On Tue, 13 Mar 2007, somebody wrote (attribution isn't clear to me):

> no. my feeling is that it focuses management on unimportant things like
> meeting checkpoints rather than actually doing useful things.
I heartily agree. "Compliance" almost always becomes (in the worst sense of the word) a mantra to chant down all disagreement. "Compliance" becomes the *administrative* stick-and-carrot, rather like a driver's license in the US. That is, every US citizen has this set of nominal "rights" that nobody can take away. On the other hand, a driver's license is a privilege, so you have to jump through some hoops to get it, and it comes with mandatory behaviors, not all of them legal, most of them administrative. Life in the US without a driver's license is marginal. So, administrators use driver's licenses to punish and guide behavior in ways nominally, or legally, forbidden. Wink wink, nudge nudge.

I'm most familiar with PCI, and some of the things that people put in it are just downright stupid. If you run your credit card processing on Solaris, why should you put in a virus scanner? Seriously, folks...

Since "compliance" becomes an administrative tool, the weapons against actually paying for "compliance" become administrative, hence the focus on meeting checklist items. A checklist can't really contain all the capability of a general-purpose computing system, as checklists do not have looping or decision making in them. So, they'll always have weird limits, and people will try to overcome those limitations by adding to the checklists.

"Compliance" becomes a rallying point for the professional meeting attenders, parasites and hangers-on, hierarchy jockeys.

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________