There is no norm for ethics in IT I think
on Ethics In IT (Score: 4, Informative)
I've had to familiarise myself with Sarbanes-Oxley (which applies only to US-listed companies anyway) and that is the only piece of legislation which I am aware of which requires regular sign-off of ethical conduct, and that only applies to the board I believe. Elsewhere, for IT workers, both the CISSP and CISA certifications require that a standard of ethical conduct is maintained, and a declaration of such is made by the applicant.
I think ethics are only defined in this way, as a requirement for membership of specific professional organisations or for the holding of certain credentials, but these are the only ones I'm aware of. Beyond that, and this is the point, having conducted audits and reviews of a number of companies and the governance of their IT, I think this topic is universally ignored for IT staff specifically. I cannot recall once seeing the discrete topic of "Ethics" enshrined within the IT policies and standards of any major company I have inspected. The best thing you can do is collect and review a number of general "End User" policies from different places and see to what degree promises to not view porn, sell secrets, access stuff you shouldn't, etc., etc., are reflected, and quantify them against the ethical requirements being taught on your MBA. IT user policies can be dredged up from the Internet ten a penny, and they should allow you to gather sufficient of them to launch an academic argument as to the provisions for ethical conduct they establish within companies or public bodies in general. The degree to which they are obeyed is impossible to measure, but you can certainly speculate on the need for regular training on ethics.
I have discovered a way of making a bomb that I can hide up my ass. It's the size of a watch battery, and sends out telepathic waves which turn all pilots into priapic lunatics who will instantly wrestle with the controls, slavering with depraved lust while they turn the nearest convent school into a hideous fireball.
My method is simple. I am going to wait until such technology is made available on the Internet. You can't stop me John Law, you hear me! I'm a-coming for ya!
The more you tighten your grip, the more star systems will slip through your fingers....
The article was dull, and mendacious (that car analogy is entertaining for a few seconds until you try and draw a parallel with anything other than whether Chewbacca lives on Endor or Kashyyyk).
Sure, there is crap security out there, but anyone who calls out 'best practice' as flawed is being deliberately obtuse. Bodies of knowledge like ISO 17799 and COBIT aren't pills to be swallowed whole, they are frameworks, and picking out recommendations within them with the purpose of showing them as ineffective is not very challenging. Hey, here's one: your wifi must have WPA enabled, but 'we haven't got wifi in our dept'... How we all laughed.... crazy IT monkeys!
Nothing to see here people.... oh, and don't bang on about the books you've read either mate, especially Sun Tzu and Machiavelli, if you're going to be a prick, be creative about it, don't rip it off from the business aisle!
720p doesn't look much better than standard def??? Are you kidding me? Do you even own an HD set? 1080p is indistinguishable from 720p on screens 40" or under in size, which is (I am guessing here) probably 90 per cent of all flat panels sold. Maybe you have a 50" set, in which case, enjoy watching the news look like a psychotic Tetris game.
Won't be buying this - contains FUDge
on Security Metrics (Score: 0)
All assessments of IT controls today are, and should be, based upon a risk-based approach. My understanding is that this is a dialogue where the business objectives are outlined and any threat to their successful achievement is identified and countered through the implementation of measured controls. This is a continual process and forms the backbone of security management.
I read the review hopeful that it would indicate that this book offers something new and valuable in the area of quantitative assessment of security risks. "Trashing" ALE is not exactly hard; most shops I've been in don't use quantitative risk analysis but use qualitative risk analysis, which for better or worse lets us all formally agree and tackle what are frequently blindingly obvious threats in an efficient manner. This allows for the input of the professionals, managers, etc. who have a responsibility for and clear idea of the risks to their systems, while allowing for the oversight of security / controls professionals who can winkle out the risks that the business and its support functions may be either not willing to admit to, or simply ignorant of.
My main issue with the author's post is the following quotation about Risk Management:
"...simply a vendor excuse about how products help you "manage" risk by serially enumerating and eliminating defects without helping companies understand whether it makes any difference whatsoever."
You can't say that. It isn't true, and the briefest of alternate suggestions would be appropriate if you're going to be 'controversial'... Risk management should be, and normally is, a well-defined form of dialogue between the business and the controls staff, whether IT audit or security experts. While it is true that this oftentimes uses checklists, standards, best practices and assorted generic frameworks as a means of substantiating an approach, it clearly does not preclude but actually enables meaningful debate on the issues the business faces. Having worked in IT security as a penetration tester, an IT auditor, and governance and compliance manager, I find the comment to be either misguided or purposefully disingenuous about the nature of the process at work, and if you can't get the risk assessment side of things right (which is not really too hard) then it's time for everyone to pack up and go home.
This book seems to be playing the same game the reviewer is so concerned with: the propagation of FUD. The only difference here appears to be that we aren't talking firewalls, but governance processes, and the author appears ill-equipped to comment on them...
Uh, uh, ??? WTF good is it to have OpenOffice on something with a bloody wobbly stick and no keypad, and the whole VoIP thing over wi-fi sucks ass even when it's an official feature on dedicated hardware. PSP is just crap. I see them on the tube all the time, and everyone I see with one looks like a stupid prick who should still be in short trousers with a big fucking cone stamped D on their head. Just my 2 cents.
Well said,
I perceive two issues with IT SOX compliance that I would like to share. I've worked in info-sec and IT audit now for about six years. I am largely in favour of SOX, but the perception that it is not 100 pc yet may be due to the following:
1. SOX is not effective due to its scope. You must monitor systems which relate purely to reporting the bottom line or general ledger, but then downstream systems which are being defrauded can legitimately be considered outside of this scope, and subsequently be utilised to further fraud with SOX impunity.
2. SOX auditors are, in my experience, technically challenged dunces, chancers, and bullshitters of the highest order, and they are far too expensive.
I think that the solution, over the next ten to twenty years or so, will come from the tech sector, and from technologists, when we have a de facto, high-profile set of standards and methodologies that ensure all systems and applications are developed and maintained securely. This will probably only happen when a tech security issue engages public and commercial consciences in spectacular fashion, e.g. DNS being pwned for weeks.
I think the solution, for IT, should come from inside, not outside.
Yep, that's pretty awful really, some dude drops 26 bill and it's not enough. 26 Billion is WALKING AROUND money, it is a COLOSSAL sum of cash, and it must be worth even more in India, where I gather most of it ends up.
Yeah, there is a hint of PR about it, even some degree of strategic thinking in aligning your efforts with a software tiger economy. Given that Gates is so utterly maligned, and has been for years, can you really blame him for not keeping this utterly quiet? It would have been a task in itself.
Hats off to the guy, he is saving lives, and lots of them, and anyone who approaches this from the perspective of the Open Source v M$ debate should be properly ashamed of themselves. Really.
Finally, this is Slashdot, the community Bill would happily send his storm troopers into to demolish given half a chance. This is where we come to dump on old Borg-face himself, so it's interesting, heartening, and a measure of the consistent quality of debate found here, that most of the responses are quietly supportive of what he has done with his foundation.
Buy it and install it on your pc before we kill you.
Am I first?
Ah, now this'll never work, a more sensible option would be a fleet of DVD delivery boys on Segways. Smell the future, Jeffrey.
Just thought I'd say that, despite not wanting to use this service, I wish it ran on Linux.