Matteson, John H Jr USA Mr USA 25th SigBN (ITT)
<john.matte...@afghan.swa.army.mil>:
> But as far as having a “contract” in place with a third party host, it makes
> no difference to the crook on the datacenter floor if you have a 50 page
> contract ...

  I think MBS's point is that you can have crooks inside your
organization just as easily as you can have crooks in a supplier's
organization.  You seem to take it as a given that you can always
trust employees, and we know that's not true.  I'm sure you're familiar
with all the audit requirements DoD has for computers that already can
only be touched by people who have "security clearance, formal access
authorization, and need-to-know".  :)  They're there because the
"insider threat" is real, and the hardest to defend against.

  It's certainly possible to arrange for assurances for this sort of
thing.  You could do your own audits of the hosting company, or there
could be some kind of accreditation system.  Same as the National
Industrial Security Program allows for commercial organizations to
process DoD classified information, even though there normally aren't
any DoD personnel on-site.

  All that said, most of the hosted offerings I've seen have no
provisions for that sort of thing, and most businesses don't seem to
care.  They just blindly assume everything's going to be fine.

-- Ben
