Firewall Wizards mailing list archives

Re: Security clauses for contracts


From: "R. DuFresne" <dufresne () sysinfo com>
Date: Tue, 21 May 2002 21:57:46 -0400 (EDT)



I keep wondering if the Security clauses should be implemented one way, or
whether these should be bi-directional.  Thus both parties feel
compensated and sleep better, rather than one side feeling they are less
trustworthy and taken for a ride.  Cost sharing then being distributed
cleaner.

Thanks,

Ron DuFresne

On Tue, 21 May 2002, Avishai Wool wrote:

I think making such requirements is totally reasonable.
(1) and (2) are pretty clear cut. 

A possible replacement to (3) could be 
Alice agrees to conduct periodic security audits, 
by an agreed-upon 3rd party,
quarterly or every 6 months,
costs to be shared by the parties, 
and provide the results to Bob.

This may be more acceptable to Alice because Alice maintains
better control over her systems, and it's not Bob directly
that designs and/or implements the audits. It makes the audit
process slightly less adversarial. The cost structure is a negotiating
point - but if Bob shares the cost Bob has control over the fact 
that the audits do occur, and the auditor has a contractual obligation
to provide the results to Bob.

Avishai

--- Adam Shostack <adam () homeport org> wrote:
In thinking about liability issues, and more generally contracts, the
question of "what security tidbits do you put into a contract?" comes
up.  (Also, I've been asked to think about this by some colleagues, in
the context of Bob hiring Alice to process sensitive information.)
Alice claims to "take security and privacy very seriously."

A few of the things I'd like to see:

1. Alice will provide copies of their security and privacy policies to
Bob.  

2. Alice will provide copies of recent audits to Bob.  

3. Alice agrees that Bob can conduct audits/pen tests, as long as the
results are shared with Bob, the tests are designed to be
non-damaging, and don't use knowledge from (2).  (This one is clearly
controversial; however, Bob would really like assurance that Alice
isn't falling behind on their patching...)

Are these reasonable?  Are there other things that you'd want to see
in such a contract?

Adam



-- 
"It is seldom that liberty of any kind is lost all at once."
                                                   -Hume


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards


=====
Avishai Wool, Ph.D.,   Chief Scientist & Co-Founder, Lumeta Corp.
http://research.lumeta.com/yash/   http://www.eng.tau.ac.il/~yash
yash () acm org     Tel: +972-3-640-7206  Fax: +972-3-640-7095
    ** Want to audit or debug your firewall's policy? **
Lumeta Firewall Analyzer: http://www.lumeta.com/firewall.html



-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!
