Re: [fw-wiz] tunnel vs open a hole

From: Duncan Sharp (
Date: 04/11/03

  • Next message: Crispin Cowan: "Re: [fw-wiz] tunnel vs open a hole"
    From: Duncan Sharp <>
    To: George Capehart <>
    Date: Thu, 10 Apr 2003 18:24:23 -0700

    George Capehart wrote:

    > On Thursday 10 April 2003 05:19 pm, Joseph S D Yao wrote:
    > >
    > <snip>
    > > Well, yes. Aren't all things, in the end?
    > >
    > > We are all of us accountable for governing our own actions. This is
    > > such a horrifying notion to many that they duck and run for cover.
    > >
    > > Corporate identities, having no souls, must be governed and held
    > > accountable by a BoD. Which may also have no souls.
    > >

    The members each have souls, but the sum of these souls is usually zero
    described as a BoD.

    > > How does one get the attention of a BoD? Two ways. The smell of
    > > money, and the smell of litigation. The carrot and the stick. In
    > > the BoD of too many of today's companies, as Marcus has alluded to,
    > > the Ds don't care about the company, the product, or the worker.
    > > They care about the revered "bottom line". And this doesn't even
    > > refer to the actual worth of the company, its products, or its
    > > revenues - nobody looks at that, nowadays. When they report the
    > > "worth" of a company, it's the price of a share of stock times the
    > > number of shares. A truly fake number! But it directly impacts the
    > > "bottom line" about which the directors are concerned - how much
    > > THEIR shares are worth, and those of the share holders who are only
    > > concerned about how much THEIR shares are worth.
    > Ahhhhh. *Now* we're getting to the root cause (or "of all evil" . . .
    > sorry 'bout that. Couldn't resist . . . :-> ) In the end, it is all
    > an exercise in risk management . . . in every sense of the phrase. And
    > the problem is, "M"anagement is not managing all its risks. To
    > compound the problem, the stockholders are not managing the Board.
    > This seems like a sales opportunity for those of us who are InfoSec
    > professionals. There *does* exist a well-defined IT governance model:
    > see

    Which looks good as it says something (being a .ORG) by its mission

        To research, develop, publicise and PROMOTE A AUTHORITIVE up-to-date,
    international set of generally accepted IT Control Objectives for
    DAY-TO-DAY USE ...

    Fine until you read the fine "Disclaimer" print:

    "The Information Systems Audit and Control Foundation and the sponsors of
    COBIT: Control Objectives for Information and Related Technology have
    designed the product primarily as an educational resource for controls
    professionals. The Information Systems Audit and Control Foundation and
    the sponsors make no claim that use of this product will assure a
    successful outcome. This product should not be considered inclusive of any
    proper procedures and tests or exclusive of other procedures and tests
    that are reasonably directed to obtaining the same results.
    In determining the propriety of any specific procedure or test, the
    controls professional should apply his or her own professional judgment to
    the specific control circumstances presented by the particular systems or
    information technology environment. "
    (Copyright 2001 Information Systems Audit and Control Assoc.)

        In trying to better understand Risk, COBIT eliminated "Risk
    Statements" from
        its Control Objectives in favor of "the pro-active approach (objects
    are to be
        achieved) over the reactive approach (risks are to be mitigated)".

        Having just read some but not all, leaves me at "some risk" of over
        of stating some conclusion(s).

        In order to be blunt, they have some ideas on how to better control
    IS systems,
        but don't hold them to it.

    > There is also a model for
    > accountability that I personally like (but at which everyone would like
    > to duck and run for cover) . . . see
    > (the certification and
    > accreditation process). So there *does* exist a model for oversight
    > and a mechanism for accountability and assurance. Just can't figure
    > out how to sell them. Problem is, there is a tremendous educational
    > process that needs to happen before the patients realize they're sick,
    > and I haven't figured out how to fund the process . . . 8-( It gets
    > back to Paul's analogy of the IT department as the Electoral College,
    > to which I subscribe, but it's *still* an educational process . . .

        Which is good for governement IS systems, but what about private
        IS systems?

    > >
    > > Sorry to be so cynical, but ...
    > Heh. Don't think you're any more cynical than anyone who has been in
    > the business for a while . . .
    > --
    > George Capehart

    Duncan Sharp

    firewall-wizards mailing list

  • Next message: Crispin Cowan: "Re: [fw-wiz] tunnel vs open a hole"

    Relevant Pages

    • Re: Science Fiction and Fantasy
      ... the power to hurt or kill at will and no accountability to ... if you really can't control yourself from killing people every ...
    • RE: [fw-wiz] Stanford break in
      ... surveillance for accountability -- rather than access control. ... audit records as it is to active access control. ... If there is a fixed minimum cost to maintaining a check in each box, ...
    • Re: Licia Kuenning
      ... there is nothing wrong with holding those who predict the ... predictions to try to control others. ... Such accountability avoids error when it is ...
    • Re: The Catholic Church
      ... >>be judged by my fellow humans" ... >>There is no judgment with out accountability and no accountability with out ... > We need religion to keep primitve folks such as yourself under control. ... > Intelligent people with a clear set of moral values have no need for God. ...