I think a policy framework would be great, especially taking it from two perspectives.

One using a centralized regulatory model where policy directives are pushed out to other departments or business units. The other based more on the ISO and COBIT type standards.
The issue I see with mapping in an open source project is that some of these regulations specifically prohibit you from reposting/sharing the information, so there needs to be a way around that issue.
Jason Bevis
CISSP, ISSMP
-----Original Message-----
From: listbounce securityfocus.com [mailto:listbounce securityfocus.com]
On Behalf Of Doug Markiewicz
Sent: Wednesday, February 07, 2007 11:30 AM
To: seclists008 hushmail.com; psrc securityfocus.com
Subject: RE: Food for Thought
> I hope people are going to wake up and smell the coffee about compliance. You can't buy technical security tools to help you achieve compliance against many of the regulations. As soon as people realize that we can all focus on the important work.
You can't buy a bunch of tools to achieve compliance, but you can certainly buy security tools to assist you in achieving compliance, whether you're focused on your network or your information.
> Note PCI specifying web application firewalls is almost criminal.
Alrighty then.
> Someone releases some decent policies and standards for free!

Hopefully that doesn't imply that one should be able to download a set of policies and be good to go. It certainly requires more work than that.
I do agree, though, that an open source project to develop a comprehensive policy framework would be nice. Complete with mappings to ISO, regulations, etc., it would be even better. Unless there's something already out there that I don't know about.
-----Original Message-----
From: seclists008 hushmail.com [mailto:seclists008 hushmail.com]
Sent: Wednesday, February 07, 2007 9:34 AM
To: psrc securityfocus.com
Subject: Re: Food for Thought
I hope people are going to wake up and smell the coffee about compliance. You can't buy technical security tools to help you achieve compliance against many of the regulations. As soon as people realize that we can all focus on the important work.

I hope finally people will stop focusing on the network and focus on the information.
5 Wishes

1. Someone would build a decent open source platform to manage day to day life in an info sec dept. I am tired of building things myself.
2. Someone will educate regulators / regulators will consult the industry about best practices. Note PCI specifying web application firewalls is almost criminal.
3. People will get back to basics and then tackle the cream.
4. Someone releases some decent policies and standards for free!
5. My boss will roll up in a heap and keel over.
ListStimulation(nudge);
Anyone playing the "What's hot and what's not at RSA this week"? More NAC, less DAC, or is it more red buttons and tools with compliance written on the box? Is there anything truly cool happening in the security industry today?

If not, why not? If yes, what is it? If you had 5 wishes on the industry, what would they be?
ListStimulation(relaxed);