Compliance Outside Corporate Walls

Getting third parties that touch regulated data to comply can be as important as your own internal compliance efforts
Instituting a security-compliance program is hard enough for most enterprises. But when you're also dealing with a whole mess of business partners, vendors, and even customers who must touch and manipulate your critical data, ensuring compliance often becomes a total minefield. When third parties use your IT assets, their security controls become as important to the regulators as yours are.

"A business is responsible and liable for all elements of their service offering, whether it is fulfilled internally or subcontracted to vendors," says Dr. Frank Gozzo, president and CEO of Noverant. "So once an end client imposes certain IT security requirements, it’s critical to ensure the requirements are passed down to all vendors and business partners. At the end of the day, you’re on the hook."

While your internal systems are certainly going to be the main focus of auditors looking for compliance gaffes, these days it's not unheard of for them to also poke into your third-party connections across the supply chain, particularly when those third parties are handling very sensitive systems.

"We are beginning to see both internal and external auditors pay far more attention to partners’ environments," says Robbie Higgins, vice president of security and mobile services for GlassHouse Technologies. "Specifically with the pervasiveness of IT outsourcing in addition to the new IT service offerings via virtualization and cloud-based offerings, more comprehensive reviews are being conducted."

As Higgins puts it, in many cases when organizations outsource parts of IT, the vendor is most likely to take on the storage and management of data -- so that vendor becomes a target for breaches as much as you do.

"The challenge for many organizations has been to ensure that the service levels you want, in addition to the policies and procedures you need enforced, are in alignment with what the vendor says he or she will do," he says.

The difficulty there is getting third parties to answer important questions, says Dan Sherman, director of information security for Telos, particularly when they're smaller business vendors without a background in security. Even basic questions like, "Do you have an information security policy?" or, "Do you have an incident response plan?" could be difficult, he says.

"Many times when I ask these questions, the vendors sound like they have never had these questions asked before and are not sure who they need to talk to to get the information, or they just simply do not have it," he says.

Meanwhile, in the IT services and cloud arenas, compliance-information gathering is often stymied by a vendor's reluctance to lift the kimono, either due to fear of inconvenience or of revealing too many infrastructure details that could compromise other customers' information.

"The challenge is that every customer wants to do the audit, and they want their own auditors to be able to do it themselves," says John Nicholson, counsel for the global sourcing practice at Washington, D.C.-based law firm Pillsbury Winthrop Shaw Pittman LLP. "When we start talking about large vendor data centers, particularly in cloud environments, the last thing they want is an auditor or even multiple auditors from different customers traipsing through their data centers on a daily basis."

So what's a customer to do? As Nicholson says, the more you can tie vendors' performance to industry-accepted standards, such as those of NIST or ISO, the better off you are on the security-compliance front. But you still need to check on how well they are actually adhering to those standards -- and that's where the problem is.

For a long time, organizations have looked to their partners' SAS 70 Type II reports as a "good enough" CYA for compliance and security purposes. But most security experts believe that relying on SAS 70 alone will not cover much.

"Until recently, checking on their compliance meant usually getting a copy of their SAS 70 Type II, which really wasn't designed to do what people have used it for, but it was the proxy for it," Nicholson says.

One of the problems with SAS 70, says Sherman, is the fact that the certificate holder generally gets to cherry-pick the security controls against which the auditor tests.

"To me, since you can pick and choose what you want to adhere to, it doesn't mean a whole lot," he says. "I will obviously not choose things I cannot meet so I can pass the SAS 70 audit with the bare minimum being met."

According to Nicholson, there are alternatives to SAS 70, though.

"There are also other resources out there, like Shared Assessments, [an organization that is trying to build a more standardized service provider assessment process], which is maturing but is getting there," he says. "Also having them prove compliance with the Cloud Security Alliance's GRC stack is an incredible resource. [You want them] to try and build a checklist that enables auditors to walk in and say, 'OK, give me your checklist. Do you comply with all of these things? Yes? Great.'"