[unisog] RE: Outside Penetration Testing and FERPA

GREGORY SEIBERT gregs at kent.edu
Fri Dec 3 23:10:11 GMT 2004

OK...I should have footnoted "reputable". For us, we have used IBM, NEC,
Price Waterhouse, E&Y, and KPMG. Reputable for us means firms with records
that inspire respect in the auditing world. (And yes, I know that Arthur
Andersen was reputable at some point in time...) I would certainly agree
that it would be irresponsible to allow Fly-By-Night, Incorporated to muck
around a network no matter how many agreements and contracts were in place.
When we have our external financial audits done, we don't use Sally
Seashell, CPA, either. I guess if you can only afford Cheapo,
Incorporated, then you need to do a risk assessment of whether no
assessment is safer than allowing Cheapo to go rummaging around.

I think what I was trying to say is that as part of our process, we need to
partner with and trust third parties to verify our practices and point out
problems. It is not only OK, but required by federal regs, ethics and all
kinds of best practice guidelines. If appropriate agreements are in place
and if you use a "reputable" service, there should be no hesitation in
doing so. It is incumbent upon us custodians of the protected data to make
sure that we require the appropriate contract language and class of
partner. If you do that and end up with Arthur Andersen - well, you have
done everything you should have done to meet the requirements - you've done
all the right due diligence - sometimes bad things happen to good people.
You just pick up and go on and keep doing the best you can.

      Greg

Gregory A. Seibert, CISM
Director of Security and Compliance
Suite 384 Library
Kent State University
www.security.kent.edu
330-672-0383 (Voice)
330-672-9374 (FAX)

From: Valdis.Kletnieks at vt.edu
Sent by: unisog-bounces at lists.sans.org
To: UNIversity Security Operations Group <unisog at lists.sans.org>
cc: Pen Test List <pen-test at securityfocus.com>, Security Mgmt List <security-management at securityfocus.com>, unisog-bounces at lists.sans.org
Subject: Re: [unisog] RE: Outside Penetration Testing and FERPA
Date: 12/02/2004 04:10 PM
Please respond to UNIversity Security Operations Group

On Thu, 02 Dec 2004 09:14:27 EST, GREGORY SEIBERT said:

> For our situation, we would have no problem with third party security
> testing by reputable firm as long as the appropriate agreements were in
> place.

OK. That just begs the question - how do you:

a) define
b) verify

what constitutes a "reputable firm"?  If you get a call from Clue-by-Four
Consulting, are they reputable?  If I'm(*) listed as the principal consultant,
does that change matters?  If they list your competitors as clients, does that
mean they're clued, or that they've already social engineered your competition
and you're next? ;) (Remember - if it's a new firm, or even a not-old firm,
if you require a long list of clients, you're almost by definition looking at
a list of companies that have lower due diligence standards than you do. Think
about that for a moment...)

(*) No, I don't do consulting at the current time - but for better or worse,
I probably have name recognition..  No need to voice which you think it is.. ;)

_______________________________________________
unisog mailing list
unisog at lists.sans.org
http://www.dshield.org/mailman/listinfo/unisog
