RE: InfoSec Consultant Liability Question
Pearson, Arran (Pears_A admiral.com.au)
Tue, 2 Nov 1999 12:16:41 +1100
The question of liability is not as silly as it first sounds, though. We
all agree that the client must choose how much to invest in security so as
to appropriately mitigate his / her risk, but a way of mitigating risk could
be insurance.

I have been involved in a number of assignments where what the client
(usually banking types) wants to know is their potential loss, not risk
but impact, and they then decide to either mitigate, insure or ignore
depending on how significant a loss we are talking about.

For instance, when a bank contracts a third party to build a payment gateway, one
of the important questions for them to address is the level of professional
indemnity to seek from the group contracted to build the gateway, i.e. if
your software does not work properly or one of your developers deliberately
inserts fraudulent or malicious code, how much can we expect from you? This
is a dollar figure that the bank (or the developer) must insure against
(typically based on how much $$$ damage can be done).

This has flow-on effects for brand etc. which cannot be insured
against (could be measured in terms of percentage of turnover, which for
banks is massive), and at this point the client must invest in countermeasures.

Unfortunately security is all about money, and it may be cheaper & more cost
effective to insure against loss than to properly mitigate risk.
> -----Original Message-----
> From: Marcus J. Ranum [mailto:mjr nfr.net]
> Sent: Tuesday, 2 November 1999 1:29
> To: Joe Dauncey; Frank Pawlak; firewall-wizards nfr.net
> Subject: Re: InfoSec Consultant Liability Question
>
> > You shouldn't focus your efforts on insurance, but on stressing to your
> > clients the risk element of security. How much money do they want to spend
> > on lowering the risk?
>
> I agree. The first thing in _any_ consulting engagement is setting the
> customer's expectations correctly. If you think the customers'
> expectations are unrealistic then you'd better expect trouble, walk
> away from the project, or hope you get lucky.
>
> mjr.
> --
> Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
> work - http://www.nfr.net
> home - http://www.clark.net/pub/mjr
This archive was generated by hypermail 2.0b3 on Wed Nov 03 1999 - 05:35:53 CST