
stories filed under: "auditor"
Studies

by Mike Masnick


Filed Under:
auditor, cheating, data breach, liability, security



Security Pros Cheating During Audits?

from the oops dept

We were just discussing whether a security auditor should be liable for giving a company a passing grade if there's later a security breach. Considering that it's pretty much impossible to be perfectly secure, and there are always some things that could go wrong, it seemed like a bad idea to hold auditors liable, except in situations where there was obvious fraud or gross negligence. And now there's evidence that security professionals may try to trick auditors, raising even more questions about why auditors should be liable. Michael Scott points us to the news that a recent survey of security pros found that 20% admit to having cheated, or to knowing others who cheated, in order to pass a security audit. Now, the phrasing can be misleading -- by asking whether "they did or they know someone who did," the survey could (in theory) be counting just one guy who cheated... who happens to know a lot of other security professionals. So it would certainly require a bit more research to determine how widespread the cheating is. It's also not clear how many times the cheating occurred. If it's every audit, that's one thing. If it happened once and the issue was fixed, that's quite different. Still, it's more evidence that you can't just blame the auditors -- especially when the security pros at the company may not be completely truthful in providing info to the auditors.

Legal Issues

by Mike Masnick


Filed Under:
auditor, data breach, liability, security



Is A Security Auditor Liable If There's A Security Breach?

from the we-may-find-out... dept

Wired is discussing the suddenly relevant legal question of whether or not a security auditor should be held liable if it claims a company's data is secure and then there's a data leak. The specific lawsuit in the spotlight right now involves Savvis -- which had audited the security of CardSystems' computer systems and determined that the company "had implemented sufficient security solutions and operated in a manner consistent with industry best practices." As you may remember, CardSystems was later found to have had a massive breach of credit card data (for a while, until recently surpassed, it was considered the largest credit card data breach ever). So Savvis is now being sued for claiming that CardSystems' systems were secure. This is certainly a tough one. Obviously, it's no good if security auditors are simply rubberstamping things -- but it's impossible to be fully confident that a system is secure, and there can always be a leak somewhere. So holding auditors liable for any such leak could make it prohibitive to even be an auditor -- with the end result being fewer auditors, and potentially less actual security. But... at the same time, you certainly want there to be some incentive for the auditors to take their job seriously. It seems that, in the absence of clear negligence on the part of the auditor, it's a bit extreme to put any liability on the auditor.
