In his article which opens the Feb 2013 issue of the /ISACA Journal/, Steven Ross tackles this problem quite insightfully. I like how he points out that standards which are often referred to as "best practice" are really "just okay practice". He points out that ISO/IEC 27001 as it currently stands is now more than seven years old and a lot has happened since. Further, by the time the updated standard is published this year, even that will be out of date as it will cover issues prevalent whilst the committee worked on the standard, not those as of its release date.
In my opinion, compliance is a necessary evil and is in many cases an excellent first step. At the very least, it raises awareness and puts certain critical issues on the table, especially at the C-suite. In this regard I must respectfully disagree with Zak's view that there are cases where you can afford /not/ to comply. Whilst from a technical perspective I agree that mandating on-access anti-virus on GNU/Linux desktops (today) is for the most part useless, using this "technical uselessness" as a ticket to throwing out all the benefits of compliance would seem like throwing out the baby with the bathwater. What most people and companies miss is that whilst an excellent and necessary first step, compliance is not the be-all and end-all of it. It's surely no silver bullet but is merely the first step of many on a journey towards organisational maturity, necessitated by the hyperconnected era of The Internet of Things which we've already entered.

Kind regards,
Jijo

--
*Federico Sevilla III*, CISM, CISSP, PMP, MACS CP
Chief Executive Officer
F S 3 Consulting Inc.
http://www.fs3.ph

On 03/06/13 09:45, Tito Mari Francis Escaño wrote:
> The author of the thread discussion must be working in an organization
> where strict compliance is a must-have, like financial or credit card
> processing companies. Even MasterCard and VISA require their partners
> to comply with such requirements to be certified and graded accordingly
> as affiliates.
> However, considering Zak's expressed opinion on the matter, compliance
> is not a fail-safe measure against being hacked or defaced online, but
> it's a security blanket to set up an IT infrastructure that in itself
> is secured to some level. Whether it will fail or not is in the hands
> of the IT staff managing that infrastructure. As they say: a fool with
> a tool is still a fool.
>
> I once worked with a financial organization that's so compliant that
> working was a bore since I couldn't immediately install or deploy
> software or changes that should be implemented. Last April 2012, they
> were hacked and sensitive information was stolen from them, their IT
> infrastructure compliance notwithstanding.
>
>
> On Wed, May 29, 2013 at 7:11 PM, Zak Elep <[email protected]
> <mailto:[email protected]>> wrote:
>
>     On Wed, May 29, 2013 at 7:02 PM, [email protected]
>     <mailto:[email protected]>
>     <[email protected] <mailto:[email protected]>> wrote:
>     > You know very well what you posted is personal opinion and won't
>     > make sense to any high grade requirement like sox :-)
>
>     Maybe. Most likely we're just dealing with different cases. I'm not
>     saying compliance is a bad thing, but there are the cases where you
>     can afford _not_ to comply.
>
>     --
>     Zak B. Elep || zakame.net <http://zakame.net>
>     1486 7957 454D E529 E4F1 F75E 5787 B1FD FA53 851D
>
_________________________________________________ Philippine Linux Users' Group (PLUG) Mailing List http://lists.linux.org.ph/mailman/listinfo/plug Searchable Archives: http://archives.free.net.ph

