WebApp Sec mailing list archives
RE: Security training of developers and company liability
From: "Wall, Kevin" <Kevin.Wall () qwest com>
Date: Tue, 13 Dec 2005 08:39:46 -0600
James Strassburg wrote...
For anyone still interested: I posed this question to our corporate legal team. Their response stated that since we have a corporate information systems use policy that includes not using the Internet for inappropriate reasons (there is much more language in the policy of course), we would have a good argument that we were not negligent by training developers in this respect. Therefore, he didn't feel a CYA signed waiver or disclaimer was necessary. They did suggest reaffirming the relevant parts of the information systems use policy verbally at the start of the class however.
In this particular case, I'd agree with them, but IMHO (and IANAL), I think that in the general case there need to be other considerations taken into account beyond an "acceptable use policy" or internal "code of conduct". For instance, prior to HIPAA, Sarbanes-Oxley, etc., your company might collect millions of customer records with unencrypted SSNs and CC#s. Let's suppose that you kept those in an Oracle DB and that the user id / password to access these records was widely known not just to IT people but throughout the company. If you have a rogue, disgruntled employee grab a few million SSNs and CC#s and sell them, I'm not so sure that your company wouldn't be liable in class-action lawsuits because you did not practice "due diligence" and/or best security practices. (And even if you weren't liable, the resulting bad publicity could give your company a black eye from which they might never recover. There is more to risk management than just legal issues.)

However, I agree that in this particular case, CYA is not really needed -- mostly for all the reasons stated in recent threads on this topic.

(Wow; imagine that. A legal team that is not anal-retentive. I never thought that possible. ;-)

-kevin
---
Kevin W. Wall
Qwest Information Technology, Inc.
Kevin.Wall () qwest com
Phone: 614.215.4788
"The reason you have people breaking into your software all over the place is because your software sucks..."
-- Former whitehouse cybersecurity advisor, Richard Clarke, at eWeek Security Summit
Current thread:
- RE: Security training of developers and company liability, (continued)
- RE: Security training of developers and company liability Clement Dupuis (Dec 08)
- Re: Security training of developers and company liability Daniel (Dec 08)
- RE: Security training of developers and company liability Griffiths, Ian (Dec 08)
- RE: Security training of developers and company liability Brokken, Allen P. (Dec 08)
- RE: Security training of developers and company liability Jason Gregson (Dec 08)
- RE: Security training of developers and company liability James Strassburg (Dec 08)
- RE: Security training of developers and company liability Jeff Robertson (Dec 08)
- Re: Security training of developers and company liability Daniel (Dec 09)
- RE: Security training of developers and company liability Harley David (Dec 12)
- RE: Security training of developers and company liability James Strassburg (Dec 12)
- RE: Security training of developers and company liability Wall, Kevin (Dec 13)