Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form.

Q: Why can’t I advise customers about compliance with HIPAA or SOX information security requirements if I’m a knowledgeable information security consultant?

A: Doing so would not only put you at risk for violating state law prohibitions against the unauthorized practice of law, but also fail to provide your customers either with attorney-client privilege protection against disclosure of vulnerabilities information or an “advice of counsel” defense.

Q: Why doesn’t my in-house lawyer’s involvement give me sufficient attorney-client privilege protection?

A: Contracting information security evaluations through in-house counsel is better than not having that involvement. However, as discussed, courts in multiple jurisdictions impose a higher standard for allowing attorney-client privilege for in-house counsel than for outside, retained lawyers.

Q: How often do I need to have information security evaluations?

A: Courts and regulators will apply a “reasonability” determination on this question, and it will be fact-specific, depending on the industry you are in, the types and amount of sensitive information you hold, and the then-current status of legal and regulatory requirements applicable to your business. In general, however, they should probably be no less frequent than once a year and, in many cases, more often.

Q: How much does having a lawyer involved add to the cost of information security evaluations?

A: Assuming you locate qualified and experienced counsel working with equally qualified technical consultants, and those two groups, in partnership, provide an integrated product that is priced in a reasonable and packaged way, your costs may well be less than using large, expensive, hourly rate-based consulting companies alone.

Q: How likely is a catastrophic information attack on our country?

A: There is a great deal of disagreement on this question, including among the authors of this chapter. However, the U.S. government has based a publicly stated policy on the possibility of such an attack and, post-9/11, it is prudent to assume such an attack could take place. Perhaps most importantly, assuming such an attack could occur only supports the myriad other business reasons to take reasonable information security measures, including one that lawyers rarely talk about: it is the right thing to do.

Q: Why are scientists now using lawyers more than rats for experiments?

A: (1) There are now more lawyers available than there are rats; (2) it is possible for scientists to get emotionally attached to the rats; and (3) there are some things you just can’t get a rat to do.