From: Foster, Douglas (Douglas.Foster_at_occ.treas.gov)
Date: Fri Jan 17 2003 - 21:21:21 CST

    -----Original Message-----
    From: Graham, Robert (ISS Atlanta)
    To: Randy Taylor; focus-idssecurityfocus.com; idsmailman.vet.com.au
    Sent: 1/17/03 1:37 PM
    Subject: RE: [IDS] IDS Common Criteria

    >From: Randy Taylor [mailto:gnucharm.net]
    >>I agree with you that CC and a process-oriented security approach
    >>are different "things" in and of themselves.

    >They are the same. It seems you haven't understood either of my previous
    >messages (sorry, I probably phrased them poorly).

    >My argument is essentially: Common Criteria Evaluation is an example of
    >good process, but it is generally bad -- therefore process is generally
    >bad.

    So if A is B, and A is C, B is C???? I don't think so. That thinking isn't
    even close. Especially since a good over-arching security process is not A,
    not B and not C, but D. This is the crux of the problem. There is one
    general security process with many sub-processes. The CC is but one
    sub-process. It is a good sub-process for some situations. The fact that
    it is not workable for all situations does not mean the over-arching
    security process is bad. It only means the CC is not universally practical.

    >A small amount of process is worth the cost. However, many have jumped
    >on "security is a process" in order to burden their organizations with
    >overweight processes. Moreover, narrow-minded bureaucrats often use
    >"security is a process" to prevent talented/educated people from
    >actually getting their job done -- with a detriment to an organization's
    >security. I see organization after organization where process is the
    >enemy of security.

    There are many poor processes in the world. There are also many good
    processes. It sounds to me like you are not distinguishing between the
    two.