SMB Considerations When Facing a Third-Party Security Assessment
Outsourcing by companies has been an area of growth for many years, and the trend does not seem to be slowing down. For example, Gartner is forecasting 17 percent growth in public cloud use worldwide in 2019. Leading the way is infrastructure as a service (IaaS), with expected growth of 27 percent on its own.
Along with outsourcing to third-party service providers comes the need to oversee them, which is a growing concern for many companies because protection of information assets is necessary to establish and maintain trust between companies and their business partners. Multiple state, federal, and international privacy laws regulate the handling of personal information such as personally identifiable information (PII) and protected health information (PHI). Regulators add further pressure: for example, both the Financial Industry Regulatory Authority (FINRA) and the US Federal Financial Institutions Examination Council (FFIEC) require companies to assess their vendors’ controls.
There is good reason for the regulatory oversight: 59 percent of respondents to the Ponemon Institute’s third annual “Data Risk in the Third-Party Ecosystem” study experienced a data breach caused by a third party or vendor. Another Ponemon study found that only 28 percent of small companies rate their ability to mitigate threats, vulnerabilities, and attacks as highly effective. This gap can be devastating when small-to-midsized companies face a security assessment from their clients.
There are many resources available to assist with preparing for a third-party assessment. This article highlights a few key areas that assessors commonly focus on and how to manage them.
Physical and environmental safeguards
Exposure of assets can occur through physical access to, or damage or destruction of, physical components. Specific risk factors include limited or non-existent physical controls, building layout, the geographic location of the facilities, and the power infrastructure. Areas analyzed typically include perimeter safeguards, interior and exterior building security controls, primary and alternate power architecture, server room security controls and conditions, environmental controls such as climate control and fire detection and suppression, and threat sources and mitigations, both natural and environmental.
A best practice for data centers is to have layers of security from the perimeter to the server room.
Governance
Governance includes documented policies, standards, procedures, and affiliated support documentation. It also includes audit and risk management functions to ensure there is proper internal oversight of the information technology organization. The purpose is to ensure the vendor has an effective program to address privacy and security objectives, to gain insight into the maturity of that program, and to understand the level of expertise and seriousness with which the vendor approaches its security and privacy responsibilities. Following a framework such as NIST SP 800-53, PCI DSS, HITRUST, or the Shared Assessments program will help to bring structure to the governance function. In addition, ISO 27001 certification and SOC 2 Type II audits are good benchmarks for success.
Logical security infrastructure
Vendors should have mechanisms in place for protecting electronic data at rest and in transit. This includes network monitoring, system hardening, formalized system changes, and data storage practices that are commensurate with the organization's policies and procedures. Specific examples include patching processes, change control processes, perimeter and system security monitoring and escalation, data backup and recovery processes, data loss prevention, and portable device management and security.
Security and privacy education program
As privacy legislation continues to emerge, communicating regulatory, privacy, and security obligations throughout the organization becomes increasingly important. The awareness and privacy program controls focus on the vendor's ability to formalize and implement a program that educates employees on their responsibilities.
Many companies implement bare-bones awareness programs to satisfy an audit or regulatory requirement, but such programs may be ineffective, as ZDNet points out. This is a significant risk because employees are the weakest link in the cybersecurity defense chain, and bad actors know it. Both PCI and the SANS Institute have documented standards for awareness programs that serve as a guide for building robust ones.
Some security functions are best handled by outsourcing, for several reasons:
- Resource availability. The labor market is tight for qualified cybersecurity practitioners, and outsourcing can alleviate the headache of obtaining them. Logical security services fit well here. However, there is a catch: oversight of the vendor that is monitoring and maintaining the logical infrastructure is crucial. Things to consider are non-disclosure and service level agreements, as well as having a separate outside auditing firm periodically review the outsourced company’s work as another level of control.
- Cost. Cybersecurity tools and talent can be expensive. For example, smaller organizations that have the data center integrated into the main office commonly lack proper physical security measures such as guards, badges, and monitoring. This is a good area in which to outsource the function to a cloud provider.
- Business model. If your organization is not designed to manage a sophisticated information technology infrastructure, then building one internally may not make good business sense.
Even small-to-midsized companies can perform well during a third-party security assessment. The biggest factor is being prepared.