Firewall Wizards mailing list archives
Re: Too Paranoid?
From: Dave Piscitello <dave () corecom com>
Date: Sun, 29 Sep 2002 13:57:15 -0400
Totally in agreement. Any reputable vendor should appreciate this, and should be willing to explain what security measures they have implemented to your satisfaction, or if not to your satisfaction, willing to work to resolve differences between their security posture and what your policy requires.
Beyond this, you should establish what liability the vendor is willing to accept.
Your *ss is on the line, your company's integrity and future. If there is a "they screw up, you lose" scenario, your service contract should describe who is accountable for loss, down time, costs of cleanup, etc. Moreover, if someone in your organization overrules you, you should put in writing exactly what your concerns are and have it notarized (you can even postal mail it to yourself, but don't open it).
From a technical perspective, I'd insist on auditing this system, document all the security issues you feel don't meet your policy and standards. If you don't know Win2K, then insist that the vendor provide a 3rd party appraisal.
I've had experience with a SCO turnkey system for credit card database access with a similar "phone home" requirement from the vendor. Default install, no effort taken to remove unnecessary services, eliminate guest accounts, etc.
You are not paranoid, you're doing your job.
At 12:36 PM 9/29/2002 -0400, you wrote:
You are responsible for the security of your network. ANY vendor who wants to put equipment on that network, no matter how big and impressive (my bet here is we're talking about ADP) - must be willing to demonstrate to your satisfaction that their system is secure.
David M. Piscitello
Core Competence, Inc. &
3 Myrtle Bank Lane
Hilton Head, SC 29926
dave () corecom com
843.689.5595
www.corecom.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards