Cloud

7/12/2017
10:30 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Dealing with Due Diligence

Companies will find themselves evaluating third-party cybersecurity more than ever -- and being subject to scrutiny themselves. Here's how to handle it.

Due diligence is becoming an increasingly important part of any cybersecurity strategy. Not only will companies often find clients checking their services for cybersecurity readiness, but they'll also face regulations demanding that they subject their own service providers to similar scrutiny.

The Securities and Exchange Commission's cybersecurity guidance says that registered investment advisers "may also wish to consider assessing whether protective cybersecurity measures are in place at relevant service providers." New York State's recently introduced NYCRR Part 500 cybersecurity regulation is more explicit, requiring financial companies to subject their service providers to cybersecurity checks.

Across the Atlantic, the EU's General Data Protection Regulation will demand that data controllers (the companies managing their customers' data) exercise a high level of care when choosing data processors (the third-party service providers that they use to help process that data).

When Vendors Won't Talk to You
The problem when conducting due diligence is that companies aren't guaranteed a detailed response from the service provider. Depending on the customer and vendor's relative sizes, companies may get no response at all. Hyperscale service providers, like Google or Amazon, are unlikely to let many, or any, companies into their data centers for a look around, or spend much time filling out RFPs for businesses.

Thankfully, cybersecurity auditing standards make evaluation of third-party services far easier. Gathering together due diligence questions into standardized, approved question sets makes it possible for even smaller customers to get a handle on a service provider's cybersecurity readiness.

What kind of cybersecurity framework should you use when conducting due diligence on a supplier or a potential acquisition? Much depends on the kind of relationship and the industry involved, but a hardy perennial is the Standards for Attestation Engagements (SSAE) 16 auditing standard. Created by the American Institute of Certified Public Accountants (AICPA), it's a standard for auditing controls at service organizations and replaces the existing SAS 70 standard. That standard's Service Organization Controls (SOC) 2 audit process takes in cybersecurity controls.

The National Institute for Science and Technology (NIST), which develops voluntary best-practice cybersecurity guidelines, recommends that companies use its cybersecurity framework as the basis for due diligence. On its own, the NIST framework can be challenging to navigate, particularly for small and midsize firms. eSentire has distilled the NIST framework into an easy-to-follow workbook that will help identify a firm's security risks and develop policies to support cybersecurity governance.

Certain industries or use cases also mandate their own requirements. One of the more prescriptive audits is the Payment Card Industry council's Data Security Standard (PCI-DSS), which subjects companies storing, holding, or transmitting payment card details to a strict audit. For users of enterprise cloud computing services, the Cloud Security Alliance publishes a Cloud Controls Matrix, a risk assessment framework to help evaluate cloud security. Organizations providing cloud services to the public sector in the US will need to pass a FedRAMP cybersecurity evaluation.

Companies meeting these cybersecurity requirements to comply with their clients' needs should expect to go through some internal pain when bringing themselves up to speed with the relevant standards. They should also devote time to regular reviews, so that they can show ongoing compliance.

Those in certain industries, including law and finance, may find themselves under increasing regulatory pressure to comply with due diligence requests, not only because they work in heavily regulated industries but because they sit at the cross-section of many different sectors. Legal and financial firms deal with so many kinds of companies, whether as clients or as investments, that they have access to sensitive data across multiple industries. As such, they may find themselves affected by sector-specific regulations outside their own.

While meeting these requirements may seem like a burden, senior management can also view this as an opportunity. Proving compliance with one or more cybersecurity standards can be a competitive differentiator, giving companies significant leverage among clients increasingly worried about data breaches. When it comes to due diligence, a little pain now can yield significant gains further down the line. 

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada, July 22-27, 2017. Click for information on the conference schedule and to register.

Related Content:

Eldon Sprickerhoff is founder and chief security strategist at cybersecurity company eSentire (www.esentire.com). In founding eSentire, Eldon responded to the incipient yet rapidly growing demand for a more proactive approach to preventing and investigating information ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Christian Bryant
50%
50%
Christian Bryant,
User Rank: Ninja
7/31/2017 | 4:46:45 PM
Compliance Without a Track Record
As much as I appreciate the compliance badge here, it also needs to be clear that such a badge isn't an indicator of quality.  There needs to be a track record, too.  Tangible, quantifiable examples of a working product must be available in addition to any industry compliance certifications.  I can't count the number of CMMI compliant applications my organizations have procured that fell flat on their face when we tried to implement them.  When your RFP narrows down three vendors and you have to go with the one with the most certifications and badges but is not user friendly, or has not the best ratings from users at other organizations, you shoot yourself in the foot.  I personally admire NIST and PCI-DSS, for example.  But again, you sometimes have to go with your gut and what you think might be possible to change down the road if it means getting what will work out of the box without opening yourself up to exploits.
douglasagray
50%
50%
douglasagray,
User Rank: Apprentice
7/17/2017 | 4:01:29 PM
Building Maturity in Managing Vendors
Another framework to look at is the Software Engineering Institute, Carnegie Mellon University's CERT Resilience Management Model, specifically their External Dependencies Management process area.
charles@concise.ac
50%
50%
[email protected],
User Rank: Apprentice
7/12/2017 | 6:56:00 PM
Might be of interest to your readers
Hi,

On the subject of Cybersecurity Conferences, this link might be of interest: (Events in Las Vegas) > https://infosec-conferences.com/events/cybersecurity-conferences-las-vegas/

Thanks
More Than Half of Users Reuse Passwords
Curtis Franklin Jr., Senior Editor at Dark Reading,  5/24/2018
Is Threat Intelligence Garbage?
Chris McDaniels, Chief Information Security Officer of Mosaic451,  5/23/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-11505
PUBLISHED: 2018-05-26
The Werewolf Online application 0.8.8 for Android allows attackers to discover the Firebase token by reading logcat output.
CVE-2018-6409
PUBLISHED: 2018-05-26
An issue was discovered in Appnitro MachForm before 4.2.3. The module in charge of serving stored files gets the path from the database. Modifying the name of the file to serve on the corresponding ap_form table leads to a path traversal vulnerability via the download.php q parameter.
CVE-2018-6410
PUBLISHED: 2018-05-26
An issue was discovered in Appnitro MachForm before 4.2.3. There is a download.php SQL injection via the q parameter.
CVE-2018-6411
PUBLISHED: 2018-05-26
An issue was discovered in Appnitro MachForm before 4.2.3. When the form is set to filter a blacklist, it automatically adds dangerous extensions to the filters. If the filter is set to a whitelist, the dangerous extensions can be bypassed through ap_form_elements SQL Injection.
CVE-2018-11500
PUBLISHED: 2018-05-26
An issue was discovered in PublicCMS V4.0.20180210. There is a CSRF vulnerability in "admin/sysUser/save.do?callbackType=closeCurrent&navTabId=sysUser/list" that can add an admin account.