
BS Filtering for CISOs: Vendors and Third Parties

June 7th, 2009

So it’s time to add a new installment of “BS Filtering for CISOs”. As I stated in the first post of this series, BS filtering is a critical skill for CISOs everywhere, just as vital to the success of an information security team/program as content filtering and packet filtering are for the technical members of the staff (not to suggest, of course, that the CISO isn’t or hasn’t been technical, far from it). The concept of “BS Filtering” does not always mean that people are deliberately trying to con you, though; you may just need to read between the lines, dig a little deeper into statements, etc.

This is particularly the case for dealing with vendors and 3rd parties, where you can get easily misled, contractual language aside. Here are a few tips specific to security professionals that I’ve gleaned over the years.

  • Understand the business motivations first. By this, I mean understand what each party wants to get out of the negotiation. In the case of a vendor, it may simply be another sale or a new customer relationship. In the case of a business partner, they may be looking for a new sales or marketing channel, a means to increase revenue directly with you, or they could even be looking for a strong reference partner/customer. Knowing what the underlying motivation is can help you to have a more intelligent business discussion about risks and rewards for both parties involved.
  • Do your homework. This sounds like common sense, and to some extent it is, but there are a few concrete examples for security pros that are useful to keep in mind:

    1. Talk to customers, preferably those in the same or similar business as you. You need to get an idea for how security has been handled by this vendor or 3rd-party during the course of their relationship. Put together a list of things that would concern you, and ask to speak with a customer they’ve had for at least a year or more. If they are reluctant to do this, you should be extremely skeptical of doing business with them.

    2. Ask them how they handle sensitive data covered by compliance regulations, if this applies to the scenario. Particularly with the advent of cloud computing and other hosted/provisioned applications and services that are remote from your data center(s), this becomes absolutely critical.

    3. Related to #2, ask them how they will demonstrate adherence to your internal and organization-specific security policies governing sensitive data. How will they keep it separate from other customer data? What guarantees will they give you? How will they respond to a data breach? There should be some contractual language crafted around the answers to these questions, once you’ve had the discussions.

  • Ask to see a SAS70 (at the least) or other indication of security in the area where your data/systems/applications will be housed. If possible, arrange a site visit for you to personally inspect the premises and do your own due diligence. I’ve fought for this and won before, and so can you.
  • Ask for audit results if possible. Especially those related to your particular data types, such as payment card data.
  • Inquire about configuration and hardening standards, and which the organization uses. Do they follow CIS guidelines for Windows builds? Do they use the DISA ESX controls for hardening VMware platforms? Ask to see proof of the build (or image maintenance/deployment) and how often it is audited.
  • For vendors hawking gear/software, ask about the volume of support cases maintained and CLOSED on a daily/weekly/monthly basis. Inquire about average turnaround time for support cases, and of course ask to speak to customers before you buy. This really comes down to availability at the end of the day: if the product doesn’t function properly, it may be largely useless.

These are just a few of the “anti-BS considerations” you will need when evaluating business partners, vendors, and 3rd party providers. This doesn’t take into consideration the majority of typical operational considerations like uptime, SLAs, etc. For security pros, the most pressing issues are related to handling of data, adherence to internal and external compliance and policy requirements, and availability for security-specific products and services.

  1. June 7th, 2009 at 15:59 | #1

    Dave,

    Great points – though I would embellish the first two bullets a bit to avoid being tricked by their IT Staff through “shock and awe”.
    – SAS 70s are based on management-determined controls, so to depend on them YOU must verify the controls being audited (i.e., don’t accept the Executive Cover Letter, but require review of the actual control tests). Second, to make a SAS 70 Type II useful, verify the scope of the audit includes your concerns. (This leads me to bullet #2.)

    – Audit results are great – beware of SCOPE. Most organizations will try to secure data carefully, but when 3rd party validations occur they are restricted to specific types of control checks that are designed to prevent specific types of risks. Unless your data falls under those “specifics” you need to look beyond the standards advertised.

    Other thoughts?

    James DeLuccia IV

  2. admin
    June 8th, 2009 at 19:23 | #2

    Good points, Mr. D.
