Listed below are links to weblogs that reference Chesterton's Fence, Compliance and Opportunities Part 1 - Outsource Compliance:

Comments

riskpundit

Interesting post. I like the dental care analogy. However, your point about commoditization is way off the mark. Toothbrushes do a poor job of preventing plaque build-up, which causes periodontal disease. A good dentist will recommend Sonicare. The motor (reusable part) is 50x the cost of a toothbrush, and the brush part is 5x the cost of a toothbrush.

By the same token, commodity firewalls which only use IP, port, and protocol for policies are pretty much useless against moderately technical adversaries and controlling hundreds (thousands?) of off-the-shelf applications that port hop and/or share ports.

My point is that the security team needs to specify firewall requirements as well as audit the results.
