Firewall Wizards mailing list archives
Re: Security clauses for contracts
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Tue, 21 May 2002 21:57:46 -0400 (EDT)
I keep wondering if the security clauses should be implemented one way, or whether these should be bi-directional. Thus both parties feel compensated and sleep better, rather than one side feeling they are less trustworthy and taken for a ride. Cost sharing would then be distributed more cleanly.

Thanks,

Ron DuFresne

On Tue, 21 May 2002, Avishai Wool wrote:
> I think making such requirements is totally reasonable. (1) and (2) are pretty clear cut.
>
> A possible replacement to (3) could be: Alice agrees to conduct periodic security audits, by an agreed-upon 3rd party, quarterly or every 6 months, costs to be shared by the parties, and provide the results to Bob.
>
> This may be more acceptable to Alice because Alice maintains better control over her systems, and it's not Bob directly that designs and/or implements the audits. It makes the audit process slightly less adversarial.
>
> The cost structure is a negotiating point - but if Bob shares the cost, Bob has control over the fact that the audits do occur, and the auditor has a contractual obligation to provide the results to Bob.
>
> Avishai
>
> --- Adam Shostack <adam () homeport org> wrote:
>
> > In thinking about liability issues, and more generally contracts, the question of "what security tidbits do you put into a contract?" comes up. (Also, I've been asked to think about this by some colleagues, in the context of Bob hiring Alice to process sensitive information.)
> >
> > Alice claims to "take security and privacy very seriously." A few of the things I'd like to see:
> >
> > 1. Alice will provide copies of their security and privacy policies to Bob.
> > 2. Alice will provide copies of recent audits to Bob.
> > 3. Alice agrees that Bob can conduct audits/pen tests, as long as the results are shared with Bob, the tests are designed to be non-damaging, and don't use knowledge from (2). (This one is clearly controversial; however, Bob would really like assurance that Alice isn't falling behind on their patching...)
> >
> > Are these reasonable? Are there other things that you'd want to see in such a contract?
> >
> > Adam
> >
> > --
> > "It is seldom that liberty of any kind is lost all at once." -Hume
> >
> > _______________________________________________
> > firewall-wizards mailing list
> > firewall-wizards () nfr com
> > http://list.nfr.com/mailman/listinfo/firewall-wizards
>
> =====
> Avishai Wool, Ph.D., Chief Scientist & Co-Founder, Lumeta Corp.
> http://research.lumeta.com/yash/ http://www.eng.tau.ac.il/~yash yash () acm org
> Tel: +972-3-640-7206 Fax: +972-3-640-7095
> ** Want to audit or debug your firewall's policy? **
> Lumeta Firewall Analyzer: http://www.lumeta.com/firewall.html
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
testing, only testing, and damn good at it too!
Current thread:
- Re: Security clauses for contracts Bret Watson (May 21)
- Re: Security clauses for contracts Adam Shostack (May 22)
- <Possible follow-ups>
- RE: Security clauses for contracts Fred Kreitzberg (May 21)
- Re: Security clauses for contracts Frederick M Avolio (May 21)
- Re: Security clauses for contracts t (May 23)
- Re: Security clauses for contracts Adam Shostack (May 23)
- Re: Security clauses for contracts Matt Curtin (May 26)
- Re: Security clauses for contracts t (May 23)
- Re: Security clauses for contracts Avishai Wool (May 21)
- Re: Security clauses for contracts R. DuFresne (May 22)
- Re: Security clauses for contracts Dave Piscitello (May 22)
- RE: Security clauses for contracts Scott, Richard (May 22)
- Re: Security clauses for contracts Matt Curtin (May 23)