Friday, February 24, 2006

Again, on security vs compliance

Folks often argue whether "if you are in compliance [without specifying 'with what regulation'], it means you are secure" or "if you are secure, it means you are in compliance" or the first does not mean the second at all ... I am picking up some signs that the perception (and in this case, "perception is reality"...) is shifting towards "security means compliance, compliance does not mean security."

The article below talks about FISMA compliance, where it seems that neither one means the other...

'The high grades could mean a lot of compliance, but not a lot of security. The low grades could mean that there's plenty of security in place, but it just wasn't verified on paper properly.'

Dr Anton Chuvakin