Thread: Compliance

Compliance
2006-06-08 13:16:35
That's what it means to "get it"--you tie what you are doing security-wise back into what it means to you as a business or organization.

If you are the US Coast Guard, we say that your business is protecting the ports and seaways, and this is how a particular security control ties into what you do and if you need it or not. That's the crucial step into governance that most people won't make. We're usually too busy fixing vulnerabilities or the worm of the week.

If you are a credit card processing company, we identify the type of data that you transmit and identify the risks to the data and to your business, then each risk is evaluated on a cost-benefit basis. The problem is in trying to evaluate qualitatives like "loss of customer trust", but if you can look at what your business is, that will help you make reasonable risk-based decisions.

I always use the mission statement. It's one of those trendy MBA things that irks techies, but it does serve a purpose. "Our aim is to be the nation's foremost supplier of frobulators" translates directly into me that all the IT security I do has to be focused on that one goal. If the security makes that mission impossible, then the problem is mine and security needs to take a back seat.

The problem with regulations and standards is that they are generic in purpose, so it's relatively easy to be compliant with them without any true impact on what you do as a business. I think that's the gist of your original question. The easiest way to explain it is if you are doing everything right (getting it), then compliance (doing it) is easy, but compliance doesn't make you do everything right.

HTH
--Mike




Michael J Smith, CISSP-ISSEP michael.j.smith@unisys.com
Information Security Architect
703.855.0890 C
"Those who do not understand Unix are condemned to reinvent it, poorly."
--Henry Spencer

> -----Original Message-----
> From: Mark Curphey [mailto:mark@curphey.com]
> Sent: Thursday, June 08, 2006 8:05 AM
> To: Smith, Michael J.; psrc@securityfocus.com
> Subject: RE: Compliance
>
> So how do "you" go about selling the virtues of getting it to companies?
> Does "getting it" save you money? Does "getting it" improve customer loyalty?
>
> I agree with you but playing devil's advocate as I am interested in others' approaches to this.
>
> -----Original Message-----
> From: Smith, Michael J. [mailto:Michael.J.Smith@unisys.com]
> Sent: Thursday, June 08, 2006 7:48 AM
> To: Mark Curphey; psrc@securityfocus.com
> Subject: RE: Compliance
>
> I talk about this all the time when I teach Certification and Accreditation.
> It's compliance versus IT security governance.
>
> There are people who "do it" and the people who "get it". The people who "do it" go through the motions and they just want to check a box on a list of compliance requirements. The people who "get it" understand the reasoning behind why these requirements exist in the first place.
>
> Unfortunately for us, there are more of the former and less of the latter.
>
> Cheers
> --Mike
>
> Michael J Smith, CISSP-ISSEP michael.j.smith@unisys.com
> Information Security Architect 703.855.0890 C
> "Those who do not understand Unix are condemned to reinvent it, poorly."
> --Henry Spencer
>
> > -----Original Message-----
> > From: Mark Curphey [mailto:mark@curphey.com]
> > Sent: Thursday, June 08, 2006 7:03 AM
> > To: psrc@securityfocus.com
> > Subject: Compliance
> >
> > OK great debate earlier this week. Here's another food-for-thought comment to stimulate the packet flow.
> >
> > I propose people are not interested in complying with regulations and standards, but are interested in not being caught out of compliance.
> >
> > Thoughts? Opinions?
>
> 
Compliance
2006-06-08 14:13:27
Clearly, Michael gets it.

Compliance is a forcing function - but if all you are doing is separating some duties to meet an administrative need, then you will not do adequate separation to mitigate the aggregated risks associated with excessive control by individuals or small groups. The auditors won't understand your business and make decisions about things for you - they will only find places where you have failed to meet minimal compliance mandates. If your process is poor at identifying risks, you will continue to have lots of them that the auditors will not find.

FC

On Jun 8, 2006, at 6:16 AM, Smith, Michael J. wrote:

> That's what it means to "get it"--you tie what you are doing security-wise back into what it means to you as a business or organization.
>
> [...]

-- This communication is confidential to the parties it is intended to serve --
Security Posture          securityposture.com     tel/fax 925-454-0171
University of New Haven   unhca.com               572 Leona Drive
Fred Cohen & Associates   all.net                 Livermore, CA 94550
ASP Press                 asp-press.com
