Penetration Testing mailing list archives

RE: Bank Audit Best practices


From: Frank Knobbe <frank () knobbe us>
Date: Wed, 24 Mar 2004 02:05:39 -0600

On Tue, 2004-03-23 at 10:19, Mike Shaw wrote:
> It's about *risk management*. FI's don't understand many technical
> things, but they understand this. Thus, many consultants end up looking
> pretty silly to FI's when they can't tie technical benefit to risk reduction.


In addition, links owned by processors, etc., are typically excluded from
vulnerability studies, and sure as hell from pentests. But you can
inquire about copies of the processor's assessment. There are few
technical solutions to the issues raised by linking via a router to a
processor. If that link can be segmented and firewalled, fine. If not,
then this is something that should be highlighted in a risk assessment.
A vulnerability assessment should clearly mark it as excluded -- it
cannot make any assertions about it, regarding vulnerabilities or
otherwise.

It's a business decision. After all, it's a business partner, not a
business scumbag, that they link up with. They may talk with each other,
they may know something about their networks, they may work together,
they may strive for security together, they rise and fall together. And
I bet there are agreements and insurance policies that protect them from
each other :)

Regards,
Frank
