DNA database claims
Ian Batten
ukcrypto at chiark.greenend.org.uk
Thu, 31 Jul 2008 09:25:11 +0100
On 31 Jul 2008, at 08:42, Mary Hawking wrote:
>
>> I have found out that there is a Forensic Science Society
>> <www.forensic-science-society.org.uk>
>
> Looking at the website, it doesn't look as though they include data
> security or any other parts of IT in their definition of science.
Nor do many organisations.
I've just finished the triennial review of the 27001 certificate I
maintain. I suspect it's not rigorous enough to satisfy David H, but
it's not a walk in the park, and the fact that as a business we sink
the resources into 27001 and have the board-level sponsorship to stop
projects in their tracks and say "no, that's not going to fly" at
least proves our seriousness if not, of itself, our competence. And
even after three years of work on our ISMS, the fresh set of eyes we
got from the triennial has pointed us in some new and interesting
directions.
Risk Assessments have got themselves a bad name from the public sector
risk-aversion gang, but without a policy describing your security
objectives, a register of the information assets you are protecting, a
register of the risks you see your business as being exposed to, and some
idea of what you're doing about them, how can you do security?
I wouldn't say that 27001 proves that an organisation is taking
security (and, more to the point, security management) seriously. But
I would say that absence of 27001 is a pretty reliable sign that they
aren't. It's like 18001 health and safety: if you're not running
OHSA to the required standard, what the hell are you playing at? And
if you are, why aren't you certified? Or 14001 environmental: if
you're legal, you should be certified, if you can't get the
certification, are you legal?
There's justifiable cynicism about ISO9000, although the sector-
specific variants like TL9000 for telecoms or QS9000 (the former
TS16949) for automotive lay down clear requirements and metrics which
do provide a lot of value for customers. But things like 14, 18, 27
and the new 25999 business continuity standards strike me as basic
floors of competence, and organisations which don't even think
compliance is a worthwhile goal have to be considered suspect.
[[ Disclaimer: rather proud of doing 27001 from scratch, rather proud
of my employer having TL, 14 and 18, currently working on 25 ]]
ian