Full Disclosure mailing list archives
Re: Compliance Is Wasted Money, Study Finds
From: Michael Holstein <michael.holstein () csuohio edu>
Date: Fri, 23 Apr 2010 14:17:54 -0400
> Some people in the information security industry actually care about securing systems and the information they contain rather than filling in check boxes.

So what's the problem? .. if you have done it according to (or exceeding) the spec .. check the box, buy a box of donuts for the auditor .. let them look it over, and be done with it.

> Compliance may ensure a minimum standard is met, but it does not ensure or imply that real security is being maintained at an organization.

If VISA (et al.) could define "real security" and write it down, they would. What is "real security" exactly? .. I'd argue the only "secure" computer is one that's still sealed in the factory carton. Break the seal, game over .. just like it says on a box of Band-Aids "Sterility guaranteed until opened".

> As you say, PCI has become a cost of doing business whereas having a secure network is apparently not a cost of doing business. This is a problem.

The thinking goes .. that if you implement the PCI standards and aim to actually do as it suggests (meaning doing what the document suggests *correctly* .. not just having a blinking light in place so you can check a box) .. you're already down the right path. Even so .. the problem with securing networks/systems is there's millions of "them" and only a few of "you". Also .. you have to be right 100% of the time, and "they" only have to get lucky once.

My $10.02 ($10 minimum purchase on all credit cards). **

Cheers,

Michael Holstein
Cleveland State University

**: yes, I know this goes against the merchant agreement .. sarcasm.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
