Farruco <[email protected]> writes:

> Nonetheless, a sound, consistent, updated and properly documented
> Information Security Management System can be of value in any collective
> human endeavour in which cybersecurity is to be heeded, and indeed the
> Debian Project can be argued to fall into that category.
This is one of those statements that is ubiquitous in compliance work to
justify the effort that goes into preparing this document.  I think a lot
of compliance professionals truly believe this.  However, as someone
adjacent to but not part of the process, I am dubious.  I don't think
there's all that much hard evidence that this is true.

I think there is much more evidence that an organization that is capable
of writing Information Security Management System documentation is more
likely to be able to maintain good security.  But that's not the same
thing; the causality goes in the other direction.  Having full ISO 27001
documentation is a form of effort-signaling: you're showing that you care
enough about security to go through the tedium of maintaining formal
documentation.  This does say something about how much you
organizationally value security, or at least the *appearance* of security
(there are criminal enterprises with ISO 27001 certifications), but it's
not the only way to do that.

It is certainly true that having documentation and organizational best
practices is fairly universally of value.  But it is not at all obvious to
me that casting that documentation in the specific format of Information
Security Management System documentation has much value except for getting
compliance certifications.  I suppose there's some benefit in skimming
over the list of things to document to make sure one is not missing
something obvious, but I can almost guarantee that if one then translates
one's documentation into that format, it will quickly become useless.

It's far more important that the documentation be:

- simple and easy to understand;
- easily and quickly maintainable so that it is kept up-to-date; and
- actually followed.
This is more likely if there is a minimum of boilerplate, as little
formality as it is possible to get away with, and a willingness to let the
little things drop rather than trying to comprehensively document
everything and thus ensure the documentation almost immediately becomes
out of date and therefore not trustworthy.

> So, reframing my original question now that I have better context: Do
> you think a scoped, volunteer-friendly external audit (ISO 27001-based
> or other framework) could still be useful, or is the project's security
> already in a good enough shape to afford dismissing such?

Yes, absolutely.  External audits have value; a fresh pair of eyes often
notices things that you've stopped noticing.  And taking a moment to think
through a list of possible risks, sort them, and write down some solid
documentation for how we're addressing the top few, with checklists for
critical operations (if they don't already exist), is generally useful for
any project.

More useful than what people are already doing?  Probably not!  Debian
does not have lots of people, particularly people who already have the
knowledge of Debian required to do this sort of work, sitting around bored
and idle.  But if someone said "I'm going to join one of the relevant
teams and help them with their existing work while writing documentation
of Debian's security practices, making sure that I do enough other work
that the impact on existing members is at least neutral," I would be
entirely in favor.  Sounds great!

I would definitely not say that the project's security is in good enough
shape that I would dismiss something like this!  I don't think our
security is *awful*, but it is certainly on the list of things that we
could be doing better.  (It's a long list; making a distribution is a lot
of work and resources are scarce.)
I think the critical thing to avoid is any approach that would make
existing volunteers have to deal with certification paperwork if they
aren't actively excited to do that, because a whole lot of people are
going to have the same reaction that I have: no, this is the kind of work
that I only do for a paycheck, and Debian is not in a position to provide
my paycheck.

-- 
Russ Allbery ([email protected])              <https://www.eyrie.org/~eagle/>

