But that can be a nightmare. How can you prove your business partner meets compliance testing? Run your own pentest? And what if that company has a relationship with another company that supports them? HIPAA answers that with the Chain of Trust guidelines. I'm not sure about PCI or Red Flag rules, though. But for all of them, I would assume the "reasonable man" defense would apply if questioned by a government agency.
Paul Chinnery
Network Administrator
Memorial Medical Center
231-845-2319

_____
From: Erik Goldoff [mailto:[email protected]]
Sent: Tuesday, December 30, 2008 10:03 AM
To: NT System Admin Issues
Subject: RE: LogMeIn

and as in the case of PCI and other compliance certifications, you might have to prove that any 'connected' partner also passes compliance testing

Erik Goldoff
IT Consultant
Systems, Networks, & Security

_____
From: Dallas Burnworth [mailto:[email protected]]
Sent: Tuesday, December 30, 2008 9:35 AM
To: NT System Admin Issues
Subject: RE: LogMeIn

Exactly. I would add to that list:

* Free to use, but how much does it cost you if it stops working correctly?
* What will your auditors or the BSA think of the setup? (It would be very interesting to see their recommendation.)
* Does the company actually have a paid and supported version? That is usually an indicator that the "free" version is for personal use only, not business/organizational use.

_____
From: Derek Lidbom [mailto:[email protected]]
Sent: Tuesday, December 30, 2008 6:19 AM
To: NT System Admin Issues
Subject: RE: LogMeIn

* What about the fact that it bypasses (using encrypted traffic, even) any protections you have in place to filter/monitor/scan traffic passing through your gateway?
* It introduces a new attack vector (files can get on that computer in ways they couldn't have before).
* You are trusting LogMeIn with credentials that allow access to your internal network. Companies bigger than them get usernames/passwords stolen.
* You have less logging of intrusion attempts (to my knowledge) than if you were going through your own equipment.
* It is another piece of software to keep updated on your clients.
* How do you protect the usernames/passwords users use to access LogMeIn? (Hopefully any VPN solution would have two-factor auth so creds aren't a free path into your network.)
I know they have some sort of two-factor integration options, but I don't think it's at the first username/password prompt.
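Derek's point that the LogMeIn session leaves the network as an encrypted tunnel the gateway cannot inspect can at least be turned into a detection. The following is an added example, not code from this thread: it scans Squid-style proxy log lines (a constructed sample) for long-lived CONNECT tunnels to remote-access service domains and reports which internal hosts hold them. The domain suffixes, the session-length threshold and the log lines are assumptions made for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed service domain suffixes (not given in the thread); adjust to your own list.
REMOTE_ACCESS_SUFFIXES = (".logmein.com", ".logmeinrescue.com")
# A CONNECT that stays open this long (ms) looks like a host agent holding a relay
# session rather than a user browsing the vendor web site. Threshold is an assumption.
LONG_SESSION_MS = 60_000

# Squid native access.log: time elapsed client code/status bytes method url ...
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<code>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

def host_of(url: str) -> str:
    """Hostname for a CONNECT target ('host:443') or an absolute URL."""
    if "://" not in url:
        url = "//" + url  # let urlsplit treat a bare host:port as the netloc
    return (urlsplit(url).hostname or "").lower()

def is_remote_access_host(host: str) -> bool:
    """True when host is one of the suffix domains or a subdomain of one."""
    return any(host == s[1:] or host.endswith(s) for s in REMOTE_ACCESS_SUFFIXES)

def find_remote_access_sessions(log_text: str) -> dict:
    """Return {client: [(host, elapsed_ms), ...]} for long-lived tunnels to remote-access domains."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        host = host_of(m["url"])
        elapsed = int(m["elapsed"])
        if m["method"] == "CONNECT" and is_remote_access_host(host) and elapsed >= LONG_SESSION_MS:
            hits[m["client"]].append((host, elapsed))
    return dict(hits)

# Constructed sample log (documentation IP ranges); not real traffic.
SAMPLE_LOG = """\
1230642180.123 3600125 10.1.2.50 TCP_TUNNEL/200 104857 CONNECT control.app01.logmein.com:443 - HIER_DIRECT/203.0.113.10 -
1230642181.456 812 10.1.2.51 TCP_MISS/200 5120 GET http://www.example.com/index.html - HIER_DIRECT/198.51.100.7 text/html
1230642182.789 950 10.1.2.52 TCP_TUNNEL/200 2048 CONNECT secure.logmein.com:443 - HIER_DIRECT/203.0.113.11 -
1230642183.000 7200000 10.1.2.53 TCP_TUNNEL/200 8388608 CONNECT relay42.logmeinrescue.com:443 - HIER_DIRECT/203.0.113.12 -
this line is not a proxy log entry
"""

if __name__ == "__main__":
    for client, sessions in find_remote_access_sessions(SAMPLE_LOG).items():
        print(client, sessions)
```

The short tunnel from 10.1.2.52 is deliberately left unflagged: a brief CONNECT to the vendor site is ordinary browsing, while an hours-long one is the agent holding its relay open.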
