ISO 17799: A methodical approach to partner and service provider security management


Richard Mackey
06.20.2007




This tip is part of Ensuring compliance across the extended enterprise, a lesson in SearchSecurity.com's Compliance School. Visit the Ensuring compliance across the extended enterprise lesson page for additional learning resources.

These days, it is fairly common for a company to outsource customer-facing services or allow another organization to handle data processing and even security monitoring and management. Outsourcing allows companies to provide a wider range of services, reduce cost and focus on other tasks that will strengthen the business.

Every time an organization trusts another business entity to handle sensitive information or manage critical infrastructure, however, there are risks. Worse yet, many companies do not realize that failing to closely examine their prospective partners' security practices can lead to compromise. Organizations that are bound by regulations like HIPAA, Gramm-Leach-Bliley (GLBA) and Sarbanes-Oxley (SOX) may pay an even steeper price, as these regulations explicitly require organizations to manage the risk associated with service providers.

Fortunately, enterprises can curtail partner or service provider security issues by taking a methodical approach to assessing and managing the risks. That means coming to terms with the risks and the costs of creating and maintaining these partnerships. One such approach is a partner management program based on the ISO 17799 standard.

A standards-based methodology
By definition, ISO 17799 is a "code of practice for information security management." In other words, it is a laundry list of best security practices that apply to a broad range of business environments. The standard covers areas including risk assessment, security policy, governance, access control, information classification, operations management and business continuity.

A partner management program based on the ISO standard consists of three phases:

  • Inherent risk assessment – A review of how much damage could be done to a partner if information or services were compromised and there were no security controls. In other words, how bad would it be if the partner were compromised? A partner, for example, may hold critical and sensitive customer information, like credit card numbers or Social Security numbers. If such data is compromised, a company's reputation could be ruined. That would constitute a critical inherent risk and call for a deeper evaluation.
  • Partner practice assessment – An examination of the partner to a depth commensurate with the inherent risk. For critical partnerships that demand an in-depth review, many organizations use ISO 17799. The assessment consists of a walk-through of the standard, where the partner's practices are compared to those described in ISO 17799's 133 subsections. Each of ISO 17799's major areas (including risk assessment, security policy, access control, communications and operations, physical security, and business continuity) has subsections that review best management practices.

    When addressing communications and operations management, for example, the assessment walks through the administrative practices for the service provider's production environment, covering the distribution of responsibilities, the documentation of procedures, and critical control components like change control and patch management. While such an evaluation may sound straightforward, each one of the sections requires managers to carefully consider how the standard should be applied to their given business, organizational, and technical contexts. A reasonable practice for a small company where every employee knows each other, for example, may be less acceptable in large multinational organizations, and decisions must be made accordingly.

    The ISO standard can also be useful in reviewing partners that provide less critical services. The standard can be used to construct a questionnaire that gathers data and assesses how well an organization and its many departments can manage the security of another company's information. Some questions that would likely appear in a questionnaire are:
    • Does your organization utilize network controls to segregate the corporate and production networks?
    • What mechanisms are used to ensure that only authorized application users are allowed access to data managed by the service?
    • How often are backups of the service data executed?
    • Has a documented incident response plan been put in place? How often does the production staff practice the plan?
    • Has your organization had a security incident?

  • Remediation, monitoring and periodic assessments – After a partnership is established, the work is just beginning. Any important weaknesses that are discovered should be remediated according to an agreed-upon timeline. Furthermore, the initial assessment should be used as a baseline against which future analyses can be compared. Service providers should be revisited at least once a year to determine whether anything about their environments, designs or practices has changed for the worse. Using an ISO 17799-based report card makes it possible to compare a partner's progress with the results and assessments of other partners. The accumulation of information can help establish minimum requirements for all service providers.

ISO 17799 as a common framework
While most service providers bristle at the idea of yet another security review, particularly one that goes to the depth that an ISO 17799 review calls for, most can appreciate the fact that the ISO standard provides a set list of requirements.

One of the most problematic aspects of partner reviews is their ad hoc nature. Service providers are essentially asked to play by a different set of rules for each review they face. By agreeing on ISO 17799, service providers and consumers can substantially reduce the cost of preparations and make reviews much more efficient. The result is better communication, better documentation and faster consummation of service agreements.

About the author:
Dick Mackey is regarded as one of the industry's foremost authorities on distributed computing infrastructure and security. He has advised leading Wall Street firms on overall security architecture, virtual private networks, enterprise-wide authentication, and intrusion detection and analysis. He also has unmatched expertise in the OSF Distributed Computing Environment. Prior to joining SystemExperts, Mr. Mackey was the director of collaborative development for The Open Group (the merger of the Open Software Foundation and X/Open), where he was responsible for the integration of Microsoft's ActiveX Core with DCE and for DCE Release 1.2. Mr. Mackey is an original member of the DCE Request For Technology technical evaluation team and was responsible for the architecture of, and for defining the contents of, DCE Releases 1.1 and 1.2. He has been a frequent speaker at major conferences and has taught numerous tutorials on developing secure distributed applications.




