Proving you are secure over compliance

I am a follower of David Lacey and his school of thought. He was an initiator of the BS7799 standard, later adopted as ISO27001/2 in the EU. At the beginning of September I participated in a telepresence conference with him and many others from the BCS around the globe. This was organized by David Misell. The telepresence brought together many influential thought leaders in information and cyber security.

This one meeting has influenced much of my thinking since. It is impossible to prove you are compliant. Even if you follow the rule book, you cannot prove you are 100% compliant, even with the best and most dedicated security consultants in the world, especially on the large accounts that I am normally exposed to. Moreover, even if you could, proving you are compliant does not prove that you are secure.

So what is the answer? Well, as David Lacey believes, smart use of technology is part of a way forward. For example, did you know that over 85% (maybe more) of PCs shipped today have a chip that supports trusted computing (TPM), and that Intel has acquired companies such as McAfee (DeepSafe and DeepCommand) and Nordic Edge (One-Time-Password, OTP)? They are placing security at the chip level.

Now, what if you could prove your organization is secure by implementing secure technologies (note that I don’t say security)? This is getting close to what the Common Criteria is trying to do, but it never really succeeded on a wide scale because it just became too complicated, and the customizations made by individual organizations, each with special needs, made any CC status assigned void. I believe that security at the chip level is an amazing step forward, and more companies should be looking into this, particularly when they are finding their existing IAM infrastructure is just getting too complex.

Happy bunny finds iPhone

Well, so here I am preaching on the dangers of location services, and I enabled this service eventually, just two weeks ago, on my iPhone. It started to get quite convenient with the purchase of my personal MacBook Air (11″), and then I synced everything into iCloud. Furthermore, I often lose my mobile phones; you know I have two, one for work and the other for personal use… just as I now have again my HP PC for my work and my beloved Mac for my playtime.

Well, today I used the service. I couldn’t find my iPhone. I really thought this time I’d blown it, lost it, and it was lying somewhere lost. And I was hoping… did I enable that service, or did I do as usual and decide not to? I had enabled the service, and I found my iPhone. So I’m a happy bunny today… although still torn by the dilemmas that personal privacy presents, i.e. convenience and safety vs. personal privacy.