Great Circle Associates Firewalls
(February 1998)
 


Subject: Re: Use the CISSP, Luke (was Re: Certifying Security Auditors)
From: Larry Kwiat <Larry.Kwiat@gov.yk.ca>
Date: Thu, 19 Feb 1998 11:39:56 -0800
To: Bennett Todd <bet@rahul.net>, Anton J Aylward <anton@the-wire.com>
Cc: firewalls@GreatCircle.COM

Bennett,

I hope you don't interpret this as a flame. I don't intend it that way;
some of these are probably going to be hard words for you to read.

At 04:10 AM 2/19/98 -0800, Bennett Todd wrote:
>1998-02-18-22:51:30 Anton J Aylward:
>> So when you do a security audit [...]
>
>I don't do security audits. I am a security administrator, and attempt
>to guide the development of security policy, and implement that security
>policy for our computer systems. I also find myself in the position of
>trying to interview potential auditors, from time to time.
>
>The audit teams include people who are grovelling through paper records.

If your view of that is "grovelling" it probably has a heavy influence on
how you will interpret the results, and the way you state a case based on
them.

>They don't tend to interact with me much, and the results they deliver
>don't seem to have much bearing on my work.

This could well be the result of you having very different viewpoints and
expectations, and almost nothing to do with the results themselves.

>
>If you're saying that the CISSP is a good test for everything about a
>computer security audit except the computer security part, well, cool,
>that may well be, but the people who don't do computer security are the
>people I don't interact with.

I've found that information security is so much a larger subject than the
technical details of an information network, that it is often a matter of 
choice to manage the information network portion of the whole subject by 
its inputs and outputs as a whole: the functional descriptions of the 
people who run it and use it and fix it for example. And also to add 
other considerations that deal with due process, physical access, waste
control, vendor contracting, and so on. If you try to do information 
security in this day and age by micro-managing the technology, you are 
in more potential trouble than you can imagine.

>
>> There's a lot more stuff which is very specific, things to do with
>> patents, tort and contract law.  Of course this isn't 'techie'
>> stuff, but is still of direct relevance to INFORMATION SECURITY,
>> just as much as a UPS or a lock on the door, which are also not
>> things usually "on line".  
>
>I can see the interest and use for these things, to other people in
>other parts of our organization. Out of curiosity, why are you jumping
>up and down screaming about how wonderful the CISSP is on the firewalls
>mailing list? Sounds like there's a nebulous connection at best between
>the job the CISSP does and the job a firewall admin is going to be
>doing.

It is a small part (firewalls) but the concept of a firewall is that it
reflects the information by its "meta-data" qualities to the policy and
management perspectives of the organization. And from that perspective,
I don't really care HOW a firewall performs in techie-detail, but as a 
manager of information security issues, I very much care THAT it performs
to our specifications, and that we have realistic specifications. 
(same with the techie that runs it)

>
>> A lot of the stuff on line might be inaccessible in the event of 
>> a disaster, for example if the instructions to recover a server are
>> stored on-line, on the server....
>
>Boy, that would be a pretty weak disaster recovery situation. Most of us
>go for off-site replicated servers with enough info to cover the first
>few hours, and tapes to pick up from there.

...and doesn't _that_ fry your security picture if it hasn't been worked 
out as well as the normal operation was, or better...

>
>> If you're limiting yourself to security alerts and software
>> vulnerabilities, then you're back in the domain which earlier
>> you've said certification can't deal with, that of the transient,
>> specific programs on specific machines at specific times; which
>> will all get outdated.
>
>Security alerts, software vulnerabilities, and techniques for protecting
>systems from threats are the domain I work in. They're pretty much the
>domain of your typical firewall admin.
>

I think there are some jargon problems here. The technical mind tends to 
use the word domain in a technical sense. In management circles, span of 
control is maybe a good relatable term. That span of control contains an 
element in it called "a technical person and the firewall they run" which
is a sub-domain in the span. From the security management perspective, the 
most important consideration is that the sub-domain I am referring to 
_remains_ a sub-domain, and all its inputs and outputs and considerations
remain clear and manageable: that it has a good "fit" in the larger picture.

The "big picture" of authenticity for a person managing information
security issues well for an organization has so much in it. Detail, where
that detail changes so quickly, must be sacrificed to a greater god. That
doesn't mean throwing the baby out with the bathwater, it means building a
good integrity around it - protecting it at a higher level by managing the 
concepts (inputs, outputs, design considerations, operation considerations) 
well.

>> There are many things which the CISSP examines which are not technical.
>
>Yeah hoo. The problems I've had with poorly-qualified auditors were in
>missing or obsolete technical skills.
>
>So perhaps the CISSP isn't useless, it's just irrelevant to the area
>where we've been seeing problems.
>

or, perhaps it isn't being applied properly. (btw, I'm not a CISSP holder)

>> If you're restricting yourself to just the techie aspects, 
>> you're not going to do much good as an auditor.
>
>If I were an auditor, I'd need additional skills. However, those
>additional skills aren't the place where the bad auditors I've seen
>showed up weak; it was in the computer skills.
>

If you don't have the skills, you may need to employ them. Auditing is
not always a first-hand thing, that's a misconception.

>> I'm sure there are many people - besides Mark T and myself - who can
>> quote you examples of all the technical parts being there, but the
>> policy, the procedural or the human aspects falling short.
>
>Could be. I don't recall seeing that sort of problem quoted before. But
>if non-computer-related general auditing skills are what the CISSP is
>good for, that's all fine, and irrelevant to my interests --- or to the
>problems and examples that were brought up earlier in this thread.
>
>I stand by my claim that a computer security professional requires a
>skill set that moves very rapidly; a test can only report whether an
>individual has a good grasp of a painfully obsolete body of knowledge.
>

The point you make is accurate. The testing must be on issues that are
at a high enough level in functional terms that they are humanly manageable.
(or broadly enough declared, depending on how you are spatially oriented in 
your understanding - I have no wish to promote an argument over geometrics).

I assume since the CISSP exists, and is held by many people, that it must have
at least some kind of credibility to the overall subject of information 
security, and as such must deal in some kind of adequate fashion with the 
sub-domain of this that the post is about: firewalls and the design, technology
and operational considerations around them on a network.


Sincerely,

Larry Kwiat
Security Coordinator
Government of Yukon
Larry.Kwiat@gov.yk.ca
Phone: (867) 667-8081


