Firewall Wizards mailing list archives
Executives liable for computer crime? (update)
From: "Wood, Tom D" <TDW6 () pge com>
Date: Tue, 25 Aug 1998 20:16:33 -0700
To all,

My apologies for the protracted silence after my original post. There were multiple replies requesting a link, pointer, FTP site, whatever to fetch the white paper I had alluded to. So... for the past week I have been working feverishly at getting the darn thing re-posted. All I have is a year-old hard copy, and the site it originally came from has yanked it for being dated material. I have been in contact with the webmaster and she has provided me an active link to the doc, but as yet, no permission to re-publish either the paper or the pointer. I don't feel comfortable re-publishing someone else's work without permission, but I will paraphrase it enough to get the point across. BTW, the site it came from originally is a *very* well known maker of token-based authentication systems, you can use your own imagination from there <g>.

It starts out revealing a new Federal regulation (1991) aimed at white collar crime that has implications for CEOs, IS mgrs and "other senior management". It then goes on to state that the reg holds the CEO and senior management responsible for crime involving their organization. Even if the crime was obviously a downstream attack using your network as a launchpad, you're on the hook for up to $290 million in damages and possible corporate probation. It then speaks of the Federal Sentencing Organizational Guidelines that have defined a point system for judges to use in determining punishments, and states that a judge can reduce the penalties if it is determined that a "good faith effort" has been made to secure the network. Blurbs about the wondrous things two-factor authentication can do for us make up the remaining bulk of the doc.

IMHO, the salient point that the author has attempted to make with this paper is this...

"If your network has been plundered and then used to plunder your neighbor's network, and all you're depending on for security is static re-usable passwords (especially for dial-in services), in the eyes of the Feds you're toast!"

So, has the reality bar been raised high enough in this great land of ours that someone could actually be held liable for inadequate security? I like the direction that takes us, although I can't say I am thrilled with a Federal judge making the call <g>

BTW, if anyone is interested, I will post the "References" from the paper at a later date. Could be some good research information.

Tom Wood
ETPM Advanced Systems Group
tdw6 () pge com

If genius is one percent inspiration and 99 percent perspiration, I wind up sharing elevators with a lot of bright people.