An interesting point was made the other day by Joel Scambray in a presentation that he gave to the WTIA Security SIG. How many tests does a doctor do when you go in for a checkup? The number is around 8: weight, blood pressure, etc. Of course, this will not diagnose some ailments, but even if you take the Pareto principle and say that it gives a trained practitioner a good guess at 80% of the common things that could be wrong with someone who walks into their office - that's a pretty good outcome.
If that is the case, given the complexity of the human body, then why do most information security frameworks (ISO, COBIT, PCI) have over 100 (in some cases over 200) individual controls? Can't we just ask 8-10 questions and get a good feeling for 80% of the major things that are wrong with an information security or privacy program?
If we can - what are those key 8-10 questions that would help us to determine if we need to get a specialist involved to do more detailed testing?
Looks like privacy does have a price - at least if you're David Letterman. It appears that Letterman was the subject of a blackmail plot, and as part of the fallout he has had to relinquish some of his privacy - namely, the fact that he had been sleeping with some of the women who worked on his show (although at this point in time, it is not clear how many women or when this occurred). Obviously this information would have come out when the alleged blackmailer ended up in court - and at least some credit goes to Letterman for the chutzpah to break the news on his show this week. The whole incident did leave me wondering, though - how much would have to be at stake for me to expose previously unknown information about me that could threaten my job, my marriage and my reputation? It's a question that I hope never to have to answer in reality.