News from the US government:

The Department of Homeland Security (DHS) and the Information Technology Sector Coordinating Council (IT SCC) today released the IT Sector Baseline Risk Assessment (ITSRA) to identify and prioritize national-level risks to critical sector-wide IT functions while outlining strategies to mitigate those risks and enhance national and economic security.

The news release claims the ITSRA “validates the resiliency of key elements of IT sector infrastructure”.

That sounds suspiciously like the SAS70 approach to security where audits can be targeted to very limited areas of an organization and success is never measured across the whole.

Key elements?

Reduce scope enough and success is found somewhere. I think Calvin and Hobbes had a nice variation of this. It was a graphic of a snowman with just two balls — no head. Calvin stood back in admiration and said something about the secret to good-self esteem comes from lowering expectations until they are already met. Here’s another variation from Calvin that will have to do until I can dig up the one I remember:

I’m not saying that is now the case here, as I have not finished reading the full report yet, but the press release language is already steering me in that direction.