(June 1996)

Subject: Re: Pilot Network Services
From: manderse @ (Mike Andersen)
Date: Thu, 20 Jun 1996 14:55:31 -0400
To: proberts @ clark .
Cc: Firewalls @ GreatCircle . COM

On Thu, 20 Jun 1996 roberts @ clark . net wrote:
>It also depends a great deal on your resources, and those of the
>outsourcing company.  Most large companies outsource physical security, as
>was pointed out.  That's because they don't have the resources, or core
>competency to do it themselves.  Does that mean that the physical security
>of their sites is worse than if they did it themselves?  Sometimes yes,
>sometimes no.

Well, one physical security guard would have a hard time stealing a significant 
amount of a firm's assets (enough to Chapter 11 them).
But one data security person could (depends on your business).

>If you can't get a firm commitment of service, then you're looking at the
>wrong type of firms.  What happens if *you* get multiple break-ins and ...

We looked at IBM, EDS and some others.  The fact is the liabilities from a 
system outage were so great none of the firms would accept them in a contract 
that wasn't very much more expensive than keeping it in house.

Multiple break-ins - Drop Internet connection and have SA's cleanup mess.

>I'd say the same is true of most company's IT departments.  Face it, in
>almost all non-software or outsourcing vendor locations, you're an

Duh! (sorry, your flame was on too high)

>Who audits the security group?

Our audit group and periodically outside audits.

>I have outsourced almost all of my firewall development (That means the
>code writing bits, NOT the installation or security policies).

Hope they stripped the kernel and are running a minimum of processes. Not to 
mention secured mail, have routers filtering on both sides of your firewall, 
etc. Plz respond to this item offline, not that the forum's not a safe place :)

>We've all seen how much concern OS vendors tend to put into security
>during their design and development phases.  I don't see many people
>ranting that they should get their own OS design group,

Never suggested that, I even think it good to get a mature firewall product from 
a firm that's been in the business 5 years or so (so long as you keep up on 

BTW - I was a consultant for 10 years - good money.  An _independent_ consultant
      is just as dependent as an employee on the firm that's paying him; he'd
      also like to use you as a reference.  A consultant firm is less so; they
      have multiple clients for both cash flow and references (not that they
      want to hurt their reps (I've seen it)).
Plz, I don't want to waste any more forum bandwidth - take another shot if you like, 
but from then on, if necessary, let's continue offline.  I've seen these threads go 
on far too long in the past.  Let's just lurk for tech tidbits ;^)

PS: Send over the guy who'll work for $8.95/hr - Cheers - Mike

