Interesting bit of a quote

dan at geer.org
Tue Jul 11 14:14:36 EDT 2006


Jerrold,

I can corroborate the quote in that much of SarbOx and
other recent regs very nearly have a guilty unless proven
innocent quality, that banks (especially) and others are
called upon to prove a negative: X {could,did} not happen.
California SB1386 roughly says the same thing: If you cannot
prove that personal information was not spilled, then you
have to act as if it was.  About twenty states have followed
California's lead.  The surveillance requirements of both
SEC imposed-regulation and NYSE self-regulation seem always
to expand.  One of my (Verdasys) own customers failed a
SarbOx audit (by a big four accounting firm) because it
could not, in advance, *prove* that those who could change
the software (sysadmins) were unable in any way to change
the financial numbers and, in parallel, *prove* those who
could change the financial numbers (CFO & reports) were
unable to change the software environment.

Jeffrey Ritter, partner in the "electronic" practice at
(big-name) D.C. law firm Kirkpatrick & Lockhart gave the 
major address at the annual meeting of the Cyber Security
Industry Alliance recently.  In it he said that what he
and his firm tell their (big-name) clients is this:

	* That which was not recorded did not happen.

	* That which is not documented does not exist.

	* That which has not been audited is vulnerable.

and he did not mean this in the "paths to invisibility"
sense but rather that you have liability unless you can
prove that you don't.

While one can say that this has always been true or that
the insider has always been the real threat, or whatever
variation you like, as a consultant for nearly two decades
the burgeoning "prove a negative" focus feels unprecedented
to me.  And it is not just our field -- today's Boston
newspaper has the State of Massachusetts' building inspectors
being suspended en masse for refusing en masse to accept
GPS position tracking as a newly imposed job requirement.
By next summer, every animal in the country is supposed to
be chipped and the owner's home address recorded in GPS
form (google for NAIS) with a requirement to file with
USDA any off premises transportation (taking the kids'
heifer to the 4H show included).

--dan

===========
The great distinction: 
A conservative is a socialist who worships order.
A liberal is a socialist who worships safety. 
                        -- Victor Milán, 1999

