On Tue, 07 Oct 2008 13:23:20 CDT, "J. Oquendo" said:
Contractors should be held accountable for breaches in an infrastructure. Before awarding a contract, I would do my best to have the wording changed from "minimum requirements" to securest implementation. Whether this securest implementation took 5 new engineers to give a closer review, so be it.
You don't want "the securest implementation". You want one that's "secure enough" while still allowing the job to get done. You also don't want to be *paying* for more security than you actually need. Note that the higher price paid to the vendor isn't the only added cost of too much security. (Consider - the *securest* firewall is a true airgap, where files are dropped on one side, and then must be manually vetted, copied to media, and physically transferred to the other side. Feel free to try to deploy a webserver in that environment - on *either* side of the airgap....)