Firewall Wizards mailing list archives
Due Diligence, Liability, & Professionalism (was "Re: ")
From: Vin McLellan <vin () shore net>
Date: Wed, 1 Sep 1999 04:47:16 -0400
Rick Smith <rick_smith () securecomputing com> opined:
What matters is that the measures are consistent with reasonable and prudent practice in the associated industry. This is, of course, a pretty low bar
I think I wrote my first article on the topic of "due diligence" and information security in 1968 for "Electronic News." It went something along the lines of this: "Soon the Courts or the Insurance Companies will jump in. When the Courts nail a few irresponsible companies, and the pseudo-professionals who mismanage the stockholders' IT assets... or when the Insurance Companies offer significantly lower premiums to companies which have top-flight computer security -- then, _finally_, MIS (i.e., IT) professionals will get the support (or backbone) they need to stave off budget pressures from upper management and offer security worthy of the assets they control."

Over the following quarter century, with ever-greater cynicism, I probably wrote a half-dozen articles on the same topic, at the request of different magazine editors who were charmed by the same hopeful theme. Never happened. (As is, in a somewhat different context, painfully obvious with the current standard of commercial software.)

Along the way, I became convinced that it will never happen unless and until a professional class of infosec specialists constitutes itself, establishes minimal standards, and goes on the prowl as expert witnesses -- intentionally seeking to make irresponsible behaviour costly. Hungry lawyers alone are apparently not enough.

Suerte,
_Vin

------ earlier message -----------------

Rick Smith <rick_smith () securecomputing com> opined:
What matters is that the measures are consistent with reasonable and prudent practice in the associated industry. This is, of course, a pretty low bar
Paul Robertson <proberts () clark net> responded:
<snip>
I don't think this test necessarily applies to current caselaw. While "best current practice" and "in the associated industry" come up constantly, the citations I've heard say that a case (forgive me for not having a direct citation; I'm not sure where I stored the original comments anymore) in the early 1900s that applied to commercial shipping organizations not providing life vests to crewmembers applies, and that "best common practice" isn't a high enough standard no matter what an industry may think....
<snip>
Steve Bellovin <smb () research att com> answered the call for a cite:

I suspect you're thinking of the T.J. Hooper case, which Bill Cheswick and I cited in our firewalls book. Here's the quote from the Court of Appeals ruling (60 F.2d 737, 2nd Cir. 1932):

"Indeed in most cases reasonable prudence is in fact common prudence; but strictly it is never its measure; a whole calling may have unduly lagged in the adoption of new and available devices. It may never set its own tests, however persuasive be its usages. Courts must in the end say what is required; there are precautions so imperative that even their universal disregard will not excuse their omission... But here there was no custom at all as to receiving sets; some had them, some did not; the most that can be urged is that they had not yet become general. Certainly in such a case we need not pause; when some have thought a device necessary, at least we may say that they were right, and the others too slack. ... We hold [against] the tugs therefore because [if] they had been properly equipped, they would have got the Arlington [weather] reports. The injury was a direct consequence of this unseaworthiness."

The issue was whether or not tugboats needed to be equipped with radios to receive weather forecasts.