In some email I received from Kevin Tyrrell, sie wrote:
[...]
> Buying insurance against "hackers" might actually make some companies less
> secure. They have been certified as insurable (secure), so they can put
> security on the back burner until it's time for next year's checkup, then
> they get whacked. But hey, they got insurance.

I'm somewhat bemused by the attitude towards audits. At least here, in Australia, legal firms are audited twice annually and one (if not both) are random audits where the only notice you get is when they ring the bell to say they're there. This probably happens in a lot of other cases too, it's just the only one I personally know about.

I can't see why IT security should be any different. Maybe there's a call for more regular audits - who knows? I'd expect that if you did fail an audit that your certification would (at least) immediately lapse and so possibly void your insurance. I'd imagine that would be somewhat embarrassing too.

Darren
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:57:56 PDT