Firewall Wizards mailing list archives

Executives liable for computer crime? (update)


From: "Wood, Tom D" <TDW6 () pge com>
Date: Tue, 25 Aug 1998 20:16:33 -0700

To all,
My apologies for the protracted silence after my original post. There were
multiple replies requesting a link, pointer, FTP site, whatever to fetch the
white paper I had alluded to. So... for the past week I have been working
feverishly at getting the darn thing re-posted.
All I have is a year old hard copy, and the site it originally came from has
yanked it for being dated material. I have been in contact with the
webmaster and she has provided me an active link to the doc, but as yet, no
permission to re-publish either the paper or the pointer.
I don't feel comfortable re-publishing without permission someone else's
work, but I will paraphrase it enough to get the point across. BTW, the site
it came from originally is a *very* well known maker of Token based
authentication systems, you can use your own imagination from there <g>.

It starts out revealing a new Federal regulation (1991) aimed at white
collar crime that has implications for CEOs, IS managers and "other senior
management". It then goes on to state that the reg holds the CEO and senior
management responsible for crime involving their organization. Even if the
crime was obviously a downstream attack using your network as a launchpad,
you're on the hook for up to $290 million in damages and possible corporate
probation.

It then speaks of the Federal Sentencing Organizational Guidelines that have
defined a point system for judges to use in determining punishments, and
states that a judge can reduce the penalties if it is determined that a
"good faith effort" has been made to secure the network. Blurbs about the
wondrous things two-factor authentication can do for us make up the
remaining bulk of the doc.

IMHO, the salient point that the author has attempted to make with this
paper is this...
"If your network has been plundered and then used to plunder your neighbor's
network, and all you're depending on for security is static re-usable
passwords (especially for dial-in services), in the eyes of the Feds you're
toast!"

So, has the reality bar been raised high enough in this great land of ours
that someone could actually be held liable for inadequate security? I like
the direction that takes us, although I can't say I am thrilled with a
Federal judge making the call <g>.

BTW, if anyone is interested, I will post the "References" from the paper at
a later date. Could be some good research information.

Tom Wood
ETPM Advanced Systems Group
tdw6 () pge com

If genius is one percent inspiration and 99 percent perspiration, I wind
up sharing elevators with a lot of bright people.
