OSEC

From: Randy Taylor (gnu_at_charm.net)
Date: Mon Jan 13 2003 - 09:27:11 CST

    At 07:14 PM 1/10/2003 -0500, Graham, Robert (ISS Atlanta) wrote:
    >Common Criteria is for those who believe that "security is a process".
    >
    >Security is not a process. There is no silver bullet that will protect
    >you. The Common Criteria process is not a silver bullet.

    Security is very much a process. It has a scope that encompasses
    many concepts that are not addressed from the understandably
    narrowed focus found in vendor space. Here are just a few of the
    many issues I'm dealing with these days:

    - User education, awareness, and training
    - Security policy - network and physical
    - Application data flows
    - Firewall rules
    - HIDS deployment
    - NIDS deployment
    - Anti-virus deployment and management
    - Incident response
    - Router and switch hardening policies
    - Life-cycle management of all the above and then some

    Without a process view of a system like this, none of it
    works together the way it was intended in the initial design.

    Bruce Schneier speaks to the "security is a process"
    position better than I, but I did want to take a moment to
    point out some areas that many folks overlook when they
    talk about security. The broad-scope view makes it all look
    easy. It's the details that get you killed, figuratively speaking.

    I agree there is no single "security silver bullet". If there
    were one, it certainly would not be Common Criteria. It wouldn't
    be just "IDS", "Firewall", or "Anti-Virus", either. Without a
    process-oriented approach to security, the "gun" is in the hands
    of the enemy rather than in ours.

    Best regards,

    Randy
    -----
    "If you are going to sin, sin against God, not the bureaucracy.
      God will forgive you but the bureaucracy won't."
      --- Hyman Rickover ---