2 responses to “Vendor Provides Access, No Questions Asked

  1. coffeeking

    Regardless of how many regulation, standards or policies we have none of them is effective as long as it is down to people. It all comes down to enforcement. I can bet that the vendor support responsible for providing you the access to their website or the Firewall password people were aware of good and bad security practices, as they are commonly communicated, but just didn’t care to or were lazy to follow them. Following security standards is not easy because it is not the norm, norm is to keep things easy as they were kept in easy in both your experiences.

    Like

  2. Hi coffeeking,
    I agree. Hopefully the vendor’s auditors look at who they give accounts to occasionally and whether any approval is documented. In this case, no harm done, as I’m one of the good guys (another name for auditor, right?).

    But then again, if this is how they treat the very large and prominent company I’m currently auditing, it is likely that they treat other companies the same. And smaller companies worse.

    Of course, this particular vendor is a security provider [surprise!].

    Following security standards is usually not only the norm, it’s a pain. I know because it doesn’t come naturally to me either. But then I remind myself that it’s much easier, quicker, and less painful than being responsible for a breach.

    Like

Leave a Comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s