Common practices or best - Which is it?
This tip was submitted to the searchSecurity Tip Exchange by user Ken Shaurette.
Has your company ever wondered what is meant by "due diligence" or "industry standard"? Did you ever wonder what constituted a "best practice"? If the method is best, by whose definition is it "best"? Wouldn't an "accepted practice" be a better description? A few months ago, a group of Certified Information Systems Security Practitioners (CISSPs) found they were debating those very questions and decided to do something about it.
As one of those participating in the discussion, I have to admit the need to establish practices that are perceived by the industry as good practices makes a lot of sense. A group of CISSPs from several industries started a project to begin documenting these practices. The decision was to title it CASPR, Commonly Accepted Security Practices and Recommendations.
Having been in the information security business for almost 20 years, I have found myself many times looking for help. Years of experience in our changing field does not necessarily guarantee you current information on all the domains that are covered by information security. So, you seek the help of other professionals who have experienced and implemented what they have found to be good practice. If you don't ask someone directly, you go attend training
In my opinion, building documentation on good security practices for all the industry to share is long overdue. Sure, you could find some here and there, scattered about the Net, but what made it a "best" practice? I heard it said once: "I found it on the Internet, so it must be true!" That explains one reason why it makes sense to describe this group as putting together common accepted practices, rather than "best." A group can reach consensus that a practice is acceptable, but may never reach agreement on whether that practice is best or what someone else's version of a practice is.
Is the CASPR project reducing the value of intellectual property for consulting organizations? In my opinion, that is not the issue. The value of the consulting organization is not in whether they have documentation of good practices, but whether they can deliver the expertise to implement the practices. The documentation done by this project is a valuable step toward accomplishing some of the activity started by the National Infrastructure Protection Center, as well as meeting the code of ethics canon of the CISSP certification, "Protect society, the commonwealth and the infrastructure."
If you are curious about this project or want to participate, visit http://www.caspr.org or check out Yahoo groups (casprproject) to join the project.
This was first published in July 2001