Cloud

7/12/2017 10:30 AM
Dealing with Due Diligence

Companies will find themselves evaluating third-party cybersecurity more than ever -- and being subject to scrutiny themselves. Here's how to handle it.

Due diligence is becoming an increasingly important part of any cybersecurity strategy. Not only will companies often find clients checking their services for cybersecurity readiness, but they'll also face regulations demanding that they subject their own service providers to similar scrutiny.

The Securities and Exchange Commission's cybersecurity guidance says that registered investment advisers "may also wish to consider assessing whether protective cybersecurity measures are in place at relevant service providers." New York State's recently introduced NYCRR Part 500 cybersecurity regulation is more explicit, requiring financial companies to subject their service providers to cybersecurity checks.

Across the Atlantic, the EU's General Data Protection Regulation will demand that data controllers (the companies managing their customers' data) exercise a high level of care when choosing data processors (the third-party service providers that they use to help process that data).

When Vendors Won't Talk to You
The problem when conducting due diligence is that companies aren't guaranteed a detailed response from the service provider. Depending on the customer's and vendor's relative sizes, companies may get no response at all. Hyperscale service providers, like Google or Amazon, are unlikely to let many, or any, companies into their data centers for a look around, or to spend much time filling out RFPs for individual businesses.

Thankfully, cybersecurity auditing standards make evaluation of third-party services far easier. Gathering together due diligence questions into standardized, approved question sets makes it possible for even smaller customers to get a handle on a service provider's cybersecurity readiness.

What kind of cybersecurity framework should you use when conducting due diligence on a supplier or a potential acquisition? Much depends on the kind of relationship and the industry involved, but a hardy perennial is the Standards for Attestation Engagements (SSAE) 16 auditing standard. Created by the American Institute of Certified Public Accountants (AICPA), it is a standard for auditing controls at service organizations and replaces the earlier SAS 70 standard. The standard's Service Organization Controls (SOC) 2 audit process covers cybersecurity controls.

The National Institute for Science and Technology (NIST), which develops voluntary best-practice cybersecurity guidelines, recommends that companies use its cybersecurity framework as the basis for due diligence. On its own, the NIST framework can be challenging to navigate, particularly for small and midsize firms. eSentire has distilled the NIST framework into an easy-to-follow workbook that will help identify a firm's security risks and develop policies to support cybersecurity governance.

Certain industries or use cases also mandate their own requirements. One of the more prescriptive audits is the Payment Card Industry council's Data Security Standard (PCI-DSS), which subjects companies storing, holding, or transmitting payment card details to a strict audit. For users of enterprise cloud computing services, the Cloud Security Alliance publishes a Cloud Controls Matrix, a risk assessment framework to help evaluate cloud security. Organizations providing cloud services to the public sector in the US will need to pass a FedRAMP cybersecurity evaluation.

Companies meeting these cybersecurity requirements to comply with their clients' needs should expect to go through some internal pain when bringing themselves up to speed with the relevant standards. They should also devote time to regular reviews, so that they can show ongoing compliance.

Those in certain industries, including law and finance, may find themselves under increasing regulatory pressure to comply with due diligence requests, not only because they work in heavily regulated industries but because they sit at the intersection of many different sectors. Legal and financial firms deal with so many kinds of companies, whether as clients or as investments, that they have access to sensitive data across multiple industries. As such, they may find themselves affected by sector-specific regulations outside their own.

While meeting these requirements may seem like a burden, senior management can also view this as an opportunity. Proving compliance with one or more cybersecurity standards can be a competitive differentiator, giving companies significant leverage among clients increasingly worried about data breaches. When it comes to due diligence, a little pain now can yield significant gains further down the line.

Eldon Sprickerhoff is founder and chief security strategist at cybersecurity company eSentire (www.esentire.com). In founding eSentire, Eldon responded to the incipient yet rapidly growing demand for a more proactive approach to preventing and investigating information ...

Comments
No SOPA, User Rank: Ninja
7/31/2017 | 4:46:45 PM
Compliance Without a Track Record
As much as I appreciate the compliance badge here, it also needs to be clear that such a badge isn't an indicator of quality. There needs to be a track record, too. Tangible, quantifiable examples of a working product must be available in addition to any industry compliance certifications. I can't count the number of CMMI-compliant applications my organizations have procured that fell flat on their face when we tried to implement them. When your RFP narrows down to three vendors and you have to go with the one with the most certifications and badges but that is not user friendly, or does not have the best ratings from users at other organizations, you shoot yourself in the foot. I personally admire NIST and PCI-DSS, for example. But again, you sometimes have to go with your gut and what you think might be possible to change down the road if it means getting what will work out of the box without opening yourself up to exploits.
douglasagray, User Rank: Apprentice
7/17/2017 | 4:01:29 PM
Building Maturity in Managing Vendors
Another framework to look at is the Software Engineering Institute, Carnegie Mellon University's CERT Resilience Management Model, specifically their External Dependencies Management process area.
charles@concise.ac, User Rank: Apprentice
7/12/2017 | 6:56:00 PM
Might be of interest to your readers
Hi,

On the subject of Cybersecurity Conferences, this link might be of interest: (Events in Las Vegas) > https://infosec-conferences.com/events/cybersecurity-conferences-las-vegas/

Thanks