Re: How can you trust a company you don't know?

From: Steve (securityfocus_at_delahunty.com)
Date: 10/23/03

    To: "Rob McComber" <rob@digitalgenesis.ca>, "Nicholas Diotte" <xphox@xphox.net>, <security-basics@securityfocus.com>
    Date: Wed, 22 Oct 2003 20:07:32 -0400
    
    

    I think that we might be a bit off topic; Nicholas' original request was
    about looking into an email list/newsletter management firm, not totally
    outsourcing their corporate email. I believe that Nicholas' firm would
    still control the content and their marketing department would have direct
    say over that.

    STEVE

    ----- Original Message -----
    From: "Rob McComber" <rob@digitalgenesis.ca>
    To: "Nicholas Diotte" <xphox@xphox.net>; <security-basics@securityfocus.com>
    Sent: Tuesday, October 21, 2003 8:20 PM
    Subject: RE: How can you trust a company you don't know?

    In support of Dave Hartnell, I'd also like to add that when you allow a
    third-party to provide a service like emailing, you lose control of what is
    fast becoming a critical element of your company's archives. With email
    records being used in court with increasing frequency, maintaining the
    integrity of your own records is paramount.

    Even if your internal mail remains your own, your ability to control email
    that is sent as a legal representation of your company is compromised.

    Going back to C-I-A,
    Confidentiality - with a third-party, you just don't have it. Even if the
    email is intended for the public, you lose certain controls.

    Integrity - if they're a good company, this may be maintained. It may not be
    as well. If they send something out in error, it's very difficult to place
    responsibility, and even if you can, your company will be responsible to
    your customers.

    Availability - this is particularly dangerous. Can you be sure that access
    to your email will be available only to your authorized representatives?
    Will it always be available? If a court demands records, can you trust that
    another company will have maintained them? And even more disturbing, can you
    trust that your third-party provider won't make records of your email
    traffic available to someone else? This may not be malicious...if they're
    told by the courts to submit your records, they may buckle far sooner than
    your own legal section.

    In the end, no matter how well you know the company, Dave is right. Your
    corporate image is carried to your customers through marketing emails. You
    can't trust someone else with something that valuable.

    Rob McComber
    Technical Trainer

    rob_@_digitalgenesis.ca


