At 9:29 AM -0400 3/30/07, Benjamin Tomhave wrote:

> SOX has been a complete waste, imo. First, the majority of it was already covered in existing law. Second, it really has nothing to do with security from a practical standpoint. The only purpose SOX has served is to give auditors another source of revenue. And, worse than that, it initially gave auditors the appearance of more power and responsibility, which I saw carried out in external auditors trying to dictate to businesses how the business should operate (and not in a good way). Talk about a fundamental violation of independence and objectivity. The pendulum has fortunately swung back on that trend.
>
> PCI DSS, on the other hand, has been a very good effort with real, meaningful results. Why is this? Well, for one thing, it's specific. As opposed to SOX, which paints with broad strokes and focuses on truth in reporting (gross oversimplification), PCI DSS goes into technical detail on what activities must be implemented, what minimum measures are for adequate security in a system, etc. Perhaps the best example of this thought is section 3.6 in DSS v1.1, where it details the minimum requirements for key management. It makes my job much easier having this level of detail, with much less left to interpretation (again, unlike SOX, where almost everything is open to interpretation and the whim of your auditors).
That parenthetical comment is almost verbatim the description of SOX I received from someone who is subject to SOX audits.

My own nomination for specificity in security standards is NIST Special Publication 800-53 (currently at Revision 1).

http://csrc.nist.gov/publications/nistpubs/index.html#sp800-53-Rev1

Through all the controls there is only one requirement with which I disagree.

--
Larry Kilgallen

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________