Computer Security - public security policy

05-21-2004, 05:12 PM

It seems to me that the more computer security issues come to the
forefront (both literally in terms of the number of breaches as well as
the amount of media coverage), that a software company's security
'posture' could become a marketing advantage. By posture, I mean the
company's outward stance and expressions of how it handles security
related issues. (Hopefully backed up by its actions...) I'm thinking of
Application Service Provider types of companies mainly, but the same
could apply to anyone who even temporarily holds onto someone elses data.

If I can convince a potential customer that my system is more secure
than average, or better than a competitor, then other things being
equal, more people should choose my system. To that end, I would want to
make as much as possible, of my security policy public. The problem of
course is that I also need to avoid exposing vulnerabilities, even
indirectly.

I've tried looking around for other examples of public policies, but I'm
not getting anywhere fast. It seems that everyone keeps as tight a lock
on this information as possible and balks at the suggestion of making
any of it public. I'm not a security expert, but I do know enough to be
sure that there is no harm in making some information that is contained
in a security policy public. Does anyone know of any guidelines for
which aspects can and can't be made public? Also, does anyone have any
recommendations about how to best structure a security policy (public or
private)?

Thanks in advance

--
Shane

Shane Petroff

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Computer Security Information and What You Can Do To Keep Your SystemSafe!	Ann.Anderson.group.com@gmail.com	A+ Certification	0	12-06-2007 01:55 AM
Computer Security	aldrich.chappel.com.use@gmail.com	A+ Certification	0	11-27-2007 02:11 AM
Computer Security Information (Free Articles and eBooks)	aditya.jaiswal.com.use@gmail.com	DVD Video	0	10-10-2007 04:53 AM
Re: public access computers..security with xp/2k	Pikoro	A+ Certification	4	08-21-2003 07:10 PM
Re: public access computers..security with xp/2k	Russ	A+ Certification	1	07-14-2003 01:26 AM

05-21-2004, 05:12 PM	#1
	public security policy It seems to me that the more computer security issues come to the forefront (both literally in terms of the number of breaches as well as the amount of media coverage), that a software company's security 'posture' could become a marketing advantage. By posture, I mean the company's outward stance and expressions of how it handles security related issues. (Hopefully backed up by its actions...) I'm thinking of Application Service Provider types of companies mainly, but the same could apply to anyone who even temporarily holds onto someone elses data. If I can convince a potential customer that my system is more secure than average, or better than a competitor, then other things being equal, more people should choose my system. To that end, I would want to make as much as possible, of my security policy public. The problem of course is that I also need to avoid exposing vulnerabilities, even indirectly. I've tried looking around for other examples of public policies, but I'm not getting anywhere fast. It seems that everyone keeps as tight a lock on this information as possible and balks at the suggestion of making any of it public. I'm not a security expert, but I do know enough to be sure that there is no harm in making some information that is contained in a security policy public. Does anyone know of any guidelines for which aspects can and can't be made public? Also, does anyone have any recommendations about how to best structure a security policy (public or private)? Thanks in advance -- Shane Shane Petroff