In a working “risk” system, security liability would roll “downhill” to an accountable party. Who wrote the code? Who did the audit? Who certified the system as “secure”?
In my own work, I mention to my peers how everything has changed in today’s Converged Internet/Global Telecommunications world. Liability and accountability roll downhill. If something happens and the operator is found at fault, that finding does not stop with the operator. It will ‘roll downhill’ to the systems integrator. The systems integrator will then turn to its vendors. The vendors will turn to their operating system suppliers. Those operating system suppliers will in turn point to the open source organizations whose code they ship. And all of them will turn to the auditors and certification agencies that signed off on the system.
Check out Kim Zetter’s write-up on Savvis’s audit arm being pulled into court by Merrick – In Legal First, Data-Breach Suit Targets Auditor. If the suit succeeds, Savvis would be the first of many companies made to share accountability for shared risk. As the article points out:
“We’re at a critical juncture where we need to decide . . . whether [network security] auditing is voluntary or will have the force of law behind it,” says Andrea Matwyshyn, a law and business ethics professor at the University of Pennsylvania’s Wharton School who specializes in information security issues. “For companies to be able to rely on audits . . . there needs to be mechanisms developed to hold auditors accountable for the accuracy of their audits.”
The challenge will be following through with consequences.
“A Visa executive told an audience earlier this month that the companies were not compliant, though auditors certified they were. ‘No compromised entity has yet been found to be in compliance with [the standards] at the time of the breach,’ she said.”
Were there consequences? No. One of these years a court of law will follow through with a liability case in which the organizations involved are actually held accountable.