Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

7/12/2017
10:30 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Dealing with Due Diligence

Companies will find themselves evaluating third-party cybersecurity more than ever -- and being subject to scrutiny themselves. Here's how to handle it.

Due diligence is becoming an increasingly important part of any cybersecurity strategy. Not only will companies often find clients checking their services for cybersecurity readiness, but they'll also face regulations demanding that they subject their own service providers to similar scrutiny.

The Securities and Exchange Commission's cybersecurity guidance says that registered investment advisers "may also wish to consider assessing whether protective cybersecurity measures are in place at relevant service providers." New York State's recently introduced NYCRR Part 500 cybersecurity regulation is more explicit, requiring financial companies to subject their service providers to cybersecurity checks.

Across the Atlantic, the EU's General Data Protection Regulation will demand that data controllers (the companies managing their customers' data) exercise a high level of care when choosing data processors (the third-party service providers that they use to help process that data).

When Vendors Won't Talk to You
The problem when conducting due diligence is that companies aren't guaranteed a detailed response from the service provider. Depending on the customer and vendor's relative sizes, companies may get no response at all. Hyperscale service providers, like Google or Amazon, are unlikely to let many, or any, companies into their data centers for a look around, or spend much time filling out RFPs for businesses.

Thankfully, cybersecurity auditing standards make evaluation of third-party services far easier. Gathering together due diligence questions into standardized, approved question sets makes it possible for even smaller customers to get a handle on a service provider's cybersecurity readiness.

What kind of cybersecurity framework should you use when conducting due diligence on a supplier or a potential acquisition? Much depends on the kind of relationship and the industry involved, but a hardy perennial is the Standards for Attestation Engagements (SSAE) 16 auditing standard. Created by the American Institute of Certified Public Accountants (AICPA), it's a standard for auditing controls at service organizations and replaces the existing SAS 70 standard. That standard's Service Organization Controls (SOC) 2 audit process takes in cybersecurity controls.

The National Institute for Science and Technology (NIST), which develops voluntary best-practice cybersecurity guidelines, recommends that companies use its cybersecurity framework as the basis for due diligence. On its own, the NIST framework can be challenging to navigate, particularly for small and midsize firms. eSentire has distilled the NIST framework into an easy-to-follow workbook that will help identify a firm's security risks and develop policies to support cybersecurity governance.

Certain industries or use cases also mandate their own requirements. One of the more prescriptive audits is the Payment Card Industry council's Data Security Standard (PCI-DSS), which subjects companies storing, holding, or transmitting payment card details to a strict audit. For users of enterprise cloud computing services, the Cloud Security Alliance publishes a Cloud Controls Matrix, a risk assessment framework to help evaluate cloud security. Organizations providing cloud services to the public sector in the US will need to pass a FedRAMP cybersecurity evaluation.

Companies meeting these cybersecurity requirements to comply with their clients' needs should expect to go through some internal pain when bringing themselves up to speed with the relevant standards. They should also devote time to regular reviews, so that they can show ongoing compliance.

Those in certain industries, including law and finance, may find themselves under increasing regulatory pressure to comply with due diligence requests, not only because they work in heavily regulated industries but because they sit at the cross-section of many different sectors. Legal and financial firms deal with so many kinds of companies, whether as clients or as investments, that they have access to sensitive data across multiple industries. As such, they may find themselves affected by sector-specific regulations outside their own.

While meeting these requirements may seem like a burden, senior management can also view this as an opportunity. Proving compliance with one or more cybersecurity standards can be a competitive differentiator, giving companies significant leverage among clients increasingly worried about data breaches. When it comes to due diligence, a little pain now can yield significant gains further down the line. 

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada, July 22-27, 2017. Click for information on the conference schedule and to register.

Related Content:

Eldon Sprickerhoff is founder and chief security strategist at cybersecurity company eSentire (www.esentire.com). In founding eSentire, Eldon responded to the incipient yet rapidly growing demand for a more proactive approach to preventing and investigating information ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
charles@concise.ac
50%
50%
[email protected],
User Rank: Apprentice
7/12/2017 | 6:56:00 PM
Might be of interest to your readers
Hi,

On the subject of Cybersecurity Conferences, this link might be of interest: (Events in Las Vegas) > https://infosec-conferences.com/events/cybersecurity-conferences-las-vegas/

Thanks
douglasagray
50%
50%
douglasagray,
User Rank: Apprentice
7/17/2017 | 4:01:29 PM
Building Maturity in Managing Vendors
Another framework to look at is the Software Engineering Institute, Carnegie Mellon University's CERT Resilience Management Model, specifically their External Dependencies Management process area.
RetiredUser
50%
50%
RetiredUser,
User Rank: Ninja
7/31/2017 | 4:46:45 PM
Compliance Without a Track Record
As much as I appreciate the compliance badge here, it also needs to be clear that such a badge isn't an indicator of quality.  There needs to be a track record, too.  Tangible, quantifiable examples of a working product must be available in addition to any industry compliance certifications.  I can't count the number of CMMI compliant applications my organizations have procured that fell flat on their face when we tried to implement them.  When your RFP narrows down three vendors and you have to go with the one with the most certifications and badges but is not user friendly, or has not the best ratings from users at other organizations, you shoot yourself in the foot.  I personally admire NIST and PCI-DSS, for example.  But again, you sometimes have to go with your gut and what you think might be possible to change down the road if it means getting what will work out of the box without opening yourself up to exploits.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/6/2020
Introducing 'Secure Access Service Edge'
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  7/3/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5604
PUBLISHED: 2020-07-09
Android App 'Mercari' (Japan version) prior to version 3.52.0 allows arbitrary method execution of a Java object by a remoto attacker via a Man-In-The-Middle attack by using Java Reflection API of JavaScript code on WebView.
CVE-2020-5974
PUBLISHED: 2020-07-08
NVIDIA JetPack SDK, version 4.2 and 4.3, contains a vulnerability in its installation scripts in which permissions are incorrectly set on certain directories, which can lead to escalation of privileges.
CVE-2020-15072
PUBLISHED: 2020-07-08
An issue was discovered in phpList through 3.5.4. An error-based SQL Injection vulnerability exists via the Import Administrators section.
CVE-2020-15073
PUBLISHED: 2020-07-08
An issue was discovered in phpList through 3.5.4. An XSS vulnerability occurs within the Import Administrators section via upload of an edited text document. This also affects the Subscriber Lists section.
CVE-2020-2034
PUBLISHED: 2020-07-08
An OS Command Injection vulnerability in the PAN-OS GlobalProtect portal allows an unauthenticated network based attacker to execute arbitrary OS commands with root privileges. An attacker requires some knowledge of the firewall to exploit this issue. This issue can not be exploited if GlobalProtect...