional judgment to the specific control circumstances presented by the particular systems or information technology environment. " (Copyright 2001 Information Systems Audit and Control Assoc.) In trying to better understand Risk, COBIT eliminated "Risk Statements" from its Control Objectives in favor of "the pro-active approach (objects are to be achieved) over the reactive approach (risks are to be mitigated)". Having just read some but not all, leaves me at "some risk" of over simplification of stating some conclusion(s). In order to be blunt, they have some ideas on how to better control IS systems, but don't hold them to it.
There is also a model for accountability that I personally like (but at which everyone would like to duck and run for cover) . . . see http://csrc.nist.gov/sec-cert/SP-800-37-v1.0.pdf (the certification and accreditation process). So there *does* exist a model for oversight and a mechanism for accountability and assurance. Just can't figure out how to sell them. Problem is, there is a tremendous educational process that needs to happen before the patients realize they're sick, and I haven't figured out how to fund the process . . . 8-( It gets back to Paul's analogy of the IT department as the Electoral College, to which I subscribe, but it's *still* an educational process . . .
Which is good for governement IS systems, but what about private sector IS systems?
Sorry to be so cynical, but ...Heh. Don't think you're any more cynical than anyone who has been in the business for a while . . . -- George Capehart
Yours, Duncan Sharp _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: tunnel vs open a hole, (continued)
- Re: tunnel vs open a hole R. DuFresne (Apr 10)
- Re: tunnel vs open a hole Bill Royds (Apr 10)
- Re: tunnel vs open a hole Marcus J. Ranum (Apr 10)
- Re: tunnel vs open a hole Dave Piscitello (Apr 10)
- Re: tunnel vs open a hole Adam Shostack (Apr 09)
- Re: tunnel vs open a hole Mike Frantzen (Apr 10)
- Re: tunnel vs open a hole R. DuFresne (Apr 10)
- Re: tunnel vs open a hole George Capehart (Apr 10)
- Re: tunnel vs open a hole Joseph S D Yao (Apr 10)
- Re: tunnel vs open a hole George Capehart (Apr 10)
- Re: tunnel vs open a hole Duncan Sharp (Apr 10)
- Re: tunnel vs open a hole George Capehart (Apr 14)
- Re: tunnel vs open a hole Duncan Sharp (Apr 14)
- Re: tunnel vs open a hole Duncan Sharp (Apr 16)
- Re: tunnel vs open a hole Magosányi Árpád (Apr 11)
- Re: tunnel vs open a hole Gary Flynn (Apr 10)
- Re: tunnel vs open a hole Paul Robertson (Apr 10)
- Re: tunnel vs open a hole Paul Robertson (Apr 10)
- Re: tunnel vs open a hole George Capehart (Apr 14)