In some email I received from Bennett Todd, sie wrote:

> > 1998-04-28-12:58:51 Anton Aylward:
> > 1997-09-22-18:37:11 Tina Bird:
> > >I know the ISSA offers some sort of IS security certification, but I have
> > >a vague recollection that it's pretty mainframe oriented.
>
> You'll find many vocal people --- Anton in the lead --- who will come
> charging out to deny this. You won't find anyone else who knows anything
> detailed about it --- they don't advertise enough detail to evaluate
> whether the test is worth anything or not --- so their word has to stand
> unchallenged, at least on this point. I really look forward to hearing
> what you have to say about this program.

Hmm. I've sat down with one of the ICSA guys and been through what they do. They do a lot of useful things and it is more than just running ISS a couple of times. Best of all, there's a great big wad of paper at the end with a complete report - just what management like to see so they know a job has been well done. They've spent time on it and are continuing to do so and I believe that it will be worthwhile. Its content is very interesting.

From an insurance point of view, the most important thing is that they have to sign for the status of their own network and accept its state for whatever it is.

There were some remarks about the cost of insurance and who'll be able to pay for it. Well, let's see. To me, those who have the most to lose are those who can afford to pay the big bucks (I've no idea of actual costs of anything here either so that's just a hypothetical). If IBM's firewall gets defaced/hacked, how much do they stand to lose, not just in time/materials, but also face? What if NFR's or TIS's WWW page was defaced? What does that say about them?

What it gets down to is that there is risk involved in "being on the 'net". Quite a considerable risk, if you were to ask me, given that we've heard recently about claims of people getting into classified computers.

What companies want to be able to do is take out insurance that "covers" that risk. What insurance companies need is some way to quantify that risk. This topic has been brought up before (of firewalls, I think) but at that stage, there were no real cases.

So why should we trust the ICSA? Well, we've got to trust _someone_ and if the "experts" such as Marcus are too cynical/biased (not that I can blame him :-) then there needs to be some sort of body of people who are willing to take up that and run with it.

If your boss walked in tomorrow and asked you how you knew your firewall was protecting you, what would you use as evidence? (If you are your own boss, pretend you're not). If before you connected your site to the 'net you were required to have a detailed report of your firewall's strength, what would you do? Sure, there's a handful of people running around who can do this, but what assurance do you have that you're getting the right people? Do you look for ISO qualifications for their reporting or CISSP exams passed or 10 years spent hacking on sendmail or 10 years spent breaking into .mil sites?

I'm not saying that I've been "converted", but I think there's part of this reality which a lot of us are ignoring for one reason or another. Whilst a lot of us know and realise what these certifications can really be worth, I'm almost just as sure we don't stop to think about why people want them and accept that perhaps, from where they sit, they do have a need for this.

Hmmm, I think I've just opened a great big can of worms :-)

Cheers,
Darren

p.s. please don't just flame or respond but think your reply through so at least the argument is substantiative.
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:57:24 PDT