
Re: Interest in ISO 27001 audit/certification for the Debian Project?



Tollef Fog Heen <tfheen@err.no> writes:
> ]] Russ Allbery 

>> Certification compliance is not something I would ever work on without
>> being paid, personally. It is not enjoyable or fun; it's a job whose
>> only real benefit is the paycheck you get for doing it. That's of
>> course just my personal opinion; maybe someone out there finds filling
>> out ISO 27001 paperwork a great way to spend a lazy Saturday afternoon.

> I'm obviously not going to tell you what you enjoy or not, but I think
> that's a poor (but sadly quite common) way of doing compliance
> work. Compliance work should be like running make check – it's a way of
> testing that your procedures are actually as expected and provide
> verification that the security properties you put into the system still
> hold.  If it's compliance for compliance's sake, it'll be thrown out the
> window at the first opportunity.

I'm not sure I understand what you're characterizing as a poor way of
doing compliance work. Oh, maybe you're saying that compliance shouldn't
only be a paperwork exercise?

Sure, that's certainly true, and when I worked on compliance, it wasn't.
We built as much of compliance as possible into our software and automated
generating the information required for proof of compliance. The goal was
to ensure, wherever possible (it's not possible everywhere), that a
computer was enforcing the correct process rather than a human having to
remember it, and a computer was keeping all the necessary audit trails and
generating the compliance reports.

I think this was doing compliance properly? I don't think it was a poor
job. There was still a lot of paperwork (which, lucky for me, was mostly
done by other people).

Nonetheless, it was work, for which I was paid, and which was not
interesting or satisfying in its own right, and while some of it is simply
necessary to do a good job (similar to how writing a test suite can be
tedious but is necessary to do a good job of software development), a lot
of the necessary outputs (and audit meetings!) are just annoying or
involve effort to reward trade-offs that are hard to justify unless you
care about the compliance certification specifically.

> As an example, and as someone who holds some keys in Debian (such as the
> cert used to sign uploads to MS for shim signatures), I'd not be
> particularly interested in spending time documenting or proving to an
> auditor what my security controls for that particular key are.

See, right, this is exactly my point. I have done work like this before,
but it's not something I'm going to do for free, because it's tedious and
annoying. If we want some sort of make test for our procedures, which is
certainly a rational thing to want, we'll need to figure out some way to
do it that's less tedious and annoying than (at least my experience with)
audit and compliance frameworks.

There is to some extent a reason for why those audit and compliance
frameworks do things the way they do, and not all of it is an outgrowth of
formalism or bureaucracy. They probably do catch some things that less
formal and more streamlined approaches don't. But locking down those last
few percentage points of security is a lot of work that we are going to
have a pretty hard time finding someone to do for free. People who really
care about that should be prepared to pay for it, which also has
implications for who should be doing it and how to structure that work.

-- 
Russ Allbery (rra@debian.org)              <https://www.eyrie.org/~eagle/>

