Bright Stove

Reflecting information risk journey


A bull fight in Madrid

with 2 comments

The ISO/IEC JTC1 SC27 18th Plenary meeting was held in Madrid from May 16-17, 2006. It set forth the new structure with formal agreement on two new working groups: one on “Security Controls and Services”, named “WG4”, and the other on “Identity Management and Privacy Technologies”, viz., “WG5.” The existing Working Groups (WG1, WG2, and WG3) remained, with WG1 having its scope changed to focus on Information Security Management System (ISMS) standardization, and the rest of its previous scope moved to WG4. That covers Network Security, Intrusion Detection, Incident Management, Disaster Recovery Services, and a few other esoteric, implementation-specific security standards from WG2. I was nominated by the Singapore National Body (NB) for the convenorship of WG4, and the nomination was duly accepted during the Plenary meeting – congrats to me 🙂 Probably due to the scope of work involved, there was no other nomination. What am I getting myself into this round when others have no interest in this WG? 😉 But I think I would rather have no competition here so that we can get on with the work quickly, compared with what’s going on in WG5.
WG5’s nomination wasn’t that smooth. The German and US NBs each put forth a nomination, but the NBs present at the meeting couldn’t come to an agreement on who should lead WG5. The decision was therefore postponed to the next meeting, with a call for more nominations of a convenor for WG5 during the interim. It seemed that the WG5 scope is a more contentious one. The concept of privacy varies across the globe. NBs are therefore concerned that their voice and concerns might not be adequately represented in the standards arena if they do not have someone who understands their privacy regime well. The dialogue (hopefully there’s one, or more) goes on…
Interestingly, I visited the Plaza De Toros on Sunday and watched the famous bull fight (or rather bull killing). The matadors killed eight bulls in one sitting of about 2+ hours, for 18 Euros from my pocket. It was all schemed. 6 to 8 men and two horses (blindfolded) charted out a series of steps to work on the bull: make it angry, poke its back so that it bleeds, poke more so that it bleeds badly and gets exhausted, use the red flag to make the bull angrier and provoke it to dash around meaninglessly, and get it more exhausted. Then finally, kill it with a single focused thrust of a long sword. And (almost) everybody applauded the matador for the “great” act (of killing the exhausted bull.)
What happened there was (1) a well-structured and standardized process; (2) great execution; and (3) a common target. But from the bull’s perspective, it was basically trapped in the structure and process. It had no way out but to put up a good fight, and then die. In the standardization world, it seems that we are working on (1), and only (1). We probably think that we have (3) in common. Do we? In terms of (2), it is left to the NBs, industry, and practitioners. The danger is that we set up such a formal (1) so much so that we ourselves get trapped like the bull — keep working hard, but with no way out. Meanwhile, for those on the dark side, their work is unbounded. They are not in the stadium. They simply work hard on identifying the weakest links for their next attack.

Written by mengchow

May 19, 2006 at 9:11 am

Posted in Security Standards
