C & A Security

Certification and Accreditation. Is it the path to security? Does it even purport to be that? I find myself asking that question as I review the site security plan we are putting together where I work. I’m all for best practices. But one best practice is not applicable everywhere. As Jesper Johansson has written, it is a myth that security checklists will protect you.
I liked what Richard Bejtlich said about this:
Millions of dollars and thousands of hours are spent on C&A, and C&A levels are used to assess security. In reality C&A is a 20-year-old paperwork exercise that does not yield improved security. The only real way to measure security is to track the numbers and types of compromise over time, and try to see that number decrease.