Tuesday, December 6, 2011

Security Guidance for Third Party Engagements

By Shaun Drutar.

Many times, security practitioners are called to evaluate the security risk and exposure of a new tool or implementation. If we are lucky, or worse, compromised, we get a chance to see the consequences of these decisions, and adherence to our advice. I use the term advice here due to the nature of business. That nature is not necessarily that of a high security environment. Many corporate leaders will erroneously shun the need for strong security processes in their organization. They will claim that it impedes business, users, or their career. Of course this all changes when the fit hits the proverbial shan and a breach is discovered.

Take the concept of outsourcing, off shoring, or best shoring a portion of your business. This effort may be in the best interest of your bottom line, but at what risk? Many major corporations have approached these external engagements and then subsequently in-sourced the work due to additional overhead, and unforeseen costs. One of these often hidden, ignored, and unspoken costs is that of data-loss. As you engage these external vendors and review their SAS70 or SSAE 16 assessments you are lulled into a misplaced feeling of security that may or may not be sufficient to address the constantly changing risks. Data loss can take the form of intellectual property, health information, identity information, and multiple forms of non-public information. Let’s also remember that data loss can take the form of authentication credentials and these credentials can range for your simple user, to your most powerful administrators.

While outsourcing introduces serious risk, it also presents the potential for significant rewards. How you manage security within your portfolio of business needs is critical. Treat security as fundamental to your business, and you will reap it’s rewards. Information Security must be woven into the fabric of your business process if you expect to be successful. I say this because as your business grows so does your risk. Current trends in data loss related business events indicate that a single data loss event can cost an average of $204 per record. (http://www.networkworld.com/news/2010/012510-data-breach-costs.html) Further statistics indicate that over 47% of all data loss events have occurred with third parties, a trend that is on the rise. (http://datalossdb.org/statistics)

Proactive Defense

Protect your business with sound practices and the right defenses. Here's a quick list of best practices to keep in mind:

  1. Training - Your best line of defense is your people. Train them well and enable them to take proactive steps to improve security where practical.
  2. Logging - Establish a centralized logging program to monitor and alert on critical events.
  3. Segment - Restrict the external party to specific dedicated, or isolated interfaces for key systems. Consider IPS where feasible.
  4. Be smart with authentication - Guard your administrative credentials, especially those credentials like domain administrator, application master administrators and the like. Monitor and sound the alarm at the first sign of abuse. Establish sound controls requiring multi-factor authentication and authorization around financial operations with your banks and other financial institutions.
  5. Don't just assume they're secure - Require that your external vendors allow you to test their safeguards. Move beyond trusting their security program and instead require that any third party submit to your right to audit. Be sure that this provision is in your contract.
  6. Cover yourself - Provide for compensation in your contract, in the event that your data is breached due to negligence on the part of the third party. As always consult wise, technically savvy legal counsel. Be sure that the third party's limit of liability is for the actual loss and not limited to the value of their contract.
The key here is to remain vigilant on all aspects of your information security program. Many resources exist to help guide your business through the myriad of threats, both internal and external. An in-depth security program with a well developed Incident Response, BCP, and Threat management plan are key to guiding you through the gauntlet of risk. Established human and system policies will help establish the boundaries and leverage your controls to further support your business and its ability to maintain secure operations.

No comments:

Post a Comment