A Practical Guide to Security Assessments
8. Overall, what is the quality of service currently being provided?
Guidance:
This is an open-ended question that can generate conversation
about how good the service is from the provider. The discussion related to
the quality of the service will lead to further discussion about security,
availability, and other issues the client might be having with the provider.
The lessons learned from this experience can provide guidance for the next
relationship with an external service provider.
Risk:
Not applicable. This question is being asked to obtain an overall
judgment of the service being provided.
Client Response:
9. Was any due diligence performed from a security perspective in the pro-
cess of selecting the external service provider? If so, was someone who
represented security part of the due diligence effort?
Guidance:
External service providers often provide mission-critical ser-
vices or house very sensitive information on their machines. With this in
mind, the selection process should be a rigorous one involving significant
due diligence. As part of this effort, someone representing security should
be involved. One of the issues seen with external service providers is that
security is often an afterthought — i.e., security is considered after the
contract is signed. Ideally, security personnel should be constantly inter-
facing with business unit personnel to ensure that they are involved in the
external service provider selection process from the beginning. It is better
to discover any security issues sooner rather than later. Once a contract is
signed, it becomes much more difficult to change how you do business
with an external provider.
Risk:
Without a thorough due diligence process that includes evaluating
security, there is a risk that the company will choose a provider that will
not adequately secure the company’s data.
Client Response:
10. What is the financial condition of the provider?
Guidance:
In the due diligence process, the financial condition of the pro-
vider is one of the most important areas, if not the most important area in
AU1706_book.fm Page 314 Wednesday, July 28, 2004 11:06 AM
Appendix G
today’s economy. If the provider is a publicly traded company, financial
information is publicly available (on the Internet). When reviewing the
financials, a number of factors should be considered, including:
Amount of cash on hand
Amount of debt
Profit and loss statement trends
Cash flows
In addition to the above items, the notes to the financial statements, which
contain “other” financial information (contingent liabilities, related-party
transactions, going-concern language), should be reviewed. Any recent Form
8-K filings should also be reviewed, as these report material events and
significant changes to the business between quarterly and annual reports.
The specific criteria used in reviewing the financial data
depend on the company and its tolerance for risk. At the minimum, the
provider should have the financial means to stay in business for the
duration of the contract. For providers that are not publicly traded, finan-
cial information may not be readily available and in these cases, you
should talk to the provider as well as do some independent research. For
example, if the company is being funded by VC (venture capital), you
might be able to see some details on the VC firm’s Web site. The impor-
tance of the financial condition cannot be overstated. There have been
more than a few cases where providers have gone bankrupt or folded. If
this were to happen, it would not only be a hassle operationally, there
would also be issues relating to retrieving and securing the information
on the provider’s systems.
Risk:
If the external provider is not financially sound, significant risks
exist related to disruption of services and the security of information resid-
ing on the provider’s systems.
Client Response:
11. Does the external provider have any customer references? Do they provide
service for companies similar to yours?
Guidance:
Customer references should be obtained and actually contacted when looking at an
external provider; a list of names is not a reference until someone has
spoken to them. References can provide great insight into the quality of ser-
vice given by the external provider. References from companies similar to
the client’s are the most useful, because an external service provider who
services similar companies might have more expertise and thus provide better
service. In addition, there might be providers who specialize in customers
who are in the same industry as the company’s, in which case it might make
sense to look at those providers also.
Risk:
If the external provider cannot provide solid customer references,
there is a risk that they are either not very good or they are just starting out
and do not have an adequate level of expertise. This does not mean that
providers without solid references should not be considered; it does mean
that they should be reviewed thoroughly. Other qualities may make them
an attractive choice.
Client Response:
12. Does the external service provider have any security policies and proce-
dures in place?
Are there procedures that are documented and followed?
Are systems used for providing services hardened to the extent possible?
Guidance:
As with the company’s own security policies, the provider
should also have formal security policies, which are the foundation to their
information security program. Ideally, the policies should be reviewed as
part of the due diligence process. Whether or not the external service pro-
vider has them is an indication of how serious they are about security. With
some external providers who are struggling financially, there might be a
tendency to cut corners in some areas. Information security is one of those
areas that companies will often cut because it typically does not have an
obvious and direct link to revenue. In addition, you should determine
whether the external service provider has documented procedures for crit-
ical processes such as backup and recovery, employee terminations, physi-
cal security, and other key processes. For the hardening question, ask
whether systems are built to a documented configuration standard (unneeded
services disabled, patching on a defined schedule, default accounts removed)
and whether the provider can show evidence that the standard is applied,
rather than simply asserting that it is. A lack of documented procedures
could be an indication that these processes are not being performed con-
sistently or not being done in a secure manner.
Risk:
If an external service provider does not have security policies and
procedures in place, there is a risk that the provider does not have a sound
information security program, resulting in an increased risk of security in-
cidents associated with using the external service provider.
Client Response:
13. What measures does the third-party provider have in place to physically
secure its environment?
Guidance:
Sometimes, there is a heavy focus on technical security, and
physical security is not given much consideration. Remember that some-
times, the best way to gain unauthorized access to systems is to be able to
physically have access to them. Physical access to the facilities should be
tightly controlled so that only those who need access to do their jobs have
access. Physical security for the provider’s premises should be comparable
to the company’s own physical security requirements. For the equipment
housing the critical information, strong physical security measures should
be in place to protect customer machines and the data on them. This eval-
uation should be a part of the due diligence process. The physical security
of the external service provider’s facilities should be a key factor in deter-
mining which provider to select.
Risk:
If the provider does not have good physical security, there is an in-
creased risk of unauthorized access to their facilities and potentially the
systems holding customer data. This can lead to a compromise of sensitive
data or the disruption of operations.
Client Response:
14. Does the third-party provider contract call for an independent audit to
be performed periodically?
Guidance:
A provider, whether publicly traded or not, should have an
audit done by a qualified independent party. An independent audit can val-
idate some of the things learned in the due diligence process and provide
some assurance that the provider has good security and controls. A financial
statement audit can also validate the financial condition as represented by
management; note that this is a separate engagement from a review of controls.
One of the audits that is useful is the SAS 70 review, which is sanctioned
by the AICPA (American Institute of Certified Public Accountants) and is
a review of the internal control environment of a service organization (a
detailed discussion of the SAS 70 is included in Chapter 9). Ask for a
Type II report, which tests whether the controls operated effectively over a
period, rather than a Type I report, which covers only their design at a
point in time, and read the report’s scope and its user-control considerations:
controls the provider assumes the customer performs are excluded from the
opinion. The SAS 70 is typically performed by certified public accounting
(CPA) firms that have appropriately trained individuals and are licensed to
provide this service. (SAS 70 has since been retired; its AICPA successors
are the SOC 1 report, for controls relevant to financial reporting, and the
SOC 2 report, for security, availability, processing integrity, confidentiality,
and privacy, both issued under SSAE 18.) Besides the SAS 70, there are other
standards in use such as the AICPA WebTrust and SysTrust standards, which are
also independent audits based on published criteria (these criteria are readily
available on the Internet). Several other independent audits can also be
done. Keep in mind that the key is that these audits must be independent.
Risk:
Not applicable. There is no specific risk associated with whether or
not an independent audit is done. However, there is significant value in
having an independent opinion regarding the external provider’s control
and security environment.
Client Response:
15. Is there a person or a group of people in the company who are in charge
of managing the relationship with the third-party provider?
Guidance:
Once there is a relationship with the provider, someone from
the company should be in charge of managing the relationship, or at a min-
imum, be a single point of contact. This does not have to be a person for
whom this is the sole responsibility. This person’s role can vary from being
a point of contact to someone with decision-making authority who can
manage the relationship and ensure that the contract requirements are met.
In addition, having this role in place creates a single point where all com-
munication is funneled through and a mechanism for surfacing any issues
in the relationship. The provider should also provide a single point of con-
tact to help ensure proper communication.
Risk:
Without someone being a point of contact and facilitating good com-
munication, there is a risk that the contract requirements, particularly from
a security perspective, will not be met. In addition, issue resolution is also
more difficult without a point person on both sides who knows what has to
be done.
Client Response:
16. How does the external service provider, specifically application service
providers (ASPs), secure the company’s information on its computers and
ensure that the company’s information is not commingled with another
company’s information?
Guidance:
At a technical level, the data of each company on the external
provider’s machines should be segregated. Depending on how the archi-
tecture is set up (dedicated instances per customer, a shared database with
separate schemas, or a single shared schema with a tenant column on every
table), a risk might exist that different companies’ data could be
commingled. As part of the security assessment, someone with the appro-
priate technical expertise should review the information flows and deter-
mine whether appropriate security measures are in place to protect the
confidentiality of the company’s information residing on the external
service provider’s computers and that data from different companies is not
commingled. In a shared design, the check is that every data access is keyed
on the authenticated customer’s identity, not merely on a record identifier,
and that backups, logs, caches, and reports are segregated in the same way.
Risk:
If data from different companies is commingled, there are two poten-
tial risks:
Other customers of the provider might have unauthorized access to
company information.
The integrity of the company’s data might not be maintained.
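The following is an added example, not from the book or any provider it describes, showing what the technical review in question 16 looks for in a shared-schema design. A constructed table holds two customers’ records; one lookup keys on record id alone (the commingling failure mode), the other keys on tenant and id (the equivalent of `WHERE tenant_id = ? AND id = ?`), and an audit routine tries every record from every tenant’s identity and reports any record that is reachable but belongs to someone else. Tenant names, record contents and function names are all assumptions for the illustration.

```python
"""Tenant-isolation check for a shared (multi-tenant) data store.

Added illustration, not from the book. Models the "commingling" risk in
question 16: if a lookup is keyed on the record id alone, one customer can
read another's data. All records below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Record:
    record_id: int
    tenant: str      # owning customer; in SQL terms the tenant_id column
    payload: str


# Constructed sample: one shared table holding two customers' data.
SHARED_TABLE: List[Record] = [
    Record(1, "acme", "acme payroll Q1"),
    Record(2, "acme", "acme customer list"),
    Record(3, "globex", "globex payroll Q1"),
    Record(4, "globex", "globex pricing"),
]


def fetch_insecure(table: List[Record], record_id: int) -> Optional[Record]:
    """Lookup by id only: the caller's tenant is never consulted (the defect)."""
    for r in table:
        if r.record_id == record_id:
            return r
    return None


def fetch_scoped(table: List[Record], tenant: str, record_id: int) -> Optional[Record]:
    """Tenant-scoped lookup: the tenant is part of the key, so a record owned
    by another customer is indistinguishable from a record that does not exist."""
    for r in table:
        if r.tenant == tenant and r.record_id == record_id:
            return r
    return None


def list_scoped(table: List[Record], tenant: str) -> List[Record]:
    """Every record a tenant may see; used to verify listings are scoped too."""
    return [r for r in table if r.tenant == tenant]


Fetcher = Callable[[List[Record], str, int], Optional[Record]]


def audit_isolation(table: List[Record], fetch: Fetcher, tenants: List[str]) -> List[Tuple[str, int, str]]:
    """Act as each tenant in turn and request every record id in the table.
    Returns (requesting_tenant, record_id, actual_owner) for each leak."""
    leaks = []
    ids = sorted({r.record_id for r in table})
    for t in tenants:
        for rid in ids:
            r = fetch(table, t, rid)
            if r is not None and r.tenant != t:
                leaks.append((t, rid, r.tenant))
    return leaks


def run_audit() -> Tuple[List[Tuple[str, int, str]], List[Tuple[str, int, str]]]:
    """Audit both access paths; returns (leaks via insecure path, leaks via scoped path)."""
    tenants = sorted({r.tenant for r in SHARED_TABLE})
    insecure = audit_isolation(SHARED_TABLE, lambda tb, t, rid: fetch_insecure(tb, rid), tenants)
    scoped = audit_isolation(SHARED_TABLE, fetch_scoped, tenants)
    return insecure, scoped


if __name__ == "__main__":
    bad, good = run_audit()
    for tenant, rid, owner in bad:
        print(f"LEAK: {tenant} can read record {rid} owned by {owner}")
    print(f"scoped path leaks: {len(good)}")
```

Run against a real provider this becomes a test executed with two customer credentials against the actual API: if any record or listing is returned for an identifier that belongs to the other customer, the data is commingled in the sense the question asks about, whatever the provider’s architecture diagram says.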