Firewall Wizards mailing list archives

Re: Too Paranoid?


From: Dave Piscitello <dave () corecom com>
Date: Sun, 29 Sep 2002 13:57:15 -0400

Totally in agreement.

Any reputable vendor should appreciate this, and should be willing to explain
what security measures they have implemented to your satisfaction, or if
not to your satisfaction, willing to work to resolve differences between their
security posture and what your policy requires.

Beyond this, you should establish what liability the vendor is willing to accept.
Your *ss is on the line, your company's integrity and future.

If there is a "they screw up, you lose" scenario, your service contract should
describe who is accountable for loss, down time, costs of cleanup, etc.

Moreover, if someone in your organization overrules you, you should put in
writing exactly what your concerns are and have it notarized (you can even
postal mail it to yourself, but don't open it).

From a technical perspective, I'd insist on auditing this system; document all
the security issues you feel don't meet your policy and standards. If you don't
know Win2K, then insist that the vendor provide a 3rd party appraisal.

I've had experience with a SCO turnkey system for credit card database access with a similar "phone home" requirement from the vendor. Default install, no effort taken to remove unnecessary services, eliminate guest accounts, etc.

You are not paranoid, you're doing your job.

At 12:36 PM 9/29/2002 -0400, you wrote:
> You are responsible for the security of your network.  ANY vendor
> who wants to put equipment on that network, no matter how big
> and impressive (my bet here is we're talking about ADP)- must be
> willing to demonstrate to your satisfaction that their system is secure.


David M. Piscitello
Core Competence, Inc. &
3 Myrtle Bank Lane
Hilton Head, SC 29926
dave () corecom com
843.689.5595
www.corecom.com


