RE: Security training of developers and company liability

Subject: RE: Security training of developers and company liability
Date: Tue, 13 Dec 2005 08:39:46 -0600
James Strassburg wrote...
 
> For anyone still interested: I posed this question to our corporate
> legal team.  Their response stated that since we have a corporate
> information systems use policy that includes not using the Internet for
> inappropriate reasons (there is much more language in the policy of
> course), we would have a good argument that we were not negligent by
> training developers in this respect.  Therefore, he didn't feel a CYA
> signed waiver or disclaimer was necessary.  They did suggest reaffirming
> the relevant parts of the information systems use policy verbally at the
> start of the class however.

In this particular case, I'd agree with them, but IMHO (and IANAL), I
think that in the general case there needs to be other considerations
taken into account beyond an "acceptable use policy" or internal
"code of conduct". For instance prior to HIPAA, Sarbanes-Oxley, etc.,
your company might collect millions of customer records with unencrypted
SSNs and CC#s. Let's suppose that you kept those in an Oracle DB and
that the user id / password to access these records was widely known
not just to IT people but throughout the company. If you have a rogue,
disgruntled employee grab a few million SSNs and CC#s and sell them, I'm
not so sure that your company wouldn't be liable in class-action lawsuits
because you did not practice "due diligence" and/or best security practices.
(And even if you weren't liable, the resulting bad publicity could give your
company a black eye from which they might never recover. There is more to
risk management than just legal issues.)

However, I agree that in this particular case, CYA is not really needed--
mostly for all the reasons stated in recent threads on this topic.
(Wow; imagine that. A legal team that is not anal-retentive. I never
thought that possible. ;-)

-kevin
---
Kevin W. Wall           Qwest Information Technology, Inc.
Kevin.Wall@qwest.com    Phone: 614.215.4788
"The reason you have people breaking into your software all 
over the place is because your software sucks..."
 -- Former White House cybersecurity advisor, Richard Clarke,
    at eWeek Security Summit