How much should IT disclose post-intrusion?
Q:
As SearchSecurity's recent podcast noted, Apache's recent security disclosure was unusual in how thorough it was. Just curious: What's your company's intrusion or malware disclosure policy, and are you happy with how it's implemented?
ASKED: Sep 22 2009  7:57 PM GMT
A:
That all depends on what the laws are in the state or country where you do business. For businesses that are in or do business in California, if the customers' personal information is stolen, they are required to tell their customers or face a fine.
Last Answered: Sep 23 2009  2:29 AM GMT by Mrdenny   46765 pts.
Discuss This Answer:

KevinBeaver   7610 pts.  |   Sep 24 2009  5:57PM GMT

Michael - how do you mean “intrusion or malware disclosure policy”? Are you talking about this in the context of breach notification?

 

Michael Morisy   720 pts.  |   Sep 24 2009  6:34PM GMT

Yes, in this case, disclosure of intrusion. A talk by Zach Lanier had me thinking about it, and the general vulnerability/security ecosystem, and then I saw the Apache disclosure going into details about what went wrong, not just that something did go wrong.

 

KevinBeaver   7610 pts.  |   Sep 25 2009  2:53PM GMT

Vulnerability disclosure (like what you’re referring to at the links) is different from breach/intrusion disclosure. Both have to be well thought out, especially the breach notification stuff. This is when you get legal, HR, customer service, and management involved. Better to have a plan/policy before the fact rather than scramble to decide what to do in the midst of a situation.

 