COMPLIANCE COUNSELOR

Six essential security policies for outsourcing


Kevin Beaver, CISSP
04.05.2005

Regardless of how you feel about it, odds are you'll eventually have to outsource some type of IT service. Having seen both sides of the IT outsourcing issue, I've found that practically every organization needs a minimum set of security policies to help reduce its inherent risks. It's easy to read this and say, "I trust my IT provider" or "we really don't have any issues here," but it's not about whether or not you can count on and trust people; it's about doing the right thing for the business -- to make sure the proper protection mechanisms are in place to reduce risk.

Here are six essential security policies for dealing with external service providers. You can create separate policies for each, integrate these into your existing policies or create a single outsourcing policy that addresses each of these areas.

1. Acceptable usage
This is one area where employees are often covered by policy, but outsiders are overlooked. Make it policy for anyone connecting to your network to abide by a reasonable set of rules – no offensive material, no unauthorized security testing tools, no copyright violations, no unsecured wireless systems, etc. Consultants, auditors, systems integrators – anyone plugging in – can easily introduce security risks and liabilities. Make sure those who connect to your systems, especially auditors and contractors who will be working with you for an extended period of time, know what is not acceptable usage. The more enforcement technologies you have in place, the less effort you'll have to expend and the more transparent you can make the enforcement process. A smart way to create a controlled environment is to loan these users one of your organization's computers.

2. Information access
An information access policy begins with a solid information classification system. Outline the information that can and cannot be shared with or accessed by external providers. It's likely that anyone accessing critical servers is going to come into contact with your most sensitive information. Make sure those granting access are aware of this policy so they only grant the minimum necessary access to get the job done.

3. Information destruction
Given that information -- both hard and soft copy -- leaving your organization in an unauthorized fashion is one of your greatest vulnerabilities, be sure to pay special attention to this area. Make it policy and include it as part of any confidentiality or non-disclosure sections in your contract with third-party providers. Require that all information is either returned to you or destroyed.

4. Hiring and termination
Setting up a computer and/or network account for a new consultant or technician shouldn't be taken lightly (although it usually is). Again, follow the rules of need-to-know and minimum necessary, and by all means, make sure the account(s) get disabled the minute the user no longer needs access. Don't forget about any other administrator-level passwords -- such as for routers, local admin accounts and Web applications -- that you may have had to divulge in your dealings with outsiders. If possible, change the passwords when the project is complete.
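The two checks this section calls for, disabling external accounts the moment an engagement ends and rotating any administrator passwords that were divulged during it, can be run as a periodic audit. The following is an added example, not code from the original tip; it assumes a constructed inventory of external accounts and shared credentials, and the provider names, usernames and dates are all made up.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class ExternalAccount:
    username: str
    provider: str         # the outside firm the account was issued to
    engagement_end: date  # contract/project end date from procurement
    enabled: bool

@dataclass
class SharedCredential:
    name: str           # e.g. a router or local-admin password that was divulged
    disclosed_to: str   # provider that was given the password
    last_rotated: date

def audit_offboarding(accounts, credentials, today):
    """Return (finding, identifier, days_overdue) tuples for accounts still
    enabled after their engagement ended and for shared credentials that were
    disclosed to a provider whose engagements have all ended but that have not
    been rotated since."""
    findings = []
    latest_end = {}  # provider -> latest engagement end across its accounts
    for a in accounts:
        prev = latest_end.get(a.provider, a.engagement_end)
        latest_end[a.provider] = max(prev, a.engagement_end)
        if a.enabled and a.engagement_end < today:
            findings.append(("account-still-enabled", a.username, (today - a.engagement_end).days))
    for c in credentials:
        end = latest_end.get(c.disclosed_to)
        # A password is only stale if no engagement with that provider is still open
        if end is not None and end < today and c.last_rotated <= end:
            findings.append(("credential-not-rotated", c.name, (today - end).days))
    return findings

# Constructed sample inventory (hypothetical providers, users and dates)
ACCOUNTS = [
    ExternalAccount("acme-jdoe", "Acme Integrators", date(2005, 3, 15), True),
    ExternalAccount("acme-rroe", "Acme Integrators", date(2005, 3, 15), False),
    ExternalAccount("audit-mlee", "Ledger Auditors", date(2005, 6, 30), True),
]
CREDENTIALS = [
    SharedCredential("core-router enable", "Acme Integrators", date(2005, 1, 10)),
    SharedCredential("web-app admin", "Acme Integrators", date(2005, 3, 20)),
    SharedCredential("file-server local admin", "Ledger Auditors", date(2005, 1, 1)),
]
TODAY = date(2005, 4, 5)

if __name__ == "__main__":
    for finding, ident, days in audit_offboarding(ACCOUNTS, CREDENTIALS, TODAY):
        print(f"{finding}: {ident} ({days} days past engagement end)")
```

Only the account still enabled after its end date and the router password disclosed to the finished engagement are reported; the credential rotated after the engagement ended and the one held by a still-active provider are not.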

5. Removal of property
The important factor to remember here is that any equipment, media or hard copy information, such as a laptop, hard drive or network diagrams, taken offsite is out of your control and needs to be properly protected. Make it policy that this property is kept protected at all times and returned when the project is complete.

6. Minimum computer requirements
Another serious vulnerability is allowing a third-party computer on your network without ensuring that it's properly protected and clean of any malware such as viruses and spyware. Make it policy to require any outside computer plugging into your network to have up-to-date patches, antivirus signatures, real-time malware protection (meaning viruses, etc. are continuously being checked for in memory, e-mail, Web browsing, etc. -- not just during hard drive scans), and even personal firewall software if deemed necessary. This is especially important if you provide remote access through a VPN, Citrix, Terminal Server and the like, since third parties can pretty much connect via any insecure computer they want. All it takes is one infected or insecure computer to completely open up your network to the outside world -- a risk no one can afford.

If your organization takes security policies seriously, it should be easy to integrate these outsourcing-related policies into your environment. I'm not a lawyer, so definitely run all of this past your legal expert before putting it into action. Finally, make sure everyone dealing with external IT providers is aware of these policies (network administrators, security managers and even purchasing/procurement) to make sure you get the most out of them.


RELATED INFORMATION:
Kevin Beaver is an independent information security consultant, author, and speaker with Atlanta-based Principle Logic, LLC where he specializes in information security assessments for those who take security seriously and incident response for those who don't. He is author and co-author of several information security books including Hacking For Dummies and the upcoming Hacking Wireless Networks For Dummies, both by Wiley Publishing. Kevin can be reached at kbeaver@principlelogic.com.
