Good point!
60 Minutes did a segment on how many US companies and organizations are cyber security compliant, via ISO27000, versus euro companies. The number in the US was pitiful. A few years ago, everyone with a government security clearance had “ALL” their security information hacked. The lack of prevention should be a basis for criminal negligence with the witnessed punishment phase subcontracted to Kim Jong via a good neighbor program. That will help with the arrogant attitude of the IT professionals and company executives responsible for our data security and repercussions from its misuse and lack of accountability.
ISO 27000 - ISO 27001 and ISO 27002 Standards
ISO27K isn't even a very high bar to reach.
On the other hand, though, not pursuing ISO compliance does not necessarily mean that your company isn't secure. It's a certification that costs money and there are many competing certifications and compliance standards. Basing a conclusion like, "EU has more companies that invest appropriately in security than the US" solely on ISO compliance isn't really a good measure.
What an ISO certification actually means also varies a lot depending on who the auditor is. The company being certified is the one paying the auditor so there is an inherent conflict of interest there. Bigger auditors who have more to lose than one customer will (a lot of times) do a better job than smaller shops. At the same time, some of the big shops pay kids who are barely out of college to do all the hard work while they collect massive checks.
None of this is to say ISO certification is worthless (I don't mean that at all), but there is definitely a lot more to it than might be apparent.
The federal government has its own shockingly FANTASTIC and well maintained security compliance standard (NIST 800-53), but unfortunately it seems to be more critical for contractors to follow than the government itself. Something like Clinton (and Powell before her) using their own email servers for work is such a basic violation of good security practices, I can't even imagine what else must be going on.
Honestly, voters should demand independent audits against NIST 800-53 for any government agency that wants to collect their information and should be empowered not to provide that information if the agency cannot maintain compliance. Won't happen, but it should be that way.
I'll avoid ranting about security further in this thread.