Full Disclosure mailing list archives
Re: Compliance Is Wasted Money, Study Finds
From: "Lyal Collins" <lyalc () swiftdsl com au>
Date: Tue, 27 Apr 2010 08:34:27 +1000
Has everyone on this list read the PCI DSS requirements? They are freely available at www.pcisecuritystandards.org. AV is about 4 requirements out of over 230 requirements, covering secure coding/development, patching, network security, hardening systems, least privilege, robust authentication, staff probity, physical security, obligations on third parties, annual risk assessments and improvements, plus annually re-validating all of these security control areas.

Many views in this thread sound like drowning people who reject a lifeboat because it doesn't match their eye colour.

PCI DSS isn't perfect, but it is fairly comprehensive about confidentiality. In terms of all organisational information security threats, PCI DSS lacks a focus on DR/BCP and integrity of data and systems (other than that subset of threats affecting protection of card data). I posit that DR and data integrity are as much a commercial decision as an information security goal, for which simple, repeatable processes are already available and reasonably well known amongst IT professionals.

Anti-virus and anti-malware products are not perfect either, but they are better than the alternative of "doing nothing until a perfect solution is found", an undertone I see so often on this list and among many well-intentioned but unsuccessful security professionals at sites I visit.

Implementing any halfway decent solution is almost always better than doing nothing, when it comes to reducing risk and increasing assurance. Implementing ongoing improvements is a cost-effective spend of scarce security/IT dollars. Building the "perfect" security solution is too expensive and takes too long - by the time it's delivered, security threats have moved on, and you remain vulnerable.

There are some dreadful compliance programs out there. There are some excellent compliance standards. The

lyal

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/