Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

7/12/2017
10:30 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Dealing with Due Diligence

Companies will find themselves evaluating third-party cybersecurity more than ever -- and being subject to scrutiny themselves. Here's how to handle it.

Due diligence is becoming an increasingly important part of any cybersecurity strategy. Not only will companies often find clients checking their services for cybersecurity readiness, but they'll also face regulations demanding that they subject their own service providers to similar scrutiny.

The Securities and Exchange Commission's cybersecurity guidance says that registered investment advisers "may also wish to consider assessing whether protective cybersecurity measures are in place at relevant service providers." New York State's recently introduced NYCRR Part 500 cybersecurity regulation is more explicit, requiring financial companies to subject their service providers to cybersecurity checks.

Across the Atlantic, the EU's General Data Protection Regulation will demand that data controllers (the companies managing their customers' data) exercise a high level of care when choosing data processors (the third-party service providers that they use to help process that data).

When Vendors Won't Talk to You
The problem when conducting due diligence is that companies aren't guaranteed a detailed response from the service provider. Depending on the customer and vendor's relative sizes, companies may get no response at all. Hyperscale service providers, like Google or Amazon, are unlikely to let many, or any, companies into their data centers for a look around, or spend much time filling out RFPs for businesses.

Thankfully, cybersecurity auditing standards make evaluation of third-party services far easier. Gathering together due diligence questions into standardized, approved question sets makes it possible for even smaller customers to get a handle on a service provider's cybersecurity readiness.

What kind of cybersecurity framework should you use when conducting due diligence on a supplier or a potential acquisition? Much depends on the kind of relationship and the industry involved, but a hardy perennial is the Standards for Attestation Engagements (SSAE) 16 auditing standard. Created by the American Institute of Certified Public Accountants (AICPA), it's a standard for auditing controls at service organizations and replaces the existing SAS 70 standard. That standard's Service Organization Controls (SOC) 2 audit process takes in cybersecurity controls.

The National Institute for Science and Technology (NIST), which develops voluntary best-practice cybersecurity guidelines, recommends that companies use its cybersecurity framework as the basis for due diligence. On its own, the NIST framework can be challenging to navigate, particularly for small and midsize firms. eSentire has distilled the NIST framework into an easy-to-follow workbook that will help identify a firm's security risks and develop policies to support cybersecurity governance.

Certain industries or use cases also mandate their own requirements. One of the more prescriptive audits is the Payment Card Industry council's Data Security Standard (PCI-DSS), which subjects companies storing, holding, or transmitting payment card details to a strict audit. For users of enterprise cloud computing services, the Cloud Security Alliance publishes a Cloud Controls Matrix, a risk assessment framework to help evaluate cloud security. Organizations providing cloud services to the public sector in the US will need to pass a FedRAMP cybersecurity evaluation.

Companies meeting these cybersecurity requirements to comply with their clients' needs should expect to go through some internal pain when bringing themselves up to speed with the relevant standards. They should also devote time to regular reviews, so that they can show ongoing compliance.

Those in certain industries, including law and finance, may find themselves under increasing regulatory pressure to comply with due diligence requests, not only because they work in heavily regulated industries but because they sit at the cross-section of many different sectors. Legal and financial firms deal with so many kinds of companies, whether as clients or as investments, that they have access to sensitive data across multiple industries. As such, they may find themselves affected by sector-specific regulations outside their own.

While meeting these requirements may seem like a burden, senior management can also view this as an opportunity. Proving compliance with one or more cybersecurity standards can be a competitive differentiator, giving companies significant leverage among clients increasingly worried about data breaches. When it comes to due diligence, a little pain now can yield significant gains further down the line. 

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada, July 22-27, 2017. Click for information on the conference schedule and to register.

Related Content:

Eldon Sprickerhoff is founder and chief security strategist at cybersecurity company eSentire (www.esentire.com). In founding eSentire, Eldon responded to the incipient yet rapidly growing demand for a more proactive approach to preventing and investigating information ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RetiredUser
50%
50%
RetiredUser,
User Rank: Ninja
7/31/2017 | 4:46:45 PM
Compliance Without a Track Record
As much as I appreciate the compliance badge here, it also needs to be clear that such a badge isn't an indicator of quality.  There needs to be a track record, too.  Tangible, quantifiable examples of a working product must be available in addition to any industry compliance certifications.  I can't count the number of CMMI compliant applications my organizations have procured that fell flat on their face when we tried to implement them.  When your RFP narrows down three vendors and you have to go with the one with the most certifications and badges but is not user friendly, or has not the best ratings from users at other organizations, you shoot yourself in the foot.  I personally admire NIST and PCI-DSS, for example.  But again, you sometimes have to go with your gut and what you think might be possible to change down the road if it means getting what will work out of the box without opening yourself up to exploits.
douglasagray
50%
50%
douglasagray,
User Rank: Apprentice
7/17/2017 | 4:01:29 PM
Building Maturity in Managing Vendors
Another framework to look at is the Software Engineering Institute, Carnegie Mellon University's CERT Resilience Management Model, specifically their External Dependencies Management process area.
charles@concise.ac
50%
50%
[email protected],
User Rank: Apprentice
7/12/2017 | 6:56:00 PM
Might be of interest to your readers
Hi,

On the subject of Cybersecurity Conferences, this link might be of interest: (Events in Las Vegas) > https://infosec-conferences.com/events/cybersecurity-conferences-las-vegas/

Thanks
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment:   It's a PEN test of our cloud security.
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7245
PUBLISHED: 2020-01-23
Incorrect username validation in the registration processes of CTFd through 2.2.2 allows a remote attacker to take over an arbitrary account after initiating a password reset. This is related to register() and reset_password() in auth.py. To exploit the vulnerability, one must register with a userna...
CVE-2019-14885
PUBLISHED: 2020-01-23
A flaw was found in the JBoss EAP Vault system in all versions before 7.2.6.GA. Confidential information of the system property's security attribute value is revealed in the JBoss EAP log file when executing a JBoss CLI 'reload' command. This flaw can lead to the exposure of confidential information...
CVE-2019-17570
PUBLISHED: 2020-01-23
An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a XML-RPC client causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issue...
CVE-2020-6007
PUBLISHED: 2020-01-23
Philips Hue Bridge model 2.X prior to and including version 1935144020 contains a Heap-based Buffer Overflow when handling a long ZCL string during the commissioning phase, resulting in a remote code execution.
CVE-2012-4606
PUBLISHED: 2020-01-23
Citrix XenServer 4.1, 6.0, 5.6 SP2, 5.6 Feature Pack 1, 5.6 Common Criteria, 5.6, 5.5, 5.0, and 5.0 Update 3 contains a Local Privilege Escalation Vulnerability which could allow local users with access to a guest operating system to gain elevated privileges.