Firewall Wizards mailing list archives

Best Practices


From: "Paul D. Robertson" <paul () compuwar net>
Date: Wed, 19 May 2004 15:57:21 -0400 (EDT)

On Wed, 19 May 2004, Gwendolynn ferch Elydyr wrote:

I think that's an example of trying to fit the same shoe to everybody's
foot.  Best practices aren't identical for all sites.

Indeed, at my employer, we use the term "Essential Practice" for things
that are bare minimum or required baseline items.  From there, you can do
better, but the real key is in setting the floor, not the ceiling.

yet.  My company is not required by customers to carry insurance.  If my
company asks for insurance or other indemnification during contract talks,
we get laughed at.  We have stopped asking, stopped looking, and stopped
worrying about it.  I'd be happy to see it.  So when the game starts, put
me in coach.

Ah! You're talking about something else entirely.  If I read you
correctly, you want some sort of security guarantee put into your vendor
contracts.  Interesting.

I think he's saying that we should require that vendors carry insurance.
I did a policy review for my employer recently, and I know that many of
our financial services customers do require it (along with the rest of
the stuff they care about.)  I think it's a perfectly reasonable thing to
start to require that companies we do business with carry computer
security insurance of different types.  It's probably appropriate for us
to start advocating what types and perhaps even what level too.

"Cyberinsurance" (gag) is also a relatively new thing, but it's useful in
starting to quantify the value of security, so I'm all for it.

Odd ;> I'm thinking "an additional tool in the belt" combined with "and
we're always looking for better ways".  This does get back to best
practices.  Minimum required access.  Do those servers need to have access
to the network? If the answer is no, then don't connect them to the
network.  "Because I can" is seldom the right answer [unless we're talking
about that nice long motorcycle ride through the twisties ;>].

Indeed, we always build buildings on foundations; we must do the same for
networks.

Right now I suspect that most of them haven't read this far down, and
are waiting to move along ;>

Indeed, it's time to start wrapping up the thread, and I've changed the
subject, but not the referring headers to move this a bit.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards