Wednesday, April 17, 2013

Which certification should I get for my organization to prove it's "secure"?

Of course, we all know you can't prove anything is secure. The best you can hope for is to prove that a specifically scoped set of things was tested against a specific set of criteria at a specific point in time. And the quality of that testing definitely varies.

But anywho, the big well-known ones are:

The answer: Whatever certification your customers/regulators/suppliers will accept.

That's it. It ain't about validity or rationality or what is economical or appropriate or truthiness. No matter what you do, if you don't do the one your third parties are asking for, they won't be satisfied.

Of course, some folks choose none of the above and simply say "hey, just come audit me," but that has a price too.

In the end, it'll always be a trade-off between what you do for compliance and what you do for security. The trade-off could be big or small, but we know that no standard fits every organization, and this is just what you have to do.