Thread: RE: Food for Thought

RE: Food for Thought
user name
2007-02-07 10:29:51
> I hope people are going to wake up and smell the coffee about
> compliance. You can't buy technical security tools to help you
> achieve compliance against many of the regulations. As soon as
> people realize that we can all focus on the important work.

You can't buy a bunch of tools to achieve compliance, but you can certainly buy security tools to assist you in achieving compliance, whether you're focused on your network or your information.

> Note PCI specifying web application firewalls is almost criminal.

Alrighty then.

> Someone releases some decent policies and standards for free!

Hopefully that doesn't imply that one should be able to download a set of policies and be good to go. Certainly requires more work than that. I do agree though that an open source project to develop a comprehensive policy framework would be nice. Complete with mappings to ISO, regulations, etc. would be even better. Unless there's something already out there that I don't know about.



-----Original Message-----
From: seclists008hushmail.com [mailto:seclists008hushmail.com] 
Sent: Wednesday, February 07, 2007 9:34 AM
To: psrcsecurityfocus.com
Subject: Re: Food for Thought


I hope people are going to wake up and smell the coffee about compliance. You can't buy technical security tools to help you achieve compliance against many of the regulations. As soon as people realize that we can all focus on the important work.


I hope finally people will stop focusing on the network and focus on the information.

5 Wishes
1. Someone would build a decent open source platform to manage day to day life in an info sec dept. I am tired of building things myself.
2. Someone will educate regulators / regulators will consult the industry about best practices. Note PCI specifying web application firewalls is almost criminal.
3. People will get back to basics and then tackle the cream.
4. Someone releases some decent policies and standards for free!
5. My boss will roll up in a heap and keel over.



ListStimulation(nudge);

Anyone playing the "What's hot and what's not at RSA this week"? More NAC, less DAC, or is it more red buttons and tools with compliance written on the box? Is there anything truly cool happening in the security industry today? If not, why not? If yes, what is it? If you had 5 wishes on the industry, what would they be?

ListStimulation(relaxed);






RE: Food for Thought
user name
2007-02-07 13:16:04
Hi Doug,

Look for an announcement to this list about the "ISM-Community" before the end of the week.

Essentially it is a free to join community based project for people interested in Information Security Management. I started OWASP back in the day and so we will use much of what I learnt about communities there. We'll be inviting people to lead projects (such as a policy framework), start local chapters and lots more. We plan to have some online applications such as a Threats and Countermeasures database as well in time. A few of us have already been working on a simple fast and efficient qualitative risk assessment methodology.

Also I posted a link to an interesting page cross-referencing regulations. You have to register in their site to use it but it seems OK so far.

http://securitybuddha.com/2007/02/06/security-regulations-cross-referenced/

Blue skies! 

-----Original Message-----
From: listbouncesecurityfocus.com [mailto:listbouncesecurityfocus.com] On Behalf Of Doug Markiewicz
Sent: Wednesday, February 07, 2007 5:30 PM
To: seclists008hushmail.com; psrcsecurityfocus.com
Subject: RE: Food for Thought
