Are you putting information at risk by using contractors?



ISO Outlines Guidelines


Organizations can look to an industry standard for help in securing contractor relationships.
By Jonathan Gossels

Section 8 of ISO 17799/27002 provides guidance on controls for contractors and third-party users. The underlying principle is that organizations should handle the security of contractors and third-party users the same way they handle that of regular employees, at every stage of the relationship:
    Prior to employment
  • Security roles and responsibilities should be defined and documented in accordance with the organization's information security policy.
  • Background verification checks on all candidates should be carried out in accordance with relevant laws, regulations and ethics, and proportional to the business requirements, classification of the information to be accessed, and perceived risks.
  • As part of their contractual obligation, employees, contractors and third-party users should agree and sign the terms and conditions of their employment contracts, which should state their and the organization's responsibilities for information security.
    During employment
  • Management should require employees, contractors and third-party users to apply security in accordance with established policies and procedures of the organization.
  • All employees of the organization and, where relevant, contractors and third-party users should receive appropriate security awareness training and regular updates on organizational policies and procedures, as relevant to their job function.
  • There should be a formal disciplinary process for those who have committed a security breach.
    Termination or change of employment
  • Responsibilities for performing employment termination or change in employment should be clearly defined and assigned.
  • All employees and contractors should return all of an organization's assets in their possession upon termination of their employment, contract or agreement.
  • Access rights to information and information processing facilities should be removed upon termination of their employment, contract or agreement, or adjusted upon change.
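The termination and change controls above are usually enforced by reconciling the directory against the contract roster on a schedule, rather than by hoping a manager remembers to file a ticket. The following is an added example, not part of the article or of ISO 27002: a small Python reconciliation that flags contractor accounts whose contract has ended, accounts with no contract on the roster at all (orphan accounts), and group memberships the engagement never approved. The roster and directory records, the field names, the `c-` account prefix and the sample dates are all constructed for the example; in practice the roster would come from HR or procurement and the directory state from LDAP, Active Directory or an IdM export.

```python
"""Reconcile contractor accounts against the contract roster.

Added example (not from the article): turns the "remove or adjust access on
termination or change" control into an automated check.  Data formats, field
names and all sample records below are assumptions made for illustration.
"""
from datetime import date

# Constructed sample: what HR/procurement says about each engagement.
# 'groups' is the set of access groups the contract actually approved.
ROSTER = [
    {"user": "c-alice", "end_date": "2007-06-30", "groups": {"vpn", "eng-repo"}},
    {"user": "c-bob",   "end_date": "2007-04-15", "groups": {"vpn"}},
    {"user": "c-carol", "end_date": "2007-12-31", "groups": {"vpn"}},
]

# Constructed sample: what the directory actually contains today.
DIRECTORY = {
    "c-alice": {"enabled": True, "groups": {"vpn", "eng-repo"}},  # matches roster
    "c-bob":   {"enabled": True, "groups": {"vpn", "fin-share"}},  # contract ended, still enabled
    "c-carol": {"enabled": True, "groups": {"vpn", "eng-repo"}},  # eng-repo never approved
    "c-dave":  {"enabled": True, "groups": {"vpn"}},              # no contract on the roster
}

# Date the check is run; fixed here so the example is reproducible.
TODAY = date(2007, 5, 1)


def reconcile(roster, directory, today):
    """Return the list of corrective actions needed to bring the directory in
    line with the roster.  Each action is a dict with 'user', 'action'
    ('disable' or 'remove_group'), a 'reason', and 'group' for removals."""
    roster_by_user = {entry["user"]: entry for entry in roster}
    actions = []
    for user in sorted(directory):
        acct = directory[user]
        entry = roster_by_user.get(user)

        # Orphan account: nobody has a contract that justifies it.
        if entry is None:
            if acct["enabled"]:
                actions.append({"user": user, "action": "disable",
                                "reason": "no contract on roster (orphan account)"})
            continue

        # Contract over: access must go, regardless of what groups it holds.
        end = date.fromisoformat(entry["end_date"])
        if today > end:
            if acct["enabled"]:
                actions.append({"user": user, "action": "disable",
                                "reason": f"contract ended {end.isoformat()}"})
            continue

        # Contract still active: strip anything the engagement did not approve
        # (the 'adjust on change' half of the control).
        for group in sorted(acct["groups"] - entry["groups"]):
            actions.append({"user": user, "action": "remove_group", "group": group,
                            "reason": "group not approved for this engagement"})
    return actions


def apply_actions(directory, actions):
    """Return a new directory state with the actions applied.  Pure function:
    the input is not modified, so a dry run and a real run use the same code."""
    new = {u: {"enabled": a["enabled"], "groups": set(a["groups"])}
           for u, a in directory.items()}
    for act in actions:
        acct = new[act["user"]]
        if act["action"] == "disable":
            acct["enabled"] = False
            # Clear memberships too, so re-enabling the account later does not
            # silently restore its old rights.
            acct["groups"] = set()
        elif act["action"] == "remove_group":
            acct["groups"].discard(act["group"])
    return new


if __name__ == "__main__":
    for act in reconcile(ROSTER, DIRECTORY, TODAY):
        target = f" {act['group']}" if act["action"] == "remove_group" else ""
        print(f"{act['user']}: {act['action']}{target} ({act['reason']})")
```

Run against the sample data this reports a disable for c-bob (contract ended) and c-dave (no contract), and removal of eng-repo from c-carol; c-alice needs nothing. Running `reconcile` again on the output of `apply_actions` returns an empty list, which is the property a scheduled job should check: a second pass finding new work means something changed between runs. The roster, not the directory, is the source of truth, so an account that looks legitimate but has no contract behind it is treated as a finding rather than ignored.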
Jonathan Gossels is president of SystemExperts.

The most logical first step in addressing contractor risk is a risk assessment that identifies the threats and vulnerabilities associated with contractors, and the impact and likelihood of a security breach arising from them.

The best mitigation of these risks is knowledge and oversight: knowing whom you're hiring, through screening such as background searches and reference checks, and knowing who is watching the contractor. Does that person understand in detail what the contractor is supposed to be doing? In other words, does the manager have technical competency in the area being outsourced? The ability to observe and understand the third party's work reduces risk.

In addition, oversight should include system usage monitoring, regular status reporting, and establishment of goals and milestones. Actual oversight, however, depends on the nature of the contractor's job and sensitivity of the data he or she is handling.

Don't open the door to additional risk by failing to provide an adequate secure file-transfer capability. Without one, contractors will handle sensitive data in insecure ways, downloading large amounts of data to their local hard drives or sending information by cleartext email. Either action exposes the organization, but without an alternative the contractor will do it anyway in order to complete the assigned task.

This was first published in May 2007
