CISSP All-in-One Exam Guide, 5th Ed. / Harris / 160217-8 / Chapter 10: Legal, Regulations, Compliance, and Investigations

Security mechanisms should be employed to reduce the frequency and severity of security-related losses. A sound security program is a smart business practice. Senior management needs to decide how much risk it is willing to accept with respect to computer and information security, and then implement security in an economical and responsible manner. (These issues are discussed in great detail in Chapter 3.) These risks do not always stop at the boundaries of the organization. Many companies work with third parties with whom they must share sensitive data. The company that owns the data remains liable for its protection even when it resides on another company's network. This is why more and more regulations require companies to evaluate their third parties' security measures.
When companies come together to work in an integrated manner, special care must be taken to ensure that each party commits to the necessary level of protection, liability, and responsibility, and that these commitments are clearly defined in the contracts each party signs. Auditing and testing should be performed to verify that each party is indeed holding up its side of the bargain.
If one of the companies does not provide the necessary level of protection and its negligence affects a partner it is working with, the affected company can sue the upstream company. For example, suppose company A and company B have constructed an extranet. Company A does not put controls in place to detect and deal with viruses. Company A becomes infected with a destructive virus, which spreads to company B through the extranet. The virus corrupts critical data and causes a massive disruption to company B's production. Company B can therefore sue company A for negligence. Both companies need to make...