
10/10/2011
11:49 AM

Compliance Outside Corporate Walls

Getting third parties that touch regulated data to comply can be as important as your own internal compliance efforts

Instituting a security-compliance program is hard enough for most enterprises. But when you're also dealing with a whole mess of business partners, vendors, and even customers who must touch and manipulate your critical data, ensuring compliance often becomes a total minefield. When third parties use your IT assets, their security controls become as important to the regulators as yours are.

"A business is responsible and liable for all elements of their service offering, whether it is fulfilled internally or subcontracted to vendors," says Dr. Frank Gozzo, president and CEO of Noverant. "So once an end client imposes certain IT security requirements, it’s critical to ensure the requirements are passed down to all vendors and business partners. At the end of the day, you’re on the hook."

While your internal systems are certainly going to be the main focus of auditors looking for compliance gaffes, these days it's not unheard of for them to also poke into your third-party connections across the supply chain, particularly when the systems those partners handle are very sensitive.

"We are beginning to see both internal and external auditors pay far more attention to partners’ environments," says Robbie Higgins, vice president of security and mobile services for GlassHouse Technologies. "Specifically with the pervasiveness of IT outsourcing in addition to the new IT service offerings via virtualization and cloud-based offerings, more comprehensive reviews are being conducted."

As Higgins puts it, in many cases when organizations outsource parts of IT, the vendor takes on the storage and management of data -- so that vendor becomes as much a target for breaches as you are.

"The challenge for many organizations has been to ensure that the service levels you want, in addition to the policies and procedures you need enforced, are in alignment with what the vendor says he or she will do," he says.

The difficulty there is getting third parties to answer important questions, says Dan Sherman, director of information security for Telos, particularly when they are smaller vendors without a background in security. Even basic questions like, "Do you have an information security policy?" or, "Do you have an incident response plan?" can be difficult for them to answer, he says.

"Many times when I ask these questions, the vendors sound like they have never had these questions asked before and are not sure who they need to talk to to get the information, or they just simply do not have it," he says.

Meanwhile, in the IT services and cloud arenas, compliance-information gathering is often stymied by a vendor's reluctance to lift the kimono, either due to fear of inconvenience or of revealing too many infrastructure details that could compromise other customers' information.

"The challenge is that every customer wants to do the audit, and they want their own auditors to be able to do it themselves," says John Nicholson, counsel for the global sourcing practice at Washington, D.C.-based law firm Pillsbury Winthrop Shaw Pittman LLP. "When we start talking about large vendor data centers, particularly in cloud environments, the last thing they want is an auditor or even multiple auditors from different customers traipsing through their data centers on a daily basis."

So what's a customer to do? As Nicholson says, the more you can tie vendors' performance to industry-accepted standards, such as those of NIST or ISO, the better off you are on the security-compliance front. But you still need to check on how well they are actually adhering to those standards -- and that's where the problem is.

For a long time, organizations have accepted a partner's SAS 70 Type II report as a "good enough" CYA for compliance and security purposes. But most security experts believe that relying on SAS 70 will not cover much.

"Until recently, checking on their compliance meant usually getting a copy of their SAS 70 Type II, which really wasn't designed to do what people have used it for, but it was the proxy for it," Nicholson says.

One of the problems with SAS 70, says Sherman, is the fact that the certificate holder generally gets to cherry-pick the security controls on which the auditor tests.

"To me, since you can pick and choose what you want to adhere to, it doesn't mean a whole lot," he says. "I will obviously not choose things I cannot meet so I can pass the SAS 70 audit with the bare minimum being met."

According to Nicholson, there are alternatives to SAS 70, though.

"There are also other resources out there, like Shared Assessments, [an organization that is trying to build a more standardized service provider assessment process], which is maturing but is getting there," he says. "Also having them prove compliance with the Cloud Security Alliance's GRC stack is an incredible resource. [You want them] to try and build a checklist that enables auditors to walk in and say, 'OK, give me your checklist. Do you comply with all of these things? Yes? Great.'"
