How much should IT disclose post-intrusion?
As SearchSecurity's recent podcast noted, Apache's recent security disclosure was unusual in how thorough it was. Just curious: What's your company's intrusion or malware disclosure policy, and are you happy with how it's implemented?

ASKED: September 22, 2009  7:57 PM
UPDATED: September 25, 2009  2:53 PM

Answer Wiki:
That all depends on what the laws are in the state or country where you do business. For businesses that are in or do business in California, if customers' personal information is stolen they are required to tell their customers or face a fine.
Last Wiki Answer Submitted:  September 23, 2009  2:29 am  by  Denny Cherry   64,520 pts.
All Answer Wiki Contributors:  Denny Cherry   64,520 pts.


Discuss This Question:
Michael – how do you mean “intrusion or malware disclosure policy”? Are you talking about this in the context of breach notification?

 10,840 pts.

 

Yes, in this case, disclosure of intrusion. A talk by Zach Lanier had me thinking about it, and the general vulnerability/security ecosystem, and then I saw the Apache disclosure going into details about what went wrong, not just that something did go wrong.

 6,893 pts.

 

Vulnerability disclosure (like what you’re referring to at the links) is different from breach/intrusion disclosure. Both have to be well-thought-out especially the breach notification stuff. This is when you get legal, HR, customer service, and management involved. Better to have a plan/policy before the fact rather than scramble to decide what to do in the midst of a situation.

 10,840 pts.