Roger Vicker, CCP wrote:
Today I got a call from the GM that he wanted the entire share unsecured
so they could finish training with the vendor. He didn't care about
security/virus, just wanted it done NOW and worry about other things
later. The vendor told him they could secure everything from within
their application. The application only restricts users' use of programs.
Remember AS/400 menu security. :-D
First warning sign. They trust the vendor more than they trust you.
This is not a mom and pop business with just two or three users. It's
not a big one either but they have had a few employees that knew enough
to be dangerous but later got fired for other problems.
What I need, and am asking the list for, is some authoritative
documents/best practices to show the exposure the vendor is putting the
customer at risk of. The bigger the horror stories the better. Also,
standards that prove how easy (and long they have been around) it is to
have the application properly designed for security.
Your only ammunition is to remind them that many states, which began
with California, now require the notification of every cardholder in
that state if there is even a "chance" that their credit card
information has been breached. I believe it is also the responsibility
of the company to pay for credit monitoring services for each of these
cardholders as well if there is a breach.
Bill