public security policy

Discussion in 'Computer Security' started by Shane Petroff, May 21, 2004.

  1. It seems to me that the more computer security issues come to the
    forefront (both literally in terms of the number of breaches as well as
    the amount of media coverage), that a software company's security
    'posture' could become a marketing advantage. By posture, I mean the
    company's outward stance and expressions of how it handles
    security-related issues. (Hopefully backed up by its actions...) I'm thinking of
    Application Service Provider types of companies mainly, but the same
    could apply to anyone who even temporarily holds onto someone else's data.

    If I can convince a potential customer that my system is more secure
    than average, or better than a competitor, then other things being
    equal, more people should choose my system. To that end, I would want to
    make as much as possible of my security policy public. The problem of
    course is that I also need to avoid exposing vulnerabilities, even
    indirectly.

    I've tried looking around for other examples of public policies, but I'm
    not getting anywhere fast. It seems that everyone keeps as tight a lock
    on this information as possible and balks at the suggestion of making
    any of it public. I'm not a security expert, but I do know enough to be
    sure that there is no harm in making some information that is contained
    in a security policy public. Does anyone know of any guidelines for
    which aspects can and can't be made public? Also, does anyone have any
    recommendations about how to best structure a security policy (public or
    private)?

    Thanks in advance

    --
    Shane
     