Firewall Wizards mailing list archives

Re: InfoSec Consultant Liability Question


From: "Joe Dauncey" <j_dauncey () hotmail com>
Date: Fri, 29 Oct 1999 12:54:41 +0100

Frank,

You shouldn't focus your efforts on insurance, but on stressing to your
clients the risk element of security. How much money do they want to spend
on lowering the risk? You will never ever get a completely secure
site/implementation, and if your clients are under any impression of this
then you probably need to put more work into explaining this to them.

Your role is to explain what measures can reduce risk, not how to prevent
them from being compromised. At the end of the day it is their fault if they
get compromised because they probably weren't prepared to spend the cash to
eliminate the risk in the area in which they were compromised.

However, if you tell them that a Windows 98 client is a reliable firewall,
then I guess that you could be asking for it!!

Is this view controversial? I hope not!!

Cheers,
Joe Dauncey

j_dauncey () hotmail com
----- Original Message -----
From: Frank Pawlak <FPAWL () pcsentre com>
To: <firewall-wizards () nfr net>
Sent: Friday, October 15, 1999 7:45 PM
Subject: InfoSec Consultant Liability Question


I am considering entering the InfoSec field as an independent consultant.
My question is what kind of legal liabilities are generally encountered during
the course of work?  Is there insurance available, like a type of
malpractice insurance?

I understand that systems cannot be made 100% secure, and that knowledge
transfer can be made to the client.  But, there remains the possibility that
if a network is compromised, the client may litigate for damages, etc.

Any advice or pointers are most welcome.  My thanks in advance.

Frank Pawlak







