Re: [fw-wiz] tunnel vs open a hole
From: Duncan Sharp (firstname.lastname@example.org)
From: Duncan Sharp <email@example.com> To: George Capehart <firstname.lastname@example.org> Date: Thu, 10 Apr 2003 18:24:23 -0700
George Capehart wrote:
> On Thursday 10 April 2003 05:19 pm, Joseph S D Yao wrote:
> > Well, yes. Aren't all things, in the end?
> > We are all of us accountable for governing our own actions. This is
> > such a horrifying notion to many that they duck and run for cover.
> > Corporate identities, having no souls, must be governed and held
> > accountable by a BoD. Which may also have no souls.
The members each have souls, but the sum of these souls is usually zero
described as a BoD.
> > How does one get the attention of a BoD? Two ways. The smell of
> > money, and the smell of litigation. The carrot and the stick. In
> > the BoD of too many of today's companies, as Marcus has alluded to,
> > the Ds don't care about the company, the product, or the worker.
> > They care about the revered "bottom line". And this doesn't even
> > refer to the actual worth of the company, its products, or its
> > revenues - nobody looks at that, nowadays. When they report the
> > "worth" of a company, it's the price of a share of stock times the
> > number of shares. A truly fake number! But it directly impacts the
> > "bottom line" about which the directors are concerned - how much
> > THEIR shares are worth, and those of the share holders who are only
> > concerned about how much THEIR shares are worth.
> Ahhhhh. *Now* we're getting to the root cause (or "of all evil" . . .
> sorry 'bout that. Couldn't resist . . . :-> ) In the end, it is all
> an exercise in risk management . . . in every sense of the phrase. And
> the problem is, "M"anagement is not managing all its risks. To
> compound the problem, the stockholders are not managing the Board.
> This seems like a sales opportunity for those of us who are InfoSec
> professionals. There *does* exist a well-defined IT governance model:
> see http://www.isaca.org/cobit.htm.
Which looks good as it says something (being a .ORG) by its mission
To research, develop, publicise and PROMOTE A AUTHORITIVE up-to-date,
international set of generally accepted IT Control Objectives for
DAY-TO-DAY USE ...
Fine until you read the fine "Disclaimer" print:
"The Information Systems Audit and Control Foundation and the sponsors of
COBIT: Control Objectives for Information and Related Technology have
designed the product primarily as an educational resource for controls
professionals. The Information Systems Audit and Control Foundation and
the sponsors make no claim that use of this product will assure a
successful outcome. This product should not be considered inclusive of any
proper procedures and tests or exclusive of other procedures and tests
that are reasonably directed to obtaining the same results.
In determining the propriety of any specific procedure or test, the
controls professional should apply his or her own professional judgment to
the specific control circumstances presented by the particular systems or
information technology environment. "
(Copyright 2001 Information Systems Audit and Control Assoc.)
In trying to better understand Risk, COBIT eliminated "Risk
its Control Objectives in favor of "the pro-active approach (objects
are to be
achieved) over the reactive approach (risks are to be mitigated)".
Having just read some but not all, leaves me at "some risk" of over
of stating some conclusion(s).
In order to be blunt, they have some ideas on how to better control
but don't hold them to it.
> There is also a model for
> accountability that I personally like (but at which everyone would like
> to duck and run for cover) . . . see
> http://csrc.nist.gov/sec-cert/SP-800-37-v1.0.pdf (the certification and
> accreditation process). So there *does* exist a model for oversight
> and a mechanism for accountability and assurance. Just can't figure
> out how to sell them. Problem is, there is a tremendous educational
> process that needs to happen before the patients realize they're sick,
> and I haven't figured out how to fund the process . . . 8-( It gets
> back to Paul's analogy of the IT department as the Electoral College,
> to which I subscribe, but it's *still* an educational process . . .
Which is good for governement IS systems, but what about private
> > Sorry to be so cynical, but ...
> Heh. Don't think you're any more cynical than anyone who has been in
> the business for a while . . .
> George Capehart
firewall-wizards mailing list