Industry IT Security Certification Proposed
Roberto123 writes "The US can build defenses against 'cyberwar' by having government and the private sector work together to confront the threat, a panel of experts said at RSA Conference 2011 in San Francisco this week. 'Chertoff called for a regulatory framework where company executives and board members sign on the dotted line, certifying what steps they have taken to secure their network, what backup systems they have in place and what level of resiliency is built into their IT system. “People take that seriously. Is it dramatic? No, but it moves the ball down the field,” Chertoff said. Schneier concurred, noting that holding individuals at a company accountable for certain protections has worked with environmental regulations and Sarbanes-Oxley, the post-Enron law that requires directors and executives to certify their financial results.'"
This will change nothing, and push us further towards a "Standards and Compliance" posture, and not a real security posture.
-Someone who does this for a living
Organizational types, suits, institution men, whatever you want to call them, just love bureaucratic measures of compliance. They honestly believe the world is a better place when you do what you're told because the policy says so, and not when you take action because as a thinking man you can see that it's a reasonable step towards a worthy goal. That way they can measure down to fractions of a percentage point just how obedient you are and sanction you accordingly.
Is it any surprise that whenever government systems are audited for security they tend to do so poorly? Security is something that simply has to be right and declaration by fiat won't change what the right thing is. More than most other subjects, it exposes the crippling weaknesses of the top-down authoritarian approach and reveals the strengths of hiring people for their expertise and then listening to them so long as they remain reasonable.
It is a miracle that curiosity survives formal education. - Einstein
Ok. If you're proposing something that will be as good as Sarbanes-Oxley... you probably need to find a better idea. Sarbox was a knee-jerk response to Enron and has done nothing but drive up costs.
Good thing that those tight accountability rules prevented the massive credit / derivatives bubble.
It will raise costs for IT services and create another ecosystem for 'certification holders' to milk.
Reminds me of ISO 9000...
---- Booth was a patriot ----