Six essential security policies for outsourcing

Here are six essential security policies for dealing with external service providers. You can create separate policies for each, integrate these into your existing policies or create a single outsourcing policy that addresses each of these areas.

1. Acceptable usage
This is one area where employees are often covered by policy, but outsiders are overlooked. Make it policy for anyone connecting to your network to abide by a reasonable set of rules – no offensive material, no unauthorized security testing tools, no copyright violations, no unsecured wireless systems, etc. Consultants, auditors, systems integrators – anyone plugging in – can easily introduce security risks and liabilities. Make sure those that connect to your systems, especially auditors and contractors who will be working with you for an extended period of time, know what is not acceptable usage. The more enforcement technologies you have in place, the less effort you'll have to expend and the more transparent you can make the enforcement process. A smart way to create a controlled environment is to loan these users one of your organization's computers.

2. Information access
An information access policy begins with a solid information classification system. Outline the information that can and cannot be shared with or accessed by external providers. It's likely that a

To continue reading for free, register below or login

Requires Membership to View

To gain access to this and all member only content, please provide the following information (all fields required):

First Name:
Last Name:
Country: Select... Afghanistan Aland Islands Albania Algeria American Samoa Andorra Angola Anguilla Antarctica Antigua and Barbuda Argentina Armenia Aruba Australia Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia Bosnia and Herzegovina Botswana Bouvet Island Brazil British Indian Ocean Territory British Virgin Islands Brunei Bulgaria Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Christmas Island Cocos (Keeling) Islands Colombia Comoros Congo Congo, Democratic Republic of Cook Islands Costa Rica Cote D'Ivoire Croatia Cuba Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia Ethiopia Falkland Islands Faroe Islands Fiji Finland France French Guiana French Polynesia French Southern Territories Gabon Gambia, The Georgia Germany Ghana Gibraltar Greece Greenland Grenada Guadeloupe Guam Guatemala Guernsey Guinea Guinea-Bissau Guyana Haiti Heard and McDonald Islands Honduras Hong Kong Hungary Iceland India Indonesia Iran Iraq Ireland Israel Italy Jamaica Japan Jersey Jordan Kazakhstan Kenya Kiribati Korea, North Korea, South Kuwait Kyrgyzstan Laos Latvia Lebanon Lesotho Liberia Libya Liechtenstein Lithuania Luxembourg Macau Macedonia Madagascar Malawi Malaysia Maldives Mali Malta Man, Isle of Marshall Islands Martinique Mauritania Mauritius Mayotte Mexico Micronesia Moldova Monaco Mongolia Montserrat Morocco Mozambique Myanmar Namibia Nauru Nepal Netherlands Netherlands Antilles New Caledonia New Zealand Nicaragua Niger Nigeria Niue Norfolk Island Northern Mariana Islands Norway Oman Pakistan Palau Palestine Panama Panama Canal Zone Papua New Guinea Paraguay Peru Philippines Pitcairn Poland Portugal Puerto Rico Qatar Reunion Romania Russia Rwanda Saint Helena Saint Kitts and Nevis Saint Lucia Saint Pierre and Miquelon Saint Vincent and the Grenadines Samoa San Marino Sao Tome and Principe Saudi Arabia Senegal Serbia and Montenegro Seychelles Sierra Leone Singapore Slovakia Slovenia Solomon Islands Somalia South Africa South Georgia and South Sandwich Islands Spain Sri Lanka Sudan Suriname Svalbard Swaziland Sweden Switzerland Syria Taiwan Tajikistan Tanzania Thailand Timor-Leste Togo Tokelau Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Tuvalu U.S. Minor Outlying Islands Uganda Ukraine United Arab Emirates United Kingdom United States Uruguay Uzbekistan Vanuatu Vatican City Venezuela Vietnam Virgin Islands Wallis and Futuna Islands Western Sahara Yemen Zambia Zimbabwe
Email Address:

I would like to receive a FREE subscription to Information Security magazine online.
YesNo

Do you manage, evaluate, recommend, implement, support or purchase security products, software or services?
YesNo

Please estimate the yearly security budget for your entire organization including all security products and services.
Please select... Over $10 Million $5 Million-$10 Million $1 Million-$4.9 Million $500,000-$999,999 $100,000-$499,999 $50,000-$99,999 $25,000-$49,999 $10,000-$24,999 Less than $10,000 None

What is your role in purchasing IT related products and services? (Check all that apply)
Technical decision maker
Financial decision maker
Recommend/Specify
Evaluate products
Implement Products/Services
Determine Needs
Create Security Strategy
None

By joining SearchSecurity.com you agree to receive email updates from the TechTarget network of sites, including updates on new content, magazine or event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile or unsubscribing via email.

TechTarget cares about your privacy. Read our Privacy Policy

3. Information destruction
Given that information -- both hard and soft copy -- leaving your organization in an unauthorized fashion is one of your greatest vulnerabilities, be sure to pay special attention to this area. Make it policy and include it as part of any confidentiality or non-disclosure sections in your contract with third-party providers. Require that all information is either returned to you or destroyed.

4. Hiring and termination
Setting up a computer and/or network account for a new consultant or technician shouldn't be taken lightly (although it usually is). Again, follow the rules of need-to-know and minimum necessary, and by all means, make sure the account(s) get disabled the minute the user no longer needs access. Don't forget about any other administrator-level passwords -- such as for routers, local admin accounts and Web applications -- that you may have had to divulge in your dealings with outsiders. If possible, change the passwords when the project is complete.

5. Removal of property
The important factor to remember here is that any equipment, media or hard copy information, such as a laptop, hard drive or network diagrams, taken offsite is out of your control and needs to be properly protected. Make it policy that this property is kept protected at all times and returned when the project is complete.

6. Minimum computer requirements
Another serious vulnerability is allowing a third-party computer on your network without ensuring that it's properly protected and clean of any malware such as viruses and spyware. Make it policy to require any outside computer plugging into your network to have up-to-date patches, antivirus signatures, real-time malware protection (meaning viruses, etc. are continuously being checked for in memory, e-mail, Web browsing, etc.-- not just during hard drive scans), and even personal firewall software if deemed necessary. This is especially important if you provide remote access through a VPN, Citrix, Terminal Server and the like, since third parties can pretty much connect via any insecure computer they want. All it takes is one infected or insecure computer to completely open up your network to the outside world -- a risk no one can afford.

If your organization takes security policies seriously, it should be easy to integrate these outsourcing-related policies into your environment. I'm not a lawyer, so definitely run all of this past your legal expert before putting it into action. Finally, make sure everyone dealing with external IT providers is aware of these policies (network administrators, security managers and even purchasing/procurement) to make sure you get the most out of them.