[funsec] why is certification useful anyway? [was: PCI]
ge at linuxbox.org
Tue Mar 24 08:29:19 CDT 2009
nick hatch wrote:
> Until the details are known in full, it seems a bit premature to debate
> the effectiveness of PCI and use Heartland as evidence one way or
> another. Even if the transactions were encrypted on the wire, a lack of
> internal controls could still allow a theoretical insider to run amok.
It seems like one of the main arguments against PCI in this thread is
that you can simply fake it and pass auditing.
I believe that is true of any security certification or regulation
(which I've seen).
The organization can create a few documents, appoint a couple of people
with some extra titles such as "CSO", and they're done.
On the other hand, I believe certification provides a clear plan on
where to go with security for those without the knowledge, as well as a
measurement criterion by which to see success and allocate resources.
The latter is especially important when dealing with the board and
fighting for a bigger (or uncut) budget.
I find standardization very useful as far as outsourcing, partners,
and even ad services go; certification is one of the only ways by which
we can know what level of security "the other guys" who are outside our
sphere of influence have.
Certification *can* be useless, but it does help if you *want* to use
it. It allows your organization to potentially mature in how it handles
information security, and forces others to invest *something* in security.
The question of whether investing *something* in security is a Good or
Bad thing over investing nothing, seems outside of the current
discussion, and sounds like academic masturbation to me (no offense to
the academics among us).
Conversely, it reminds me of a discussion in Israeli science fiction
circles about whether self-published books are good because someone actually
did scifi and they raise awareness of the genre, or whether having a
Bad example of scifi on the shelves is negative to begin with.
Anyway, certification feeds a lot of consluttants and auditors. Job