The Black Book of Identity Access Mgmt
    Thursday, Jun 09, 2011

    Secure? Compliant? PROVE it

    For a recent trip with the family to Washington DC, we ended up in the line at O'Hare with the full body scanner. EVERYBODY associated with this thing was an IDIOT. In theory it should make things quicker, but the TSA staff acted like children with the thing, and our line quickly got backed up in a big way.

    Everyone in line was told, take EVERYTHING out of your pockets, metal or otherwise. Suffice it to say, hardly anybody understood the definition of the word "everything." This further held things up.

    Then literally everybody who went through the line was asked on the other side, "Do you have anything in your pockets?" By that time, the answer for everybody was no. And then the TSA geniuses frisked everybody ANYWAY. I always say, do what you gotta do, and let me outta here. My wife, on the other hand, wasn't too pleased with being groped by strangers.

    I had to ask them the rhetorical question, "If you're going to ask people about their pockets and then frisk everybody ANYWAY, what is the freaking point of the scanner?"

    There's only one place where this idiotic, paranoid approach to security really counts: regulatory compliance. I always say four things about compliance:

    1) reporting does not equal compliance

    2) being secure doesn't mean you're automatically compliant

    3) being compliant doesn't mean you're automatically secure

    4) it's not enough to BE compliant; you have to PROVE you're compliant


    Auditors don't care if you have all the policies in the world locking down your systems. They want to see the reports. You have to BE compliant, and you have to PROVE compliance. In fact, it may not be enough to generate the reports on successes and failures. They may very well want to see the proper time/date stamps on those reports, to show that you created them at the right points in time, and that presumably you looked at them. Remember, you create the policies to regulate behavior, report on that behavior, then refine those policies to deal with unexpected behavior. If you don't look at the reports when they're relevant, then you're not really doing the job.

    I'll say this much for auditors: at least they usually keep their hands to themselves.
