Re: How do we do our job? (was Re: Network Security Certification)

From: darrenrat_private
Date: Wed Apr 29 1998 - 09:01:00 PDT


    In some email I received from Bennett Todd, sie wrote:
    > 
    > 1998-04-29-12:59:54 Darren:
    > 
    > > If your boss walked in tomorrow and asked you how you knew your
    > > firewall was protecting you, what would you use as evidence?
    > 
    > I'd point to our security policy.
    [...]
    
    So what?  Who's verified that your security policy is any good?
    Anyone?  Maybe it's just full of mumbo jumbo that looks impressive
    but is full of loopholes?  The need for 3rd party review simply
    cannot be ignored.
    
    > > Sure, there's a handful of people running around who can do this, but
    > > what assurance do you have that you're getting the right people?
    > 
    > The same assurance you have when getting any kind of people. If you have
    > the expertise in house to grill the candidate, then you do; if you don't
    > have that expertise then evaluate candidates based on how well you like
    > them and the extent and relevance of their claimed experience, then
    > check their references carefully. This is an old problem with an old and
    > well-trusted solution.
    
    I don't trust the interview method.  I've come across one person who was
    employed on the basis that they did well in cross examination but when
    put in the field...well...they failed mine :-)
    
    > > Do you look for ISO qualifications for their reporting or CISSP exams
    > > passed [...]
    > 
    > I sure wouldn't, any more than I'd look for certificates when picking a
    > systems administrator, or a programmer, or anybody else. Certificates
    > demonstrate a desire to get certificates and a skill at getting
    > certificates; I've never had any use for that desire and ability.
    
    Do they?
    
    What about cases where there's a need to get certificates in order to
    get business?  If you wanted to get in on a Government Contract but
    in order to do so you needed ISO 9000, would you decide to turn it down
    based on that?  In my mind, it is reasonable to expect that some
    certificates are there because they don't represent just a desire to
    get the certificates, but a desire to do the work required to get them
    too and a desire to meet a client's needs.
    
    Darren
    