learn linux and unix commands - unix shell scripting

The value of online professional discussion fora


 
Thread Tools Search this Thread
# 1  
Old 09-08-2008
The value of online professional discussion fora

An interesting discussion thread on the ISO27k Implementers' Forum started with a simple question regarding whether it is necessary, for audit purposes, to obtain a certificate of destruction from a company tasked with disposing of confidential waste.

The first few answers were binary:

  • Yes, a certificate of destruction is necessary and, along with a contract specifying the disposal requirements, is common practice; or
  • No, because a certificate from a third party doesn't give sufficient confidence in the process (destruction should be witnessed and certified by the customer not the supplier).
I then pointed out that the original question begs too many questions to answer definitively, e.g.:

  • How do we know the disposal contractors are doing what they says they are doing, consistently well?
  • If we are going to transfer the risk of unauthorized disclosure of information to them, are they in fact sufficiently competent to handle it?
  • How trustworthy are they, including their employees, subcontractors and other service providers involved in the process (e.g. couriers)?
  • What might the consequences be if the materials are partially or completely "lost", diverted or substituted en route to the destruction facility? ...
Today, someone directed us to a challenge on offer for professional US data recovery firms to demonstrate their ability to recover data from a hard drive overwritten simply with all zeroes using the UNIX dd command, going against accepted wisdom that multiple overwrites with random data are necessary for secure data disposal. [I'll leave aside the question of whether the $500 prize and publicity for the challenge winner would be anything like enough to justify the cost of forensic analysis and recovery techiques.]

The key point is that there are many parameters and issues involved in secure data destruction depending on the level of security required and one's perceptions of the threats, vulnerabilities, value of information and potential impacts of control failures and incidents that may arise. It's not possible to give definitive advice on the suitability of specific information disposal methods without a lot more information about the risks.

This discussion also neatly illustrates two other concurrent ISO27k Implementers' Forum threads, one on risk analysis (now arguing the pros and cons of quantitiative vs qualitative RA methods and the constraints due to lack of factual knowledge) and another on the value of checklists (simplistic checklists generally encourage binary yes/no answers, when in fact information security is multidimensional and analogue in many respects).

All of these discussions highlight just how hard it is to write generic international standards for information security. We are discussing one relatively simple control among the hundreds noted in ISO/IEC 27002. You can probably imagine the kinds of issues that arise when international committees of experts collaborate to write, review and publish the standards. That the end results are neither totally bland nor full of options and contradictions says a lot for the editors' skills and persistence ... which reminds me of a current thread on the CISSP Forum discussing the folly or value of "best practices".

Bottom line: there's a lot to be gained from actively participating in online professional fora. Are you engaged?


Image
Image

More...
Login or Register to Ask a Question

Previous Thread | Next Thread
Login or Register to Ask a Question