This tip is part of Ensuring compliance across the extended enterprise, a lesson in SearchSecurity.com's Compliance School. Visit the Ensuring compliance across the extended enterprise lesson page for additional learning resources.
These days, it is fairly common for a company to outsource customer-facing services or allow another organization to handle data processing and even security monitoring and management. Outsourcing allows companies to provide a wider range of services, reduce cost and focus on other tasks that will strengthen the business.
Every time an organization trusts another business entity to handle sensitive information or manage critical infrastructure, however, there are risks. Worse yet, many companies do not realize that failing to closely examine their prospective partners' security practices can lead to compromise. Organizations that are bound by regulations like HIPAA, Gramm-Leach-Bliley (GLBA) and Sarbanes-Oxley (SOX) may pay an even steeper price, as these regulations explicitly require organizations to manage the risk associated with service providers.
Fortunately, enterprises can curtail partner or service provider security issues by taking a methodical approach to assessing and managing the risks. That means coming to terms with the risks and the costs of creating and maintaining these partnerships. One such approach is a partner management program based on the ISO 17799 standard.
A standards-based methodology
By definition, ISO 17799 is a "code of practice for information security management." In other words, it is a laundry list of security best practices that apply to a broad range of business environments. The standard covers areas including risk assessment, security policy, governance, access control, information classification, operations management and business continuity.
A partner management program based on the ISO standard consists of three phases:
- Inherent risk assessment – A review of how much damage could be done through a partner if information or services were compromised and there were no security controls. In other words, how bad would it be if the partner were compromised? A partner, for example, may hold critical and sensitive customer information, like credit card numbers or Social Security numbers. If such data is compromised, a company's reputation could be ruined. That would constitute a critical inherent risk and call for a deeper evaluation.
- Partner practice assessment – An examination of the partner to a depth commensurate with the inherent risk. For critical partnerships that demand an in-depth review, many organizations use ISO 17799. The assessment consists of a walk-through of the standard, where the partner's practices are compared to those described in ISO 17799's 133 subsections. Each of ISO 17799's major areas (including risk assessment, security policy, access control, communications and operations, physical security, and business continuity) has subsections that review best management practices.
When addressing communications and operations management, for example, the assessment walks through the administrative practices for the service provider's production environment, covering the distribution of responsibilities, the documentation of procedures, and critical control components like change control and patch management. While such an evaluation may sound straightforward, each one of the sections requires managers to carefully consider how the standard should be applied to their given business, organizational, and technical contexts. A reasonable practice for a small company where every employee knows everyone else, for example, may be less acceptable in a large multinational organization, and decisions must be made accordingly.
The ISO standard can also be useful in reviewing partners that provide less critical services. The standard can be used to construct a questionnaire that gathers data and assesses how well an organization and its many departments can manage the security of another company's information. Some questions that would likely appear in a questionnaire are:
- Does your organization utilize network controls to segregate the corporate and production networks?
- What mechanisms are used to ensure that only authorized application users are allowed access to data managed by the service?
- How often are backups of the service data executed?
- Has a documented incident response plan been put in place? How often does the production staff practice the plan?
- Has your organization had a security incident?
- Remediation, monitoring and periodic assessments – After a partnership is established, the work is just beginning. Any important weaknesses that are discovered should be remediated according to an agreed-upon timeline. Furthermore, the initial assessment should be used as a baseline against which future analyses can be compared. Service providers should be revisited at least once a year to determine whether anything about their environments, designs or practices has changed for the worse. Using an ISO 17799-based report card makes it possible to compare a partner's progress with the results and assessments of other partners. The accumulation of information can help establish minimum requirements for all service providers.
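The three phases above can be made concrete as a small report-card tool. The following Python is an added illustration, not code from the article, SystemExperts or the ISO standard: it assigns an inherent-risk tier from what a partner handles, picks the review depth for that tier, scores questionnaire answers per ISO 17799 area, compares a new review against the baseline review to flag areas that have slipped, and lists remediation items that are past their agreed date. The areas, questions, scores and dates are constructed sample data; the scoring scale (0 absent, 1 partial, 2 documented and practised) is an assumption, not something the standard prescribes.

```python
"""Partner security report card built on the three-phase program described above.

Added example with constructed data; the scoring scale and risk tiers are
assumptions chosen for illustration, not requirements of ISO 17799.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from enum import Enum


class InherentRisk(Enum):
    LOW = 1
    MODERATE = 2
    CRITICAL = 3


# Data categories whose compromise would be reputation-ending (constructed labels).
SENSITIVE_DATA = {"credit_card_numbers", "social_security_numbers", "health_records"}


def inherent_risk(data_types: set[str], runs_critical_infrastructure: bool) -> InherentRisk:
    """Phase 1: how bad it would be if the partner were compromised with no controls."""
    if data_types & SENSITIVE_DATA or runs_critical_infrastructure:
        return InherentRisk.CRITICAL
    if data_types:
        return InherentRisk.MODERATE
    return InherentRisk.LOW


def review_depth(risk: InherentRisk) -> str:
    """Phase 2: depth of the practice assessment is commensurate with inherent risk."""
    return {
        InherentRisk.CRITICAL: "full ISO 17799 walk-through",
        InherentRisk.MODERATE: "questionnaire",
        InherentRisk.LOW: "self-attestation",
    }[risk]


@dataclass
class Answer:
    area: str       # ISO 17799 major area the question falls under
    question: str
    score: int      # 0 = absent, 1 = partial, 2 = documented and practised (assumed scale)


@dataclass
class Finding:
    area: str
    due: date       # remediation date agreed with the partner
    closed: bool = False


def area_scores(answers: list[Answer]) -> dict[str, float]:
    """Percentage of the maximum score achieved in each area."""
    per_area: dict[str, list[int]] = {}
    for a in answers:
        per_area.setdefault(a.area, []).append(a.score)
    return {area: round(100 * sum(s) / (2 * len(s)), 1) for area, s in per_area.items()}


def regressions(baseline: dict[str, float], current: dict[str, float]) -> dict[str, float]:
    """Phase 3: areas where this year's review scores below the baseline review."""
    return {area: current[area] - baseline[area]
            for area in baseline if area in current and current[area] < baseline[area]}


def overdue_findings(findings: list[Finding], today: date) -> list[Finding]:
    """Open remediation items whose agreed-upon date has passed."""
    return [f for f in findings if not f.closed and f.due < today]


def report_card(baseline: list[Answer], current: list[Answer],
                findings: list[Finding], today: date) -> dict:
    """Combine the current scores, regressions against baseline and overdue items."""
    return {
        "scores": area_scores(current),
        "regressions": regressions(area_scores(baseline), area_scores(current)),
        "overdue": [f.area for f in overdue_findings(findings, today)],
    }


# Constructed sample: initial (baseline) review and the follow-up a year later.
BASELINE_ANSWERS = [
    Answer("access control", "Only authorized application users can reach service data", 2),
    Answer("communications and operations", "Corporate and production networks are segregated", 1),
    Answer("communications and operations", "Service data is backed up on a schedule", 2),
    Answer("business continuity", "A documented incident response plan exists", 1),
    Answer("business continuity", "Production staff practise the plan", 0),
]
CURRENT_ANSWERS = [
    Answer("access control", "Only authorized application users can reach service data", 1),
    Answer("communications and operations", "Corporate and production networks are segregated", 2),
    Answer("communications and operations", "Service data is backed up on a schedule", 2),
    Answer("business continuity", "A documented incident response plan exists", 2),
    Answer("business continuity", "Production staff practise the plan", 1),
]
FINDINGS = [
    Finding("business continuity", due=date(2006, 6, 30)),             # still open
    Finding("communications and operations", due=date(2006, 9, 30), closed=True),
]

if __name__ == "__main__":
    risk = inherent_risk({"credit_card_numbers"}, runs_critical_infrastructure=False)
    print(risk.name, "->", review_depth(risk))
    print(report_card(BASELINE_ANSWERS, CURRENT_ANSWERS, FINDINGS, date(2007, 3, 1)))
```

Because every partner is scored against the same areas, the `scores` dictionaries of several partners can be compared directly, which is what makes an ISO 17799-based report card useful for setting minimum requirements across all service providers.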
ISO 17799 as a common framework
While most service providers bristle at the idea of yet another security review, particularly one that goes to the depth an ISO 17799 review calls for, most can appreciate the fact that the ISO standard provides a fixed list of requirements.
One of the most problematic aspects of partner reviews is their ad hoc nature. Service providers are essentially asked to play by a different set of rules for each review they face. By agreeing on ISO 17799, service providers and consumers can substantially reduce the cost of preparations and make reviews much more efficient. The result is better communication, better documentation and faster consummation of service agreements.
About the author:
Dick Mackey is regarded as one of the industry's foremost authorities on distributed computing infrastructure and security. He has advised leading Wall Street firms on overall security architecture, virtual private networks, enterprise-wide authentication, and intrusion detection and analysis. He also has unmatched expertise in the OSF Distributed Computing Environment. Prior to joining SystemExperts, Mr. Mackey was the director of collaborative development for The Open Group (the merger of the Open Software Foundation and X/Open) where he was responsible for the integration of Microsoft's ActiveX Core with DCE and DCE Release 1.2. Mr. Mackey is an original member of the DCE Request For Technology technical evaluation team and was responsible for the architecture and defining the contents of DCE Releases 1.1 and 1.2. He has been a frequent speaker at major conferences and has taught numerous tutorials on developing secure distributed applications.