Comments on: Implications of The New School

By: dre

dre — Tue, 25 Mar 2008 11:34:55 +0000

@ Chris:

Are there others that have a FOIA in place for data breach information? Maybe it would be neat to map each of these state-by-state policies with the CSOonline.com interactive map, which is discussed and highlighted on this article regarding Data Breach Notification Laws. Another interesting idea would be to get this involved at the state/federal legislature on disclosure policies.

By: Chris

Chris — Thu, 20 Mar 2008 15:40:00 +0000

ITIL/COBIT are great to establish credibility, and for providing a common vocabulary/taxonomy across organizations, so that fruitful discussion can occur. It is easy, however, to get mired in process /bureaucracy, and lose sight of the objective. As a pragmatist, I found Visible Ops awesome for cutting to the chase, and providing the proverbial actionable guidance. This is purely on the ops side. With respect to building security in, I need to do more focused reading.

Unrelated note: I still have several hundred pages of breach reports to scan in, and I have letter to send to NY and NC for more. Now that I know you’re watching, I’ll try to get my ass in gear :^)

By: dre

dre — Wed, 19 Mar 2008 13:08:12 +0000

@ Adam & Shoaib:

I suggest that you both read my blog post on Building a security plan, where my issues with ITIL and COBIT are addressed.

Largely, they are too operational to be useful by themselves. A good security plan must be strategic and tactical as well an incorporate other operational aspects.

By: Shoaib Yousuf

Shoaib Yousuf — Tue, 18 Mar 2008 04:42:20 +0000

Dre,

Thanks for your valuable feedback on the book. I enjoyed reading your review.

I will definitely try to read this book.

I will slightly disagree with your comments on ITIL and COBIT as mentioned by Adam. I do agree, ITIL is a pest and much organization is using it with or without any benefits. I agree with Adam comments, if we properly test, analyse and implement it we will definitely get good benefits out of it.

Cheers

Shoaib

By: Adam

Adam — Tue, 18 Mar 2008 02:24:44 +0000

Thanks for the review Andre!

I wanted to respond to your question of why we didn’t talk about security in software development. I’m also passionate about it. Not only is it my day job, but as far back as 1996, I put a set of Code Review Guidelines online. My last startup was Reflective, and Reflective has some very happy customers. (I’m no longer involved, but hold an interest in the company.)

So all that said, the field is maturing. Over time, will it get mature enough that there will be data supporting it as a widespread practice? I think so. But if I’d said that, I’d have risked coming off as a shill for my day job. So we decided to leave it aside.

Second, regarding ITIL and COBIT, we don’t want to throw them out the door, we want to see them tested, analyzed, and improved. The work by the ITIL institute that we quote shows some have much higher value than others.

Again, thanks for the review, and we’re glad you enjoyed it!