In some email I received from Bennett Todd, sie wrote:

> > 1998-04-29-16:01:00 Darren:
> > So what ? Who's verified that your security policy is any good?
>
> How do you verify a security policy, anyway? Since a security policy is
> just a written cache of decisions you've worked out the hard way (by
> analysis and negotiation) it comes to, how do you verify a
> decision-making process? Rotsa Ruck. Gotta have one to get the job done,
> no way to prove you're doing it right.

You write down why you make decisions, for a start. I know lots of people in
this industry hate documentation (for one reason or another), but if you were
to leave and someone else picked up your security policy and said "why is this
here ?", they should be able to find the answer right there too and not feel
like "well, I don't understand this, I want to change it so <delete>".

> > What about cases where there's a need to get certificates in order to
> > get business?
>
> Never worked in such a field. Some of my employers have, but never
> anywhere near the computer side of operations.

Really ? Never seen a job advert asking for a CNE or MCSE ?

> > If you wanted to get in on a Government Contract but in order to do so
> > you needed ISO 9000, would you decide to turn it down based on that?
>
> Put it more simply: are you a beltway bandit? I'm not, so I wouldn't
> dream of pursuing ISO 9000, and I have trouble imagining me working at a
> place that would pursue ISO 9000 certification.
>
> On the other hand, if I were an amoral leech hooked up to the federal
> udder and sucking for all I was worth, I'd have my ISO 9000
> certification in a shiny frame, and have certified copies printed up to
> give away to prospective ``customers'', before I serviced them.

Really ? Maybe it's true of some, but maybe there are those who aren't. Are
you sure you want to make a generalisation like this ?

It's not that I don't doubt that there are some who use those sort of plaques
as show pieces, but someone has originally spent time and effort getting that.

> > In my mind, it is reasonable to expect that some certificates
> > are there because they don't represent just a desire to get the
> > certificates, but a desire to do the work required to get them too and
> > a desire to meet a client's needs.
>
> In some industries this is true. Such industries aren't places where
> I'd work. Interestingly, such industries have been quite impressively
> conspicuous for poor security.

Hmm. You must be talking about the computer industry then :-)

Darren
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:57:54 PDT