In last week’s blog I talked about the value of ISO 27001 certification and the questions to ask when a potential, or indeed existing, supplier talks about being certified. When establishing outsourcing or managed services, what sort of areas should be considered from a security viewpoint?
The following is not a comprehensive look at outsourcing or all of the associated risks (and of course the many benefits); for that I recommend taking a look at the new ISO 37500 standard. Instead this is a high-level view of some of the things to consider purely from a security perspective.
Before we dive into that list, the first thing to understand is the risk that the various suppliers pose to your organisation. By that I mean what service is being provided by your supplier. If we are talking about an outsourcing deal where your complete organisational IT environment is managed by a third party, then the level of risk, and hence the controls, will be different to, for example, awarding a security guarding contract. That is not to say the latter does not have risks; indeed third party staff having access to your buildings presents opportunities for the theft of confidential documents, unauthorised access to systems or the planting of key logger devices. One only needs to look at the Sumitomo Mitsui bank breach way back in 2004 to see this.
So a good place to start is to create a list of the suppliers and the services they provide (or may provide, if we are looking at new suppliers). For each one, consider the security risk scenarios, their likelihood and impact, and try to come up with an overall rating. There are many risk assessment methods available and I will talk specifically about some of them in upcoming blogs. The thing to say here is that I am not looking for a complex calculation, just a good idea of the sort of risk scenarios that would be relevant. Depending on the risk scenarios, we can then select some common requirements which should be baked into your contracts with the said suppliers.
At this point I will hear the inevitable point: we already have a contract and these issues are not addressed, so what can we do? Well, firstly, let’s introduce a Third Party Policy requiring that future contracts are subject to the necessary risk assessment and review and that the items to follow in this blog are considered. At least then we will reduce this problem in the future. But what about those existing contracts? For those, try to negotiate with your suppliers: is it possible to have addendums to the contract? Understandably there may be commercial implications; your suppliers may look to increase costs or in some cases be quite resistant to change. The latter is particularly true if your suppliers don’t see security as an important issue. In this case I always encourage people to work with their suppliers: can you help them to deliver the security you need and bring them along with you? Maybe you need to work on your explanations, but if you can get them onside this will make life very much easier.
The other major step is to note when the contract is due to expire and make sure that you allow enough time for contract re-negotiation, so that next time round the controls and requirements you need are captured and addressed. Of course ongoing review of compliance is something to consider as well, but for now let’s take a look at the key security issues that you may want to include in your third party contracts:
1) Requirement for independent certifications. Last week’s blog already looked at ISO 27001 certification and its relevance, but there are others. If you rely upon your supplier to provide a minimum level of availability, you may want to consider whether they are certified to ISO 22301, indicating the presence of a Business Continuity Management System. If they are providing IT services, ISO 20000 may be of interest; this specifies the requirements of a Service Management System. These ISO management certifications should still be looked at along the same lines as the advice I gave in our article on ISO 27001. If your supplier is processing credit card information, you will need to ensure they follow the requirements of the Payment Card Industry Data Security Standard (PCI-DSS), and you may ask the supplier to complete a Report on Compliance (RoC) to verify such compliance. A RoC can only be issued by a valid PCI Council Approved Qualified Security Assessor (QSA).
Recently the UK Government has also announced Cyber Essentials and Cyber Essentials Plus (https://www.cyberstreetwise.com/cyberessentials/). This certification is aimed at organisations supplying certain services to UK Government and is designed to ensure some basic levels of cyber security in the supply chain. Cyber Essentials certification is essentially a self-assessment with oversight from a certification body, whilst Cyber Essentials Plus requires an onsite assessment of the environment. Whilst your organisation and your suppliers may not become involved in government related activity, this standard does set a minimum baseline and in my view should be seriously considered by those in the private sector. The key point about requiring suppliers to have certifications is to really consider which certifications are relevant and related to the risks that need to be managed. All too often I see tender documents and contracts littered with lists of certifications that a supplier must hold, but without the real context. As said in last week’s blog, the point of standards is to provide a minimum platform and standard in certain areas. They are not the be all and end all and should not be used as box ticking criteria.
2) Confidentiality, Non-disclosure and the Data Protection Act. So you have a supplier that is (or will be) holding some of your organisation’s information. Maybe some of it is commercial and needs to be kept secure, or perhaps some is highly sensitive personal data. Whatever the value, you will want to be sure that your supplier and its staff are not motivated to use that information or disclose it to others without your knowledge and consent. Having clear contractual clauses in this regard is critical, and any such clauses should be legally sound and enforceable. With regard to the Data Protection Act, if your organisation is passing personal data to an outsourcer/supplier your contract should firmly establish who is the Data Controller (usually your organisation) and who is the Data Processor. Remember that you need to be clear on whether your customers (or the persons about whom you process personal data) have given their consent for such information to be processed by a third party. Also, is your third party going to store or process any of this personal data outside of the European Economic Area? If yes, some very careful thought needs to be given in line with Principle 8 of the Data Protection Act. Does the country you are transferring to have adequate laws and controls? Simply buying into a service and not considering this is a high risk strategy that could lead to a number of very serious consequences from both a legal and a reputational perspective.
When working with US suppliers, some companies talk about Safe Harbour. Whilst this offers some comfort from a legal perspective, there are many flaws with this scheme which I will address in future blogs.
3) Technical Security Requirements. As described in the ISO 27001 article, we often focus on the controls from an organisational and people perspective, which is quite correct and of fundamental importance. The quality of technical controls, however, should not be overlooked. For example, the supplier may have excellent policy documents on encryption, but does this mean those controls are actually deployed correctly and that they are truly going to address the risk? If there are specific risks that are significant enough to warrant it, I would recommend specifying minimum technical security requirements which your supplier should meet. Also you may want to negotiate that the supplier’s environment is subject to regular vulnerability assessments or penetration tests.
For a description of penetration testing see: http://www.parkersolutionsgroup.co.uk/solutions/cyber-security/penetration-testing.php
In this case you will need to negotiate the frequency and scope of such tests and the associated costs. Also you will need to ensure that those performing the tests are genuinely independent and competent.
4) Staff Clearance. Your organisation most probably goes to the effort of performing background checks on its employees prior to employment, for example performing identity checks, taking up references, performing DBS checks (criminal records checks) and perhaps even demanding specific levels of security clearance. These checks are all performed to minimise risk, so when outsourcing you may want your supplier to perform the same levels of clearance on those staff they employ who will handle your data or access your systems or buildings. To be clear, I am not saying your organisation needs to perform these checks, but you are looking to see if your supplier will provide these checks. If there is a mismatch, does this introduce new risks? Finally on this point, if your supplier relies on recruitment agencies to perform these checks, does the supplier audit the agency to ensure these checks are being completed as required?
5) Business Continuity. If you are relying on your supplier to deliver services, are they prepared for an interruption to their business? How would an interruption to their business affect your organisation? Does your supplier have adequate Business Continuity plans? Depending on your requirements, you may require evidence that your supplier has conducted adequate planning and testing. Again this is a key area to consider in your contract.
6) Right to Audit. Finally, you may have agreed a whole range of controls through your contract in response to the relevant risks. How do you gain assurance surrounding these controls? Perhaps the independent certifications may be enough, but if you want true assurance, a right to audit clause will allow your organisation to perform the relevant assessments of compliance. Of course the size, frequency and scope of such audits will need to be agreed, and the supplier may well look to add additional cost to cover their time facilitating the audits. This is an area that requires careful negotiation and discussion, but one that is at the heart of any good supplier due diligence. I hope these pointers give you some useful ideas about security in the supply chain going forward.
Graeme Parker is an experienced professional in the fields of Cyber Security, Risk Management and Governance, with proven experience in implementing and developing effective management systems for these fields.
If you have any questions, please do not hesitate to contact Graeme at: firstname.lastname@example.org