funsec mailing list archives

why is certification useful anyway? [was: PCI]

From: Gadi Evron <ge () linuxbox org>
Date: Tue, 24 Mar 2009 14:29:19 +0100

nick hatch wrote:

Until the details are known in full, it seems a bit premature to debate 
the effectiveness of PCI and use Heartland as evidence one way or 
another. Even if the transactions were encrypted on the wire, a lack of 
internal controls could still allow a theoretical insider to run amok.


It seems like one of the main arguments against PCI in this thread, is 
that you can simply fake it and pass auditing.

I believe that is true of any security certification or regulation 
(which I've seen).

The organization can create a few documents, appoint a couple of people 
with some extra titles such as "CSO", and they're done.

On the other hand, I believe certification provides with a clear plan on 
where to go with security for those without the knowledge, as well as a 
measurement criterion by which to see success and allocate resources. 
The latter is especially important when dealing with the board and 
fighting for a bigger (or uncut) budget.

I find standardization as very useful as far as outsourcing, partners, 
and even ad services go, certification is one of the only ways by which 
we can know what level of security "the other guys" who are outside our 
sphere of influence have.

Certification *can* be useless, but it does help if you *want* to use 
it. It allows your organization to potentially mature in how it handles 
information security, and forces others to invest *something* in security.

The question of whether investing *something* in security is a Good or 
Bad thing over investing nothing, seems outside of the current 
discussion, and sounds like academic masturbation to me (no offense to 
the academics among us).

Conversely, it reminds me of a discussion in Israeli science fiction 
circles whether self-published books are good because someone actually 
did scifi, and they raise awareness to the genre, or whether having a 
Bad example of scifi on the shelves is negative to begin with.

Anyway, certification feeds a lot of consluttants and auditors. Job 
security? :)

        Gadi.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

Current thread:

Re: The PCI sky *isn't* falling!, (continued)
- - - Re: The PCI sky *isn't* falling! Justin Scott (Mar 24)
    - Re: The PCI sky *isn't* falling! Jon Kibler (Mar 24)
    - security theater is useful, stop abusing it [was: PCI] Gadi Evron (Mar 24)
    - Re: security theater is useful, stop abusing it [was: PCI] Benjamin April (Mar 24)
    - Re: security theater is useful, stop abusing it [was: PCI] Imri Goldberg (Mar 24)
    - Re: security theater is useful, stop abusing it [was: PCI] nick hatch (Mar 24)
  - Re: The PCI sky *isn't* falling! Kaegler, Mike (Mar 24)
    - Re: The PCI sky *isn't* falling! David Harley (Mar 24)
    - Re: The PCI sky *isn't* falling! Jon Kibler (Mar 24)
- Re: The PCI sky *isn't* falling! nick hatch (Mar 23)
  - why is certification useful anyway? [was: PCI] Gadi Evron (Mar 24)
- Re: The PCI sky *isn't* falling! Valdis . Kletnieks (Mar 23)
  - Re: The PCI sky *isn't* falling! Rob, grandpa of Ryan, Trevor, Devon & Hannah (Mar 23)
- Re: The PCI sky *isn't* falling! Drsolly (Mar 23)
  - Re: The PCI sky *isn't* falling! Gadi Evron (Mar 24)
- Re: The PCI sky *isn't* falling! Jay Singala (Mar 25)