Hi Vijay,
Absolutely agreed; however, there are 2 main issues about the company
that got certified and got hacked:
1. Certification standards are merely frameworks; people and their
expertise will make or break IT security especially. Standards
like BS cover a lot of other things, including IT-SEC. But a framework
complements expertise; it is not a substitute for expertise.
2. If certifications are treated as just a few check boxes which need
to be checked without having a risk-based approach, it will give you the
certification but not the desired security level.
All depends upon who the 3rd-party auditor is, what their
credentials are, and how well-informed and skilled people they have who can
guide the organization onto the right path.
There is a lack of a standard threat, vulnerability and risk modelling
approach, and moreover finding the right balance between the business and
security is becoming more and more challenging in this fierce
competition.
To conclude, I will not blame the certification but would definitely
look forward to some kind of a benchmark against which an organization
can be tested for its readiness to different kinds of threats and
risk.
Regards,
Vijay Upadhyaya
> On 5/25/07, Vijay Mukhi <vmukhi (at) vsnl (dot) com [email concealed]> wrote:
> > Dear All
> >
> > I know of companies that have received the ISO 27001 certificate and
> > the next day been hacked or had their security compromised. For some reason
> > there is the belief that if you are certified then you are more secure. At
> > least in India this is what senior management thinks. I believe that over
> > time this will give certifications a bad name. How do we delink the fact
> > that just because you are certified does not make you more secure? There is
> > and can be no magic bullet for e-security that companies can bite. Any
> > responses?
> >
> > Vijay Mukhi
> > CEO
> > Counter Espionage Officer