[Dshield] IH Policy for third party webhosts?

warwick ackfin warwick7th at gmail.com
Tue Mar 15 15:14:28 GMT 2005


I'm gonna answer Hobbit and Corp's questions in one fell swoop here...

I am quite certain the host is in another country...a friendly
country(sort of)...but another country for sure.

As a consultant I'm sorta limited in what I can say anyway
but...thoughts of invasion have crossed my mind.  My client is a "touchy
feely" type that doesn't want to grab the bull by the horns...VERY
frustrating.

The SLA...how difficult is that going to be considering we already
have a contract in force?  I'm thinking this could be considered a
"New" thing to add to the contract but that usually means more money.

My only concern about auditing is the international border.  I'm not
familiar with the other country's hacking laws and don't wanna get
caught behind that particular 8ball.  I guess that's a call to legal
though.  I'll see what can be done in that regard...thanks!

We were considering asking them for the qualifications of their IH
team but their organizational certification is also a good call.

--Warwick


On Mon, 14 Mar 2005 10:46:23 -0800 (PST), Mrcorp <mrcorp at yahoo.com> wrote:
> Great question!  I love these...
> 
> I start with SLA (Service Level Agreements).  These outline your expectations of the service you
> are provided.  For example, in this specific scenario, I would include notification of impact to
> service, escalation process, etc.
> 
> Next, I would include a required audit by your folks in audit, or if a smaller org, by yourself.
> Most third parties today understand this.
> 
> I also require third parties to have a certification of some sort, such as ISO or BS7799.  This
> is sometimes very difficult, but is very helpful when you know they meet specific requirements.
> 
> I do have some policy work on this as well that will be up on my site later this
> week.(www.infosecwriters.com)  I also have a worksheet that I require to have completed when
> evaluating vendors or service providers.  I would be willing to share this, just contact me off
> list.
> 
> Mrcorp
> 
> 
> --- warwick ackfin <warwick7th at gmail.com> wrote:
> > I have a situation where a client's website and webapplications are
> > hosted by a third party in another country.  Recently they have
> > experienced prolonged unscheduled downtime and the webhost is telling me
> > that there was an attack of some sort but will not go into further
> > detail.
> >
> > This isn't your regular webhost and my client has a contract with
> > certain expectations wired into it.  Unfortunately, the contract is
> > devoid of any incident handling measures expected of the webhost such
> > as sharing of log information and attack characteristics.
> >
> > Has anyone out there found themselves in the same nightmarish
> > predicament?  If so, what types of things did you include in the
> > policy?
> >
> > I want to be mindful of the webhost's security posture and the need to
> > protect their own perimeter.  I know I can't ask for all the IDS /
> > Firewall logs but I should be able to request grepped logs pertaining
> > to my client's environment right?
> >
> > ....and for the record...the idea of halting the SANS practicals is a
> > very VERY bad one...
> >
> > http://www.giac.org/practicals/termination.php
> >
> > --Warwick
> > -------------- Sponsor Message ------------------------------------
> > Join us at SANSFIRE 2005 in Atlanta!
> > The Internet Storm Center Conference.
> > Details: http://www.sans.org/sansfire2005
> >
> > _______________________________________________
> > send all posts to list at lists.dshield.org
> > To change your subscription options (or unsubscribe), see:
> > http://www.dshield.org/mailman/listinfo/list
> >


-- 
Warwick AckFin

Don't tread on me
<><
