Security Basics mailing list archives
Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security."
From: Jason Muskat <Jason () TechDude Ca>
Date: Wed, 24 May 2006 01:17:06 -0400
Hello,

Just as organizations require SLAs from connection providers (telecom, network, internet, power), one (an organization) should require a Security SLA. This should be included as part and parcel of the privacy, non-disclosure, and SOX (or other legislative requirements for one's own organization) Statements of Conformity.

For example: because of various legislative, legal, reporting and policy requirements, one performs a process and maintains a level of security, risk, privacy, reporting and whatnot. When this process involves an outside 3rd party, one should require that the levels of security, risk, privacy, reporting and whatnot are maintained by the outside organization as well. Also, one should be able to audit the outside 3rd party for conformance. It is the responsibility of the "kick-off" organization to be in conformance regardless of who performs part of a process, or where it takes place. An SLA or Statement of Conformity for security should be a requirement.

-----

What is the point of being all "safe and secure" and then letting an outside 3rd party with nonexistent security perform some kind of processing or whatnot? One should require that the "safe and secure" things that are being done by your organization are also being done by the outside 3rd party at the same or a higher level than your organization's.

Regards,

--
Jason Muskat | GCUX - de VE3TSJ
____________________________
TechDude
e. Jason () TechDude Ca
m. 416.414.9934
http://TechDude.Ca/
From: Angela and Donald <info () dna-works com>
Date: Tue, 23 May 2006 20:31:43 -0600
To: 'Jason Muskat' <Jason () TechDude Ca>
Cc: <security-basics () securityfocus com>
Subject: RE: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security."

> good record with consumer data. If your local Telco can offer 99.995% uptime why shouldn't security?

Ummm, because those aren't even remotely the same thing? Because increasing uptime does not invariably lead customers to try to circumvent that uptime because it's too difficult to use? Because uptime will never be sacrificed on the altar of short-term savings?

I understand and sympathize with your point, but those are not even slightly comparable metrics, and you do both yourself and your clients a disservice thinking that they are ....

Donald Wheeler
Current thread:
- Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." Bob Radvanovsky (May 12)
- Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." Saqib Ali (May 15)
- Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." Jason Muskat (May 17)
- Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." Stephen John Smoogen (May 20)
- Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." Jason Muskat (May 23)
- RE: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." Angela and Donald (May 24)
- Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." Jason Muskat (May 24)
- Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." Saqib Ali (May 15)
- <Possible follow-ups>
- Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." Bob Radvanovsky (May 23)