This should be expected and embraced from upper level management as it holds each person to a higher level of accountability thus demonstrating a higher standard. Using this same scenario, the CEO or CIO should sign and then document the basis for their decision with the assistance of in-house or third-party counsel. Just because the CEO didn’t agree to what was presented, doesn’t necessarily mean he/she was wrong. But if you do not document the basis for your decision, will 12 jurors believe your intentions were in the best interest of the company, or are you just trying to save yourself?
A fairly recent survey reported most businesses fail to address medium to low rated risks in information security. A noticeable trend started in the middle of last year. Hackers started using older vulnerabilities as a vector of attack. Most noticeably was “Phatbot”. Phatbot is like any other “bot” designed to perform a repetitive process as designed by its creator. In Phatbot’s case, the repetitive function was designed to be stealthy and install malware. In 2004, vulnerabilities in Microsoft from as far back as early 2003 were encoded into Phatbot’s payload as well as key-loggers and remote administration exploits.
From the point a vulnerability is discovered and a remedy is made available, the clock starts ticking. The longer you wait to address the threat, the closer you encroach upon negligence. This is just one demonstration for providing due care.
While the use of antivirus products might be acceptable for short term as the vulnerability is actually being patched on individual systems. Exclusively relying on this method does not work and is not accepted under “Best Practices”. This is why you will see multiple variants of the same named worm.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.