NIST/FISMA information security guidance is generally outstanding and more prescriptive than most other forms of guidance. However, there are limits to any standard’s ability to be prescriptive. These limits generally relate to differing technological architectures, the evolution of technology/assessment tools, and differing risk levels (which mandate different levels of testing).
These limits are well illustrated by a recent call that I had with a potential client. Our conversation began with him telling me: “This should be a pretty quick conversation – ...