[EdLUG] Fwd: [Baen Baen's Bar] Cybersecurity

Edinburgh Linux Users Group edlug at lists.edlug.org.uk
Tue Feb 19 19:51:57 UTC 2019


Hi Andrew

(Obligatory disclaimer: I am neither a lawyer, nor a security professional.
The following stems from my experience in general and cannot constitute
advice.)


On the face of it, yes, if it is an independent professional auditor, they
will need full access to the system, or for him to provide proof that
everything he is doing meets their requirements. Generally, only full
access can provide such proof.

Log files only provide minimal insight into what a system has done in the
past; they do not show how the system is configured, and what practices
are in place, and whilst your friend's contact may in good faith believe he
has a secure system and only his own processes are running on his
computers, it is the auditor's responsibility to investigate it for
themselves, first hand, and to possibly ferret out anything that was missed
by the friend.

That is precisely what an audit is.

Conversely:

If he himself is concerned about their activities, he can seek out a lawyer
to provide him with a proper Non-Disclosure Agreement contract to have the
auditor sign - I wouldn't know if it is standard practice, but I think he
would be within his rights to require this in turn.

If the computers in question are not being used directly to service the
organisation that is requiring the audit, or to hold that organisation's
data, there is a question mark over to what extent they can require the
audit to be carried out. That's an entirely different question.



Tai

===
Tai Kedzierski
Linux Operations and Deployments Engineer

RHCSA # 170-060-834
<https://www.redhat.com/rhtapps/services/verify?certId=170-060-834>




I use LibreOffice <https://www.libreoffice.org/> , a free,
Freedom-respecting replacement for MS Office

*Open Source Free Software is a matter of liberty, not price.*
https://www.fsf.org/about/what-is-free-software



On Tue, 19 Feb 2019 at 19:12, Edinburgh Linux Users Group <
edlug at lists.edlug.org.uk> wrote:

> I just received this email.  Can anyone advise the OP on this question ?
>
> Andrew Ramage
>
>
> -------- Forwarded Message --------
> Subject: [Baen Baen's Bar] Cybersecurity
> Date: Tue, 19 Feb 2019 11:32:46 -0600
> From: piobair <piobair at mindspring.com>
> Reply-To: baens_bar at bar.baen.com
> Organization: Baen's Bar
> To: baens_bar at bar.baen.com
> Newsgroups: Baen_Baens_Bar
>
> The Board of Directors overseeing a friend of mine has decided that they need a security audit by an independent auditor. My friend's entire system is running on Linux with Linux servers and (mostly) thin clients.
> He put out an RFP and, in his words, they want the keys to the front door in order to see if the china cabinet is locked.
> Can an adequate audit be made from the /var/log files?
>
> --
> EdLUG mailing list
> EdLUG at lists.edlug.org.uk
> https://lists.edlug.org.uk/mailman/listinfo/edlug
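To make the reply's point concrete (logs record what has already happened; only configuration access shows how a host is set up now), here is an added example that is not part of the thread. It runs a query over a constructed auth.log excerpt and a check over a constructed sshd_config excerpt; the sample lines, the directive values and the function names are all assumptions made for illustration, not data from anyone's system.

```shell
#!/bin/sh
# Added example (not from the mailing list thread): contrasts what /var/log
# can show (events that already happened) with what only configuration
# access shows (how the host is set up now). All inputs below are
# constructed sample data, not real log lines or a real sshd_config.

# Constructed auth.log excerpt: the kind of history a log reveals.
SAMPLE_AUTH_LOG='Feb 19 10:01:02 host sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
Feb 19 10:03:40 host sshd[1207]: Failed password for root from 203.0.113.9 port 40122 ssh2
Feb 19 10:03:44 host sshd[1207]: Failed password for root from 203.0.113.9 port 40122 ssh2
Feb 19 10:05:00 host sshd[1211]: Accepted password for bob from 10.0.0.6 port 51100 ssh2'

# Constructed sshd_config excerpt: this state is not visible in any log.
SAMPLE_SSHD_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes'

# What the log tells an auditor: failed logins counted per source address,
# printed as "<address> <count>".
failed_logins_by_source() {
    printf '%s\n' "$SAMPLE_AUTH_LOG" \
        | grep 'Failed password' \
        | sed -E 's/.* from ([0-9.]+) port .*/\1/' \
        | sort | uniq -c | awk '{print $2" "$1}'
}

# What the log does not tell: whether root login or password authentication
# is permitted right now. Only the configuration answers that. Prints the
# value of a directive, or "unset" if it does not appear in the config.
sshd_directive() {
    value=$(printf '%s\n' "$SAMPLE_SSHD_CONFIG" \
        | awk -v key="$1" 'tolower($1) == tolower(key) {print $2; exit}')
    printf '%s\n' "${value:-unset}"
}

# A configuration-level finding an auditor would raise. A review of logs
# alone would miss it: a log of accepted and failed logins never states the
# policy that allowed those attempts to be made in the first place.
root_login_permitted() {
    [ "$(sshd_directive PermitRootLogin)" = "yes" ]
}

failed_logins_by_source
sshd_directive PermitRootLogin
root_login_permitted && echo "finding: PermitRootLogin is enabled"
```

The log query answers "who tried what, and when"; the config check answers "what is allowed today". An auditor reading only the first can describe past attempts but cannot state whether the host would accept a password for root tomorrow, which is the gap the reply is describing.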