Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security."



Hello,

Just as organizations require SLAs from connection providers (telecomm,
network, internet, power), one (organization) should require a Security SLA.

This should be included as part-and-parcel of privacy, non-disclosure, and
SOX (or other legislative requirements for one's own organization)
Statements of Conformity.

For example:

Because of various legislative, legal, reporting and policy requirements one
performs a process and maintains a level of security, risk, privacy,
reporting and whatnot. When this process involves an outside 3rd party, one
should require that the levels of security, risk, privacy, reporting and
whatnot are maintained even by the outside organization. Also, that one can
audit the outside 3rd party for conformance.

It is the responsibility of the "kick-off" organization to be in conformance
regardless of who performs, or where, part of a process takes place. An SLA or
Statements of Conformity for security should be a requirement.

-----

What is the point of being all "safe and secure" and then letting an outside
3rd party with nonexistent security perform some kind of processing or
whatnot? One should require that the "safe and secure" things that are being
done by your organization are also being done by the outside 3rd party at
the same or a higher level than your organization does.


Regards,

--
Jason Muskat | GCUX - de VE3TSJ
____________________________
TechDude
e. Jason@xxxxxxxxxxx
m. 416 .414 .9934

http://TechDude.Ca/


From: Angela and Donald <info@xxxxxxxxxxxxx>
Date: Tue, 23 May 2006 20:31:43 -0600
To: 'Jason Muskat' <Jason@xxxxxxxxxxx>
Cc: <security-basics@xxxxxxxxxxxxxxxxx>
Subject: RE: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security."

> good record with consumer data. If your local Telco can offer
> 99.995% uptime why shouldn't security?

Ummm, because those aren't even remotely the same thing? Because increasing
uptime does not invariably lead customers to try to circumvent that uptime
because it's too difficult to use? Because uptime will never be sacrificed
on the altar of short-term savings?

I understand and sympathize with your point but those are not even slightly
comparable metrics and you do both yourself and your clients a disservice
thinking that they are ....

Donald Wheeler




