Recent Readings (and listenings)

6 08 2007

I recently finished two books (OK, one of them was audio), The Long Tail: Why the Future of Business is Selling More by Chris Anderson and Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks by Michal Zalewski. While they are very different, they were both good reads and very appropriate topics for this blog. I would recommend both to regular readers here.

Ever since I finished The Long Tail a couple of weeks ago, I had been meaning to post on it and what it means for information security. Well, while I was busy with other things, a couple of people went and did just that. Over the weekend Mark Curphey wrote a two-part post which sums up the book and how it relates to our field at a high level. Part 1 is here and Part 2 is here. I encourage you to read his posts if you have an interest in the economics of information security.

Another area that came to mind while reading this book (sorry, listening to this book) was the ever-present topic these days of compliance. Organizations today have a number of regulations and laws that they must comply with in a given industry or geographic region. Some of these requirements make economic sense for the business; others are there to control the negative externalities of security. After reading (argh! LISTENING to) The Long Tail, I spent some time wondering how a set of tools, processes, etc. could make compliance economically sound, and a choice organizations would make regardless of outside requirements (laws, regulations, etc.).

I would like to challenge readers of this post to come up with some new ideas that would take these requirements, which traditionally go against the rules of risk management, and make them more economically sound for YOUR organization. The key here is that every organization is different. What may make economic sense within mine makes little to no sense in yours. That’s what makes the “one size fits all” approach of several regulations difficult for most companies today.

Have an idea? Post it here in a comment or send me an email!





One response

19 09 2007
Andrew Law

Hi,
At Microsoft, we use a tool called SPIDER to scan systems and map business compliance requirements to control objectives and different types of ‘evidence’ on a box. This evidence can range from patches to certain revs of software or services running on a box.
Here is a reference to the tool
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9004738

However, it hasn’t been “productized”. It is used in some of our consulting engagements for other customers.

The article doesn’t do the tool justice, as it looks just like some kind of host scanner.

The magic of the tool is that it lets you define any compliance metrics you like (SOX, HIPAA, PCI, etc.) in the tool.
Every company is different here, so you can define your own compliance metrics as you like.

When the scan is complete, you get a report showing the results, and how many systems meet the compliance requirements you defined.
We currently license this tool through our ACE Security Services division.

BTW – I don’t represent Microsoft in this post (and I’m not a SalesGuy!)
