Firewall Wizards mailing list archives
Best Practices
From: "Paul D. Robertson" <paul () compuwar net>
Date: Wed, 19 May 2004 15:57:21 -0400 (EDT)
On Wed, 19 May 2004, Gwendolynn ferch Elydyr wrote:
I think that's an example of trying to fit the same shoe to everybody's foot. Best practices aren't identical for all sites.
Indeed, at my employer, we use the term "Essential Practice" for things that are bare minimum or required baseline items. From there, you can do better, but the real key is in setting the floor, not the ceiling.
yet. My company is not required by customers to carry insurance. If my company asks for insurance or other indemnification during contract talks, we get laughed at. We have stopped asking, stopped looking, and stopped worrying about it. I'd be happy to see it. So when the game starts, put me in coach.
Ah! You're talking about something else entirely. If I read you correctly, you want some sort of security guarantee put into your vendor contracts. Interesting.
I think he's saying that we should require that vendors carry insurance. I did a policy review for my employer recently, and I know that many of our financial services customers do require it (along with the rest of the stuff they care about.) I think it's a perfectly reasonable thing to start to require that companies we do business with carry computer security insurance of different types. It's probably appropriate for us to start advocating what types and perhaps even what level too. "Cyberinsurance" (gag) is also a relatively new thing - but it's useful in starting to quantify the value of security, so I'm all for it.
Odd ;> I'm thinking "an additional tool in the belt" combined with "and we're always looking for better ways". This does get back to best practices. Minimum required access. Do those servers need to have access to the network? If the answer is no, then don't connect them to the network. "Because I can" is seldom the right answer [unless we're talking about that nice long motorcycle ride through the twisties ;>].
Indeed, we always build buildings on foundations, we must do the same of networks.
Right now I suspect that most of them haven't read this far down, and are waiting to move along ;>
Indeed, it's time to start wrapping up the thread, and I've changed the subject, but not the referring headers to move this a bit.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards