

Subject: Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security."
Date: Wed, 24 May 2006 01:17:06 -0400
Hello,

Just as organizations require SLAs from connection providers (telecom,
network, internet, power), an organization should require a Security SLA.

This should be included as part-and-parcel of privacy, non-disclosure, and
SOX (or other legislative requirements for one's own organization)
Statements of Conformity.

For example:

Because of various legislative, legal, reporting and policy requirements one
performs a process and maintains a level of security, risk, privacy,
reporting and whatnot. When this process involves an outside 3rd party one
should require that the levels of security, risk, privacy, reporting and
whatnot are maintained even by the outside organization. Also, that one can
audit the outside 3rd party for conformance.

It is the responsibility of the "kick-off" organization to be in conformance
regardless of who performs, or where, part of a process. An SLA or
Statements of Conformity for security should be a requirement.

-----

What is the point of being all "safe and secure" and then letting an outside
3rd party with nonexistent security perform some kind of processing or
whatnot? One should require that the "safe and secure" things that are being
done by your organization are also being done by the outside 3rd party at
the same or a higher level than your organization does.


Regards,

-- 
Jason Muskat  | GCUX - de VE3TSJ
____________________________
TechDude
e. Jason@TechDude.Ca
m. 416.414.9934

http://TechDude.Ca/


From: Angela and Donald <info@dna-works.com>
Date: Tue, 23 May 2006 20:31:43 -0600
To: 'Jason Muskat' <Jason@TechDude.Ca>
Cc: <security-basics@securityfocus.com>
Subject: RE: Article: "Security Absurdity: The Complete, Unquestionable, And
Total Failure of Information Security."

good record with consumer data. If your local Telco can offer
99.995% uptime, why shouldn't security?

Ummm, because those aren't even remotely the same thing? Because increasing
uptime does not invariably lead customers to try to circumvent that uptime
because it's too difficult to use? Because uptime will never be sacrificed
on the altar of short-term savings?

I understand and sympathize with your point, but those are not even slightly
comparable metrics, and you do both yourself and your clients a disservice
thinking that they are...

Donald Wheeler



