]] Russ Allbery

> Tollef Fog Heen <[email protected]> writes:
>> ]] Russ Allbery
>
>>> Certification compliance is not something I would ever work on without
>>> being paid, personally. It is not enjoyable or fun; it's a job whose
>>> only real benefit is the paycheck you get for doing it. That's of
>>> course just my personal opinion; maybe someone out there finds filling
>>> out ISO 27001 paperwork a great way to spend a lazy Saturday afternoon.
>
>> I'm obviously not going to tell you what you enjoy or not, but I think
>> that's a poor (but sadly quite common) way of doing compliance
>> work. Compliance work should be like running make check – it's a way of
>> testing that your procedures are actually as expected and provide
>> verification that the security properties you put into the system still
>> hold. If it's compliance for compliance's sake, it'll be thrown out the
>> window at the first opportunity.
>
> I'm not sure I understand what you're characterizing as a poor way of
> doing compliance work. Oh, maybe you're saying that compliance shouldn't
> only be a paperwork exercise?

Yes. A bit like you probably shouldn't be writing tests for trivial
getters and setters in languages that use those to get a high test
coverage percentage, but rather having tests for places where there's
actual risk.

> Sure, that's certainly true, and when I worked on compliance, it wasn't.
> We built as much of compliance as possible into our software and automated
> generating the information required for proof of compliance. The goal was
> to ensure, wherever possible (it's not possible everywhere), that a
> computer was enforcing the correct process rather than a human having to
> remember it, and a computer was keeping all the necessary audit trails and
> generating the compliance reports.

Somehow, I'm unsurprised by you doing compliance work in a good way. :-)
But also, you seem not to be doing/have done it in a way where the only
benefit is the paycheck, but rather where it drives actual benefits.

[...]

> See, right, this is exactly my point. I have done work like this before,
> but it's not something I'm going to do for free, because it's tedious and
> annoying. If we want some sort of make test for our procedures, which is
> certainly a rational thing to want, we'll need to figure out some way to
> do it that's less tedious and annoying than (at least my experience with)
> audit and compliance frameworks.

Yup. (I'm not sure I'd want to do it for Debian even if I were paid, but
that's both a separate discussion and obviously a position of privilege
to be able to hold.)

-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are

