Firewall Wizards mailing list archives

Due Diligence, Liability, & Professionalism ( was "Re: ")


From: Vin McLellan <vin () shore net>
Date: Wed, 1 Sep 1999 04:47:16 -0400

        Rick Smith <rick_smith () securecomputing com> opined:

 What
matters is that the measures are consistent with reasonable and prudent
practice in the associated industry. This is, of course, a pretty low bar

       I think I wrote my first article on the topic of "due diligence" and
information security in 1968 for "Electronic News."  

        It went something along the lines of this:   "Soon the Courts or the
Insurance Companies will jump in.  When the Courts nail a few irresponsible
companies, and the pseudo-professionals who mismanage the stockholders' IT
assets.... or when the Insurance Companies offer significantly lower
premiums to companies which have top-flight computer security -- then,
_finally_, MIS (i.e., IT) professionals will get the support (or backbone)
they need to stave off budget pressures from upper management and offer
security worthy of the assets they control.

        Over the following quarter century, with ever-greater cynicism, I
probably wrote a half-dozen articles on the same topic, at the request of
different magazine editors who were charmed by the same hopeful theme.

        Never happened.  (As is, in a somewhat different context, painfully
obvious with the current standard of commercial software.)

        Along the way, I became convinced that it will never happen unless
and until a professional class of infosec specialists constitutes itself,
establishes minimal standards, and goes on the prowl as expert witnesses --
intentionally seeking to make irresponsible behaviour costly.  

        Hungry lawyers alone are apparently not enough.

        Suerte,

                     _Vin


------ earlier message -----------------

        Rick Smith <rick_smith () securecomputing com> opined:

 What
matters is that the measures are consistent with reasonable and prudent
practice in the associated industry. This is, of course, a pretty low bar

        Paul Robertson <proberts () clark net> responded:

<snip>
I don't think this test necessarily applies to current caselaw.  While 
"best current practice" and "in the associated industry" come up 
constantly, the citations I've heard say that a case (Forgive me for not 
having a direct citation, I'm not sure where I stored the original 
comments anymore) in the early 1900's that applied to commercial 
shipping organizations and not providing lifevests to crewmembers applies 
and that  "best common practice" isn't a high-enough standard no matter 
what an  industry may think.... 
        <snip>

        Steve Bellovin <smb () research att com> answered the call for a cite:

I suspect you're thinking of the T.J. Hooper case, which Bill
Cheswick and I cited in our firewalls book.  Here's the quote from
the Court of Appeals ruling (60 F.2d 737, 2nd Cir.  1932):

      Indeed in most cases reasonable prudence is in fact common
      prudence; but strictly it is never its measure; a whole
      calling may have unduly lagged in the adoption of new and
      available devices.  It may never set its own tests, however
      persuasive be its usages.  Courts must in the end say what
      is required; there are precautions so imperative that even
      their universal disregard will not excuse their omission...
      But here there was no custom at all as to receiving sets;
      some had them, some did not; the most that can be urged is
      that they had not yet become general.  Certainly in such
      a case we need not pause; when some have thought a device
      necessary, at least we may say that they were right, and
      the others too slack.  ... We hold [against] the tugs
      therefore because [if] they had been properly equipped,
      they would have got the Arlington [weather] reports.  The
      injury was a direct consequence of this unseaworthiness.

The issue was whether or not tugboats needed to be equipped with
radios to receive weather forecasts.
