Caveat emptor
The technical briefing that closed the engagement with the client
yielded one last surprise. The ASP had provided the client with a
"clean" SAS-70 Type II Audit Report issued by a prestigious CPA firm. A
SAS-70 is a widely recognised independent auditing standard that
includes an in-depth audit of a service provider's control activities,
which include controls over information technology and related
processes. Accordingly, BC had felt confident that their clients' data
would be well protected by the ASP.
Ultimately, even in the case of an ASP or Business Partner citing independent validation of their security practices, the onus lies with you (the client/partner) to perform due diligence and due care to corroborate that the validation is accurate and relevant to your security requirements. Current regulatory requirements, including HIPAA, Sarbanes-Oxley, and SB-1386, mandate this due diligence/due care.
In most cases where we have been engaged to evaluate the effectiveness of a business partner's level of security, we have found it to be notably below that required by the client. Of recent note was a marketing firm that carried its database on its balance sheet as a $55m asset. We found that the data mining company it had engaged to improve its penetration into an emerging market sector had security practices so poor that we were provided an unencrypted copy of the client's database with little more than a spoofed email.
Once again, the 2,000+ year old maxim holds true: caveat emptor.
Talkback
Nothing new under the sun. This is reality the world over. Not common practice but still plentiful around. It makes one wonder what kind of (business) reasoning and mindset was behind it all to make it all become reality. "GUI geil" some call it. Anything under the conceptual level is simply blocked out in the decision making process as being irrelevant or not meaningful enough. Those that agree with such attitude are pushed up to decision making powers. Those that don't are left to get blamed later given that they're not in a position to really do something meaningful about it all. Human error that wasn't supposed to happen, you've heard of it. Reward the guilty, punish the innocent.
Thing to note however is that 'easy hacks' make for great news making but are still the tip of the iceberg. There's so much more but it isn't easy reading the average human can relate to at all.
Had a similar episode with a client, who had a terminal server with good Domain protection, yet had a blank password for a local logon. This was their main Lotus Notes mail server!