Let's say that I am a Federal CIO and need to respond to a request for information on the architecture of a financial management system. I want to demonstrate that the system is capable of supporting multiple customers, can scale to thousands of users, includes modules A, B, C, D, etc., is interfaced to systems X, Y, Z. How can I structure the response so that I don't compromise the security of the architecture? For example, what type of diagram can I provide? What type information can it include? And shouldn't include?
Asked
Active
Viewed 173 times
1
-
1Without knowing who is requesting the information and what kind of relation/authority they have over you or your company/system, there's no way to answer this. – Adi Sep 27 '13 at 13:55
-
2Also, if you've been presented a legal subpoena then you'll have to answer and reveal whatever is requested. That said, you'll keep your answers to the minimum that satisfies the conditions of the legal request, regardless of the compromise to your system. Keep in mind that your system's security can't do much if the police raided you and seized your stuff. – Adi Sep 27 '13 at 13:57
1 Answers
3
Ideally the security of the system shouldn't be dependent on not knowing the entire layout of the system, however, it does make things more difficult. Certainly, anything like honeypots should be removed or altered on the diagrams and you should remove key details wherever possible so long as you can still get across the necessary information.
Exactly what is needed and what isn't depends on both the system design and the questions being asked. Simply give the minimum level of information necessary to answer the question and try to leave out any security related details where possible, but also ensure that your security isn't compromised if someone knew more about the system than you are saying.
AJ Henderson
- 41,816
- 5
- 63
- 110