

10/10/2011 11:49 AM

Compliance Outside Corporate Walls

Getting third parties that touch regulated data to comply can be as important as your own internal compliance efforts

Instituting a security-compliance program is hard enough for most enterprises. But when you're also dealing with a whole mess of business partners, vendors, and even customers who must touch and manipulate your critical data, ensuring compliance often becomes a total minefield. When third parties use your IT assets, their security controls become as important to the regulators as yours are.

"A business is responsible and liable for all elements of their service offering, whether it is fulfilled internally or subcontracted to vendors," says Dr. Frank Gozzo, president and CEO of Noverant. "So once an end client imposes certain IT security requirements, it’s critical to ensure the requirements are passed down to all vendors and business partners. At the end of the day, you’re on the hook."

While your internal systems are certainly going to be the main focus of auditors looking for compliance gaffes, these days it's not unheard of for them to also poke into your third-party connections across the supply chain, particularly when the systems those third parties handle are very sensitive.

"We are beginning to see both internal and external auditors pay far more attention to partners’ environments," says Robbie Higgins, vice president of security and mobile services for GlassHouse Technologies. "Specifically with the pervasiveness of IT outsourcing in addition to the new IT service offerings via virtualization and cloud-based offerings, more comprehensive reviews are being conducted."

As Higgins puts it, in many cases when organizations outsource parts of IT, the vendor is most likely to take on the storage and management of data -- so that vendor becomes a target for breaches as much as you do.

"The challenge for many organizations has been to ensure that the service levels you want, in addition to the policies and procedures you need enforced, are in alignment with what the vendor says he or she will do," he says.

The difficulty there is getting third parties to answer important questions, says Dan Sherman, director of information security for Telos, particularly when they're smaller business vendors without a background in security. Even basic questions like, "Do you have an information security policy?" or, "Do you have an incident response plan?" could be difficult, he says.

"Many times when I ask these questions, the vendors sound like they have never had these questions asked before and are not sure who they need to talk to to get the information, or they just simply do not have it," he says.

Meanwhile, in the IT services and cloud arenas, compliance-information gathering is often stymied by a vendor's reluctance to lift the kimono, either due to fear of inconvenience or of revealing too many infrastructure details that could compromise other customers' information.

"The challenge is that every customer wants to do the audit, and they want their own auditors to be able to do it themselves," says John Nicholson, counsel for the global sourcing practice at Washington, D.C.-based law firm Pillsbury Winthrop Shaw Pittman LLP. "When we start talking about large vendor data centers, particularly in cloud environments, the last thing they want is an auditor or even multiple auditors from different customers traipsing through their data centers on a daily basis."

So what's a customer to do? As Nicholson says, the more you can tie vendors' performance to industry-accepted standards, such as those of NIST or ISO, the better off you are on the security-compliance front. But you still need to check on how well they are actually adhering to those standards -- and that's where the problem is.

For a long time, organizations have accepted a partner's SAS 70 Type II report as a "good enough" CYA for compliance and security purposes. But most security experts believe that relying on SAS 70 leaves a great deal uncovered.

"Until recently, checking on their compliance meant usually getting a copy of their SAS 70 Type II, which really wasn't designed to do what people have used it for, but it was the proxy for it," Nicholson says.

One of the problems with SAS 70, says Sherman, is that the certificate holder generally gets to cherry-pick which security controls the auditor tests.

"To me, since you can pick and choose what you want to adhere to, it doesn't mean a whole lot," he says. "I will obviously not choose things I cannot meet so I can pass the SAS 70 audit with the bare minimum being met."

According to Nicholson, there are alternatives to SAS 70, though.

"There are also other resources out there, like Shared Assessments, [an organization that is trying to build a more standardized service provider assessment process], which is maturing but is getting there," he says. "Also having them prove compliance with the Cloud Security Alliance's GRC stack is an incredible resource. [You want them] to try and build a checklist that enables auditors to walk in and say, 'OK, give me your checklist. Do you comply with all of these things? Yes? Great.'"
