C & A Security


Certification and Accreditation. Is it the path to security? Does it even purport to be that? I find myself asking that question as I review the site security plan we are putting together where I work. I'm all for best practices, but no single best practice is applicable everywhere. As Jesper Johansson has written, it is a myth that security checklists will protect you.

I liked what Richard Bejtlich said about this:
Millions of dollars and thousands of hours are spent on C&A, and C&A levels are used to assess security. In reality C&A is a 20-year-old paperwork exercise that does not yield improved security. The only real way to measure security is to track the numbers and types of compromise over time, and try to see that number decrease.


About this Entry

This page contains a single entry by Roger published on September 16, 2005 9:03 PM.