Re: Interest in ISO 27001 audit/certification for the Debian Project?
]] Russ Allbery
> Tollef Fog Heen <tfheen@err.no> writes:
>> ]] Russ Allbery
>
>>> Certification compliance is not something I would ever work on without
>>> being paid, personally. It is not enjoyable or fun; it's a job whose
>>> only real benefit is the paycheck you get for doing it. That's of
>>> course just my personal opinion; maybe someone out there finds filling
>>> out ISO 27001 paperwork a great way to spend a lazy Saturday afternoon.
>
>> I'm obviously not going to tell you what you enjoy or not, but I think
>> that's a poor (but sadly quite common) way of doing compliance
>> work. Compliance work should be like running make check – it's a way of
>> testing that your procedures are actually as expected and provide
>> verification that the security properties you put into the system still
>> hold. If it's compliance for compliance's sake, it'll be thrown out the
>> window at the first opportunity.
>
> I'm not sure I understand what you're characterizing as a poor way of
> doing compliance work. Oh, maybe you're saying that compliance shouldn't
> only be a paperwork exercise?
Yes. A bit like you probably shouldn't be writing tests for trivial
getters and setters in languages that use those to get a high test
coverage percentage, but rather having tests for places where there's
actual risk.
> Sure, that's certainly true, and when I worked on compliance, it wasn't.
> We built as much of compliance as possible into our software and automated
> generating the information required for proof of compliance. The goal was
> to ensure, wherever possible (it's not possible everywhere), that a
> computer was enforcing the correct process rather than a human having to
> remember it, and a computer was keeping all the necessary audit trails and
> generating the compliance reports.
Somehow, I'm unsurprised by you doing compliance work in a good way. :-)
But also, you seem not to be doing/have done it in a way where the only
benefit is the paycheck, but rather where it drives actual benefits.
[...]
> See, right, this is exactly my point. I have done work like this before,
> but it's not something I'm going to do for free, because it's tedious and
> annoying. If we want some sort of make test for our procedures, which is
> certainly a rational thing to want, we'll need to figure out some way to
> do it that's less tedious and annoying than (at least my experience with)
> audit and compliance frameworks.
Yup. (I'm not sure I'd want to do it for Debian even if I were paid,
but that's both a separate discussion and obviously a position of
privilege to be able to hold.)
--
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are
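The "compliance as `make check`" idea discussed above, in runnable form: a couple of controls expressed as tests over a host configuration, each producing an audit record with a hash of the evidence it inspected, and a report generated from those records rather than written by hand. This is an added example, not code from either author or from the Debian project; the control identifiers, the sample sshd_config snippets and the report layout are constructed for illustration and do not represent any real policy text.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample input: a minimal sshd_config as it might be found on a host.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin no
PasswordAuthentication yes
X11Forwarding no
"""

# The same file after the hypothetical policy has been applied.
SAMPLE_SSHD_CONFIG_FIXED = SAMPLE_SSHD_CONFIG.replace(
    "PasswordAuthentication yes", "PasswordAuthentication no"
)


def parse_sshd_config(text):
    """Return {directive: value}; a later occurrence overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)  # directive, then the rest (tabs or spaces)
        settings[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def check_root_login(config_text):
    """Hypothetical control: root login must be explicitly set to 'no'.

    A missing directive is treated as a failure on purpose: the check wants
    explicit evidence, not a guess about the daemon's built-in default."""
    value = parse_sshd_config(config_text).get("PermitRootLogin")
    return value == "no", f"PermitRootLogin is {value!r}"


def check_password_auth(config_text):
    """Hypothetical control: password authentication must be explicitly 'no'."""
    value = parse_sshd_config(config_text).get("PasswordAuthentication")
    return value == "no", f"PasswordAuthentication is {value!r}"


# Constructed control catalogue: identifier, description, check function.
CONTROLS = [
    ("SSH-01", "Root login over SSH is explicitly disabled", check_root_login),
    ("SSH-02", "Password authentication over SSH is explicitly disabled", check_password_auth),
]


def run_controls(config_text):
    """Run every control and keep an audit record per control.

    The record carries a SHA-256 of the exact evidence examined, so a later
    reviewer can tell whether the configuration changed after the check."""
    digest = hashlib.sha256(config_text.encode()).hexdigest()
    checked_at = datetime.now(timezone.utc).isoformat()
    records = []
    for control_id, description, check in CONTROLS:
        passed, reason = check(config_text)
        records.append({
            "control": control_id,
            "description": description,
            "passed": passed,
            "reason": reason,
            "evidence_sha256": digest,
            "checked_at": checked_at,
        })
    return records


def compliance_report(records):
    """Aggregate the audit records into the report an auditor would ask for."""
    findings = [r for r in records if not r["passed"]]
    return {
        "generated_at": datetime.now(timezone.utc).isoformat(),
        "controls_checked": len(records),
        "passed": len(records) - len(findings),
        "failed": len(findings),
        "compliant": not findings,
        "findings": [{"control": r["control"], "reason": r["reason"]} for r in findings],
    }


if __name__ == "__main__":
    # Running the checks is the whole compliance step; the report is a by-product.
    print(json.dumps(compliance_report(run_controls(SAMPLE_SSHD_CONFIG)), indent=2))
```

The point of the structure is that each control is a function that inspects the real artefact and returns a verdict with a reason, so the same code both enforces the expectation and produces the evidence; the report never has to be assembled from memory. The two controls here only cover sshd_config because that is enough to show the shape; real catalogues would be larger and would read files or query services rather than embedded strings.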