Firewall Wizards mailing list archives

RE: InfoSec Consultant Liability Question


From: "Pearson, Arran" <Pears_A () admiral com au>
Date: Tue, 2 Nov 1999 12:16:41 +1100

The question of liability is not as silly as it first sounds, though.  We
all agree that the client must choose how much to invest in security so as
to appropriately mitigate his / her risk, but one way of mitigating risk could
be insurance.

I have been involved in a number of assignments where what the client
(usually banking types) wants to know is "what is my potential loss?", not
risk but impact, and they then decide to either mitigate, insure or ignore
depending on how significant a loss we are talking about.

For instance, when a bank contracts a third party to build a payment gateway,
one of the important questions for them to address is the level of
professional indemnity to seek from the group contracted to build the gateway,
i.e. if your software does not work properly or one of your developers
deliberately inserts fraudulent or malicious code, how much can we expect from
you?  This is a dollar figure that the bank (or the developer) must insure
against (typically based on how much $$$ damage can be done).

This has flow-on effects for brand etc., which cannot be insured
against (they could be measured in terms of a percentage of turnover, which for
banks is massive), and at this point the client must invest in countermeasures.

Unfortunately security is all about money, and it may be cheaper and more cost
effective to insure against loss than to properly mitigate risk.

-----Original Message-----
From: Marcus J. Ranum [mailto:mjr () nfr net]
Sent: Tuesday, 2 November 1999 1:29
To: Joe Dauncey; Frank Pawlak; firewall-wizards () nfr net
Subject: Re: InfoSec Consultant Liability Question


You shouldn't focus your efforts on insurance, but on stressing to your
clients the risk element of security. How much money do they want to spend
on lowering the risk ?

I agree. The first thing in _any_ consulting engagement is setting the
customer's expectations correctly.  If you think the customers'
expectations are unrealistic then you'd better expect trouble, walk
away from the project, or hope you get lucky.

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr
