[funsec] why is certification useful anyway? [was: PCI]

Gadi Evron ge at linuxbox.org
Tue Mar 24 08:29:19 CDT 2009

nick hatch wrote:
> Until the details are known in full, it seems a bit premature to debate 
> the effectiveness of PCI and use Heartland as evidence one way or 
> another. Even if the transactions were encrypted on the wire, a lack of 
> internal controls could still allow a theoretical insider to run amok.

It seems like one of the main arguments against PCI in this thread is 
that you can simply fake it and pass auditing.

I believe that is true of any security certification or regulation 
(which I've seen).

The organization can create a few documents, appoint a couple of people 
with some extra titles such as "CSO", and they're done.

On the other hand, I believe certification provides a clear plan on 
where to go with security for those without the knowledge, as well as a 
measurement criterion by which to see success and allocate resources. 
The latter is especially important when dealing with the board and 
fighting for a bigger (or uncut) budget.

I find standardization very useful. As far as outsourcing, partners, 
and even ad services go, certification is one of the only ways by which 
we can know what level of security "the other guys" who are outside our 
sphere of influence have.

Certification *can* be useless, but it does help if you *want* to use 
it. It allows your organization to potentially mature in how it handles 
information security, and forces others to invest *something* in security.

The question of whether investing *something* in security is a Good or 
Bad thing over investing nothing seems outside of the current 
discussion, and sounds like academic masturbation to me (no offense to 
the academics among us).

Conversely, it reminds me of a discussion in Israeli science fiction 
circles about whether self-published books are good because someone actually 
did scifi and they raise awareness of the genre, or whether having a 
Bad example of scifi on the shelves is negative to begin with.

Anyway, certification feeds a lot of consluttants and auditors. Job 
security? :)
