Friday, February 11, 2011

Unethical Security Professional is a contradiction in terms

This is a post I never thought I would write. That I never thought I would have to write. Let me start with a quote from the CISSP Code of Ethics

Code of Ethics Canons:

  • Act honorably, honestly, justly, responsibly, and legally.
  • Provide diligent and competent service to principals.
  • Advance and protect the profession.

Thursday, November 18, 2010

Time flies...

It's hard to believe I haven't updated this in over six months! You might wonder why that is, though I suspect most people who read this also read my personal blogs and already know about the whirlwind that has been the latter half of 2010.

If you pay attention to things like author bios, you will have noticed that mine changed in July: I have a new job. I'm now the guy hiring the consultants to perform assessments rather than the consulting auditor, and there have been a million things to learn about my new environment. There have also been a million things happening in my personal life -- nearly all good -- that have also required my attention.

I'm not saying things are stabilizing, but I am saying I have been doing more writing of late, and if I can I'll be picking things back up, here. In the meantime, if you're a newcomer, why not read through the past articles? I've tried to choose topics that will take some time to go stale.

Sunday, May 2, 2010

Something different: An information security parable

Usually, when we write about risk management, we talk about money. Lots of risk has to do with money, so that makes sense. But there's something lost, as well. This occurred to me this morning:

Death is the only promise we have in this life. Many religions make promises about life after, but I'm talking about this life: death is the only promise we have in this life. Some say taxes are promised, but even governments fall. I tell you three times: Death is the only promise we have in this life. To paraphrase Freddie Mercury, "Who dares to love, when love must die?"

And yet, who does not love?

As terrible as the price of love is, the price of not loving is greater still. That, my friends, is also risk management.

This, incidentally, touches on why my posting here has slowed a bit of late -- work's picked up a bit, and that time has to come from somewhere. Part of my risk management is taking as little of that time from my loved ones as possible.

I hope you enjoyed your Beltane or May Day or what have you as much as I've enjoyed mine.

Thursday, April 22, 2010

Spycamgate Update: Getting worse and worse

Some time has passed since the last time I mentioned Spycamgate, the case of the rural Pennsylvania school at which an assistant principal was secretly activating the cameras built into the school-distributed laptops and watching kids in their bedrooms at home.
Security Management magazine is reporting that it's worse than initially thought.

Tuesday, April 6, 2010

PCI III: Addressing the Criticisms of the PCI DSS – Scope of Protection

In Part II of my PCI series, I listed the criticisms of the PCI DSS I've heard to date and asked readers to add to the list. Nothing has been added so far, so I'm going to address the list I have. If more criticisms are raised later, I'll address them at that time.

Tuesday, March 30, 2010

Governance Part 4: Standards

We’ve covered how management uses policies to govern an undertaking, whether that’s a business, a household, or one’s career. Today we’ll continue the Governance series with a look at standards and how they bridge the gap between executive ideals and technical practicality.

The relationship between a policy and a standard is similar to the relationship between a vision and a mission:

Monday, March 22, 2010

PCI II: Criticisms of the PCI DSS

Having given a very brief explanation of the PCI DSS standard and how the credit card industry manages its risk by requiring merchants who want to accept credit cards to adhere to it, I'm going to continue this series by discussing the controversy surrounding the standard.