Firewall Wizards mailing list archives

RE: Re: Flawed Surveys [was: VPN endpoints]


From: MHawkins () TULLIB COM
Date: Fri, 3 Sep 2004 13:50:13 -0400

Mike,

Mike - In CA all public companies must disclose any security breaches.

This is not true. Security breaches WHERE CUSTOMER INFORMATION was
compromised must be reported.

My point is that, for an accurate picture of costs and risks to be
developed, ALL security breaches need to be detailed and tabulated then
analyzed by actuaries and statisticians to build up a risk matrix.

Even CA's legislation does not do that, nor was it intended to.

CA's legislation primarily is intended to indirectly protect privacy. There
is no DIRECT incentive. It's indirect. This is the same problem I was referring
to. Hackers provide a direct incentive to organizations to protect their
networks. Surprise, surprise, enterprises are fairly good at protecting
themselves from hackers. On the other hand, enterprises are AWFUL at protecting
themselves from disgruntled employees and other internal risks.

Until we measure ALL such risks, we shall never know where to spend our
money.

CA legislation is very wide of that mark.

Mike H



-----Original Message-----
From: Paul D. Robertson [mailto:paul () compuwar net]
Sent: Friday, September 03, 2004 1:43 PM
To: Stailey, Mike
Cc: Hawkins, Michael; mjr () ranum com; firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] Re: Flawed Surveys [was: VPN endpoints]


On Wed, 1 Sep 2004, Stailey, Mike wrote:

Mike - In CA all public companies must disclose any security breaches.
Also, we now have the Sarbanes/Oxley act for publicly held companies.
Yes, it's got a long way to go but like in Paul's prior posts - it's
definitely a start in the right direction.

Anyway, that's my story and I'm sticking to it...

Isn't it bad though, that these regulations are coming from outside of our
field?  Shouldn't we be the ones lobbying and drafting and providing
guidance?

Maybe the costs will make businesses shy away from practitioners who would
advocate more regulation, but maybe that's the revolution we need in this
field to gain the next level of effectiveness?

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards