This article can also be found in the Premium Editorial Download "Information Security magazine: Nine tips to guarding your intellectual property."
ISO Outlines Guidelines
Organizations can look to an industry standard for help in securing contractor relationships.
By Jonathan Gossels
Section 8 of the ISO 17799/27002 standard provides guidance on IT controls for contractors. The underlying principle is that organizations should handle the security of their contractors and third-party users the same way they do that of their regular employees.
The most logical first step in addressing contractor risks is to perform a risk assessment. This should include identification of the threats, vulnerabilities, impact and likelihood of a security breach associated with contractors.
The best mitigation of the risks is knowledge--knowing who you're hiring through screening such as background searches and reference checks--and oversight. Who is watching the contractor, and do they understand in detail what the contractor is supposed to be doing? In other words, does the manager have technical competency in the area that is outsourced? The ability to observe and understand the third party's work helps reduce risk.
In addition, oversight should include system usage monitoring, regular status reporting, and establishment of goals and milestones. Actual oversight, however, depends on the nature of the contractor's job and sensitivity of the data he or she is handling.
Make sure you don't open the door to additional risk by failing to provide an adequate secure file-transfer capability. Without one, contractors are likely to handle sensitive data in unsecured ways, such as downloading large amounts of data to their local hard drives or sending it in clear-text email. Either action exposes the organization, but if no sanctioned alternative exists, the contractor will do something like that in order to complete the assigned task.
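As an added example, not from the original article, here is an OpenSSH sshd_config fragment that gives contractor accounts a sanctioned, SFTP-only drop-off area confined to a chroot, with logging that also serves the usage-monitoring oversight described above. The group name `contractors` and the directory layout under `/srv/transfer` are assumptions for the illustration.

```conf
# Added example (assumed names): SFTP-only, chrooted access for contractor accounts.
# Assumes every contractor login is a member of the Unix group "contractors" and
# that /srv/transfer/<username> exists, is owned by root:root and is not group-
# or world-writable (OpenSSH refuses to chroot into a directory that is).
# Contractors write into a subdirectory they own, e.g. /srv/transfer/<username>/upload.
# A Match block must sit at the end of sshd_config: every directive after it
# applies only to connections that satisfy the match.
Match Group contractors
    # Confine the session to the per-user transfer directory (%u = username).
    ChrootDirectory /srv/transfer/%u
    # Replace the login shell with the built-in SFTP server; -l INFO logs each
    # file operation to syslog, giving the oversight team a transfer audit trail.
    ForceCommand internal-sftp -l INFO
    # Close the side channels an interactive or tunnelled session would offer.
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
    # Keys only: the contractor's public key is enrolled during onboarding.
    PasswordAuthentication no
```

Validate the file with `sshd -t` before reloading the daemon, and test with a contractor account to confirm that `ssh` is refused while `sftp` works and is confined to the chroot. The `-l INFO` logging feeds the system-usage monitoring mentioned earlier: each upload and download appears in the server's auth log with the username and file name, so the manager overseeing the contractor can see what data actually moved.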
This was first published in May 2007