Industry IT Security Certification Proposed
Roberto123 writes "The US can build defenses against 'cyberwar' by having government and the private sector work together to confront the threat, a panel of experts said at RSA Conference 2011 in San Francisco this week. 'Chertoff called for a regulatory framework where company executives and board members sign on the dotted line, certifying what steps they have taken to secure their network, what backup systems they have in place and what level of resiliency is built into their IT system. “People take that seriously. Is it dramatic? No, but it moves the ball down the field,” Chertoff said. Schneier concurred, noting that holding individuals at a company accountable for certain protections has worked with environmental regulations and Sarbanes-Oxley, the post-Enron law that requires directors and executives to certify their financial results.'"
As a nation, we are fighting either politically or violently on too many fronts here. We have too many wars going on. To name a few:
Now there's "cyberwar". There should be no new wars until we declare victory or admit defeat on some of the existing ones. Actually when I consider how successful the ones in the (incomplete) list above have been, I think we can save a great deal of time just admitting defeat on all of them. Then, instead of a retaliatory "cyberwar" we can do something rational like secure our systems.
Is that really so much to ask? It'd be easier than what we are doing now.
It is a miracle that curiosity survives formal education. - Einstein
This will change nothing, and push us further towards a "Standards and Compliance" posture, and not a real security posture.
-Someone who does this for a living
Organizational types, suits, institution men, whatever you want to call them just love bureaucratic measures of compliance. They honestly believe the world is a better place when you do what you're told because the policy says so, and not when you take action because as a thinking man you can see that it's a reasonable step towards a worthy goal. That way they can measure down to fractions of a percentage point just how obedient you are and sanction you accordingly.
Is it any surprise that whenever government systems are audited for security they tend to do so poorly? Security is something that simply has to be right and declaration by fiat won't change what the right thing is. More than most other subjects, it exposes the crippling weaknesses of the top-down authoritarian approach and reveals the strengths of hiring people for their expertise and then listening to them so long as they remain reasonable.
Ok. If you're proposing something that will be as good as Sarbanes-Oxley... you probably need to find a better idea. Sarbox was a knee-jerk response to Enron and has done nothing but drive up costs.
Good thing that those tight accountability rules prevented the massive credit / derivatives bubble.
It will raise costs for IT services and create another ecosystem for 'certification holders' to milk.
Reminds me of iso9000..
---- Booth was a patriot ----
All "certifications" are scams at some level. Some worse than others, but at some point it's about wanting to get your money while doing very little. It will create a nice new market for testing centers, book writers and publishers, and study material makers, but will ultimately do very little. Think how much Microsoft Certified Engineer....
Hey, I bet HB Gary will want to get a piece of this action!
I fully support this - as long as we can hold policy makers to the exact same standards of punishment when things go wrong (like recessions, budget shortfalls, and other issues).
_ _ _ Go for the eyes Boo! GO FOR THE EYES!
... I will be busy building a new wooden fence around my property to keep out flies. I think that I will be about as successful ...
I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.
push us further towards a "Standards and Compliance" posture, and not a real security posture.
There's a reason for that.
Echoing the comments of Microsoft security chief Scott Charney from his Tuesday keynote calling for a “collective defense” of the Internet
The manufacturer of the deeply flawed system at the heart of most security problems wants everybody else to pay for the consequences, so they're lobbying lawmakers. They'd also be pretty happy if it props up a few buggy-whip businesses on the way.
What's the bet the certification requirements will read like:
"I've got more toys than Teruhisa Kitahara."
OMFG . . . when cluelessness attacks. How can anyone say that the post-Enron regulatory framework was anything except a clusterfuck? Show me the goddamned accountability in terms of real jail time.
I scream. You scream. I assume that means we're both acquainted with the problem. We proceed.
No patents will be enforceable when it comes to implementing Microsoft's proposed "collective cyberdefence".
echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc