got privacy?  Musings on the state of Privacy in a connected world.
An interesting point was made the other day by Joel Scambray in a presentation that he gave to the WTIA Security SIG.  How many tests does a doctor do when you go in for a checkup?  The number is around 8: weight, blood pressure, etc.  Of course, this will not diagnose some ailments, but even if you take the Pareto principle and say that it can give a trained practitioner a good guess at 80% of the common things that could be wrong with someone who walks into their office, that's a pretty good outcome.

If that is the case, given the complexity of the human body, then why do most information security frameworks (ISO, COBIT, PCI) have over 100 [in some cases over 200] individual controls?  Can't we just ask 8-10 questions and get a good feeling for 80% of the major things that are wrong with an information security or privacy program?

If we can, what are those key 8-10 questions that would help us to determine whether we need to get a specialist involved to do more detailed testing?
10/12/2009 12:25:19 am

Agreed. I really think we still are in the beginning "decade" of security awareness. 8 checkpoints would be great for any business. Wouldn't it be great if you went to their website and it had a small slide at the bottom that indicated their security health?