WebApp Sec mailing list archives

RE: Security training of developers and company liability


From: "Wall, Kevin" <Kevin.Wall () qwest com>
Date: Tue, 13 Dec 2005 08:39:46 -0600

James Strassburg wrote...

> For anyone still interested: I posed this question to our corporate
> legal team.  Their response stated that since we have a corporate
> information systems use policy that includes not using the Internet for
> inappropriate reasons (there is much more language in the policy of
> course), we would have a good argument that we were not negligent by
> training developers in this respect.  Therefore, he didn't feel a CYA
> signed waiver or disclaimer was necessary.  They did suggest reaffirming
> the relevant parts of the information systems use policy verbally at the
> start of the class however.

In this particular case, I'd agree with them, but IMHO (and IANAL), I
think that in the general case there need to be other considerations
taken into account beyond an "acceptable use policy" or internal
"code of conduct". For instance, prior to HIPAA, Sarbanes-Oxley, etc.,
your company might collect millions of customer records with unencrypted
SSNs and CC#s. Let's suppose that you kept those in an Oracle DB and
that the user id / password to access these records was widely known,
not just to IT people but throughout the company. If you have a rogue,
disgruntled employee grab a few million SSNs and CC#s and sell them, I'm
not so sure that your company wouldn't be liable in class-action lawsuits
because you did not practice "due diligence" and/or best security practices.
(And even if you weren't liable, the resulting bad publicity could give your
company a black eye from which they might never recover. There is more to
risk management than just legal issues.)

However, I agree that in this particular case, CYA is not really needed--
mostly for all the reasons stated in recent threads on this topic.
(Wow; imagine that. A legal team that is not anal-retentive. I never
thought that possible. ;-)

-kevin
---
Kevin W. Wall           Qwest Information Technology, Inc.
Kevin.Wall () qwest com Phone: 614.215.4788
"The reason you have people breaking into your software all 
over the place is because your software sucks..."
 -- Former whitehouse cybersecurity advisor, Richard Clarke,
    at eWeek Security Summit
