[ISN] Standards lifting sluggish systems

From: InfoSec News (alerts@private)
Date: Mon Nov 06 2006 - 22:49:02 PST


http://australianit.news.com.au/articles/0,7204,20697239%5E24169%5E%5Enbv%5E,00.html

By Eric Wilson
The Australian
NOVEMBER 07, 2006

COMPANIES are contractually binding their electronic trading partners to 
recognised security standards as corporate systems become increasingly 
linked for just-in-time trading.

The move is designed to maintain data integrity and privacy, but the 
legal framework for IT security compliance in e-commerce is often fuzzy.

At common law, says Matthew Rouse, principal of Brisbane technology law 
firm Rouse Lawyers, general liability for technology security negligence 
can run through the supply chain.

"The modern law of negligence is founded on the principles enunciated in 
the snail in the ginger beer case", Rouse says.

Rouse refers to May Donoghue's soft drink, served in 1928 at the 
Wellmeadow Cafe in Paisley England - allegedly with ice cream. At issue 
was a £500 claim that snail remains found in the bottle caused 
gastroenteritis and emotional distress.

After losing her case, on appeal the House of Lords allowed Donoghue to 
sue down the supply chain to get at her drink supplier's supplier, a man 
named David Stephenson.

This established the principle of duty of care to third parties.

Seventy-four years later in Australia, this same duty of care applies to 
securing all private information a business may hold about Donoghue or 
anyone else - even as subcontractors, outsourcers and offshorers access 
data about her through websites, sales, and supply-chain management 
systems.

As a result, verifiable legal compliance with international standards is 
driving a gleeful IT security industry because senior management is 
liable if anything goes wrong.

Rouse says Commonwealth legislation could pin Donoghue's issues on the 
board, with directors having a duty of care and diligence under section 
180 of the Corporations Act.

"While there is not a specific obligation, it is likely that proper IT 
security measures would fall under this general duty of care, depending 
on the scope of the company's business," Rouse says.

Bigger companies, and those presenting as IT savvy, are expected to 
comply with industry best practice codes, Rouse says.

Even a salesperson saying information will be secured can trigger a 
best-practice obligation under the Trade Practices Act.

Under the Privacy Act, it's possible to legally enforce the privacy 
statements of companies with turnover of more than $3 million, Rouse 
says.

Yet when it gets down to tin tacks, the law is fuzzy as to what a secure 
IT environment is. That is why security standards are becoming 
increasingly important to control information systems.

Symantec Asia-Pacific and Japan compliance solutions senior director Tim 
Hartman says standards such as ISO 17799/27001 provide a generic way to 
assess IT security risks, ranging from physical security to acceptable 
use policies, email security and configuration management.

Standards provide a common approach for security professionals to audit 
what is done.

Banks use the Basel II standard, while the federal government's security 
standard is ACSI 33.

The Department of Communications, Information Technology and the Arts' 
Leading Practices and Guidelines for Enterprise Security Governance is a 
good place to start, Hartman says.

"You want to trust the people you are dealing with electronically so you 
get them to sign off on standards," he says. "Security then becomes 
measurable."

Going through a standards process establishes rigour in risk assessment 
and decision-making. Hartman says increasing connection between 
corporations is eliminating electronic perimeters.

Although firewalls are important, the IT infrastructure they protect 
must be hardened.

"Taken to the nth degree, if you dropped that infrastructure on the 
internet unprotected, it should survive," Hartman says.

That's not as uncommon as it sounds, as corporate intranets are 
sometimes inadvertently exposed to the outside world.

Stephen Kirkby, chief executive of independent web security tester 
Maxamine, says maintaining standards isn't easy because web staff are 
usually stressed by pressing deadlines.

Mistakes can easily happen in their busy environment, which makes 
independent security testing essential to fulfilling the duty of care. 
But, he says, big companies often don't even know how many internal 
websites they have.

So, if legal push comes to shove, one must be able to prove security 
standards compliance.

PatchLink Asia-Pacific vice-president Neal Gemassmer says this means 
deploying a reporting system that shows when, where and how systems 
across a supply chain are patched and updated.

That's because firewalls and infrastructure hardening only buy time to 
fix vulnerabilities, and are not the fixes in themselves.

"Companies are negligent if they don't patch their applications, or if 
they rely on human aspects or don't report," Gemassmer says.

Apparently May Donoghue settled her duty of care litigation with David 
Stephenson's executors out of court for £200, but two lord justices 
later concluded there never was any snail.


