Appendix G
319
Client Response:
17. Does the client’s employee termination process address access to external service provider systems?
Guidance:
Access to company-specific information on the provider’s systems is normally granted to certain employees who require it to do their jobs. In many cases, the provider’s systems are available through the Internet and access requires a simple user ID and password. The employee termination process should ensure that this access is removed. With these applications, a user can probably access the ASP and information by going directly to the provider’s Web site and bypassing the company’s network.
Risk:
If access to services by a third-party provider is not discontinued, there is a risk that a user will continue to have access to the company’s information after being terminated. This is especially a problem if an employee goes to a competitor after terminating his or her relationship with the company.
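One way an assessor can test the termination control in question 17 is to reconcile the HR list of terminated employees against a user export from the provider's application and flag accounts that are still enabled. The following is an added example written for this appendix, not code from the book; the HR feed, the provider export, its field names (employee_id, status, last_login) and the grace period are all constructed assumptions.

```python
"""Reconcile HR terminations against an external provider's user export.

Added example (not from the book). All data below is constructed sample
input; the export field names and the one-day deprovisioning grace period
are assumptions about how a real provider export and process would look.
"""
from datetime import date, timedelta

# Constructed: date on which the reconciliation is run.
AS_OF = date(2004, 7, 28)

# Constructed: HR feed mapping employee_id -> termination date.
HR_TERMINATIONS = {
    "e1001": date(2004, 6, 30),
    "e1002": date(2004, 7, 15),
    "e1003": date(2004, 7, 20),
}

# Constructed: account export from the provider's Web-facing application.
PROVIDER_ACCOUNTS = [
    {"employee_id": "e1001", "username": "jdoe", "status": "active",
     "last_login": date(2004, 7, 10)},
    {"employee_id": "e1002", "username": "asmith", "status": "disabled",
     "last_login": date(2004, 7, 1)},
    {"employee_id": "e1003", "username": "bwong", "status": "active",
     "last_login": date(2004, 7, 19)},
    {"employee_id": "e2001", "username": "cjones", "status": "active",
     "last_login": date(2004, 7, 27)},
]


def orphaned_accounts(terminations, accounts, as_of=AS_OF, grace_days=1):
    """Return provider accounts that are still active after the owner's
    termination date plus a grace period (assumed one day) for the
    deprovisioning workflow to run.

    Each finding records whether the provider saw a login after the
    termination date, which is the case the Risk paragraph describes:
    the user reached the provider directly, bypassing the company network.
    """
    findings = []
    for acct in accounts:
        term = terminations.get(acct["employee_id"])
        # Not a terminated employee, or already disabled: nothing to report.
        if term is None or acct["status"] != "active":
            continue
        deadline = term + timedelta(days=grace_days)
        if as_of <= deadline:
            continue  # still inside the grace period
        findings.append({
            "username": acct["username"],
            "employee_id": acct["employee_id"],
            "terminated": term.isoformat(),
            "days_overdue": (as_of - deadline).days,
            "used_after_termination": acct["last_login"] > term,
        })
    return findings


def post_termination_logins(terminations, accounts, as_of=AS_OF):
    """Usernames whose last recorded provider login is after termination."""
    return sorted(f["username"]
                  for f in orphaned_accounts(terminations, accounts, as_of)
                  if f["used_after_termination"])


if __name__ == "__main__":
    for finding in orphaned_accounts(HR_TERMINATIONS, PROVIDER_ACCOUNTS):
        print(finding)
    print("logins after termination:",
          post_termination_logins(HR_TERMINATIONS, PROVIDER_ACCOUNTS))
```

In practice the HR feed and the provider export are the two inputs the assessor has to obtain; the point of the script is that the comparison is mechanical, so it can be repeated on a schedule rather than relying on a one-time review.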
Client Response:
18. What steps has the provider taken to ensure the availability of the service? Is this reasonable based on the criticality of the service for the company?
Guidance:
When asking this question, the company must first consider their tolerance for downtime, which is affected by a number of factors including revenue impact, loss of customers, cost, and whether any alternate procedures can be used in the event the technology is not available. This contract-related information regarding availability could be obtained from the people who initially negotiated the contract. Depending on what is being provided, availability can be a critical issue. For example, in an e-commerce environment, a site being down can mean lost revenues and lost customers — both of which are bad for the business. There are three key items to look for when reviewing availability:
• Availability requirements related to the external service provider should be aligned with the needs of the business. Availability costs money, so the company should only ask for what is required.
• Availability should be addressed in the contract or the SLA, and penalties should be attached to not meeting the availability requirement.
• Specific steps should be taken by the provider to help ensure availability of service.
AU1706_book.fm Page 319 Wednesday, July 28, 2004 11:06 AM
320
A Practical Guide to Security Assessments
Risk:
If availability requirements have not been well thought through and are not addressed in the contract with the external service provider, a risk exists of disruption of services with limited ability to hold the provider accountable. In addition, if availability is not addressed in the contract, the company has diminished ability to enforce reasonable levels of availability.
Client Response:
19. Is the transport of information between the company and the third-party provider secure?
Guidance:
Besides protecting the information that is on the provider’s machines, the information that is transmitted (if any) from the provider to the company should be secured in some way (e.g., encryption). If information is transmitted in clear text across the Internet, it can be intercepted. If this information contains sensitive information such as personally identifiable data or credit card information, the implications can be severe. The consequences could include legal troubles, reputation damage, and others. A technical person should review this to properly assess the transmission of information.
Risk:
If the transmission of information is not secure, there is a risk that the confidentiality of the company’s information in transit can be compromised.
Client Response:
20. If the company’s data resides on the external provider’s systems, what backup strategy does the provider have?
Guidance:
This is a standard security measure that the provider should take. During the due diligence process, this issue should definitely be raised to understand how data is backed up and whether the measures taken are adequate based on the company’s business requirements. Consideration should be given to operational as well as any regulatory requirements related to backups. In addition, all other data backup concerns, such as access control and off-site storage concerns, should be addressed (see Backup and Recovery Questionnaire in the appendices for more details). These backup requirements should be addressed in the contract and be enforced. Although the company is ultimately accountable for the data being backed up, they are reliant on the external service provider to ensure backups are done properly.
Risk:
If the company’s data is not being backed up properly, a risk exists that in the event of any kind of disaster or other event requiring restoration of information, the company will not be able to recover critical data.
Client Response:
21. Is there an incident response process in place whereby the external service provider can inform company personnel in the event there is an incident? Have escalation lists been established?
Guidance:
Incidents must be handled properly to minimize any resulting damage. There should be an incident handling process between the company and the provider. Roles and responsibilities should be clear, and escalation lists should be established. When asking this question, you should determine whether any incidents have occurred in the past, and if so, how the incident was handled. Incident handling is a critical item that should be discussed during the due diligence process. To further review the provider’s incident handling process and determine whether it is appropriate, use the Incident Handling Questionnaire contained in Appendix J.
Risk:
Without a formal incident handling process in place between the provider and the company, a risk exists that security incidents will not be handled properly. This can potentially have several negative consequences depending on the severity of the incident including:
• Negative publicity if communication with the press is not handled properly
• Slower recovery time from the incident if not handled in an organized fashion
• Loss of revenue, customers, etc.
Client Response:
22. Does the third-party provider have a business continuity plan?
Guidance:
With some of the company’s data and operations being handled by another company, what would be the impact to the company if the provider had a disaster? Some issues to be concerned about include:
• Is the provider’s business continuity plan robust enough to allow the provider to be operational within a time frame that is acceptable to the company?
• Is the data adequately backed up so that data is not permanently lost?
• Has the business continuity plan been tested?
• Is the plan updated on a regular basis based on changes to the business?
• In the event of a disaster, what priority does the company have relative to other customers serviced by the external provider?
As a part of the assessment, you should review the provider’s business continuity plan and determine whether the company’s outsourced operations can be recovered in an acceptable time frame.
Risk:
If the provider does not have an adequate business continuity plan, there is a risk of long-term disruption of key operations or loss of data.
Client Response:
23. Is there a service level agreement between the company and the provider that specifies the specific services to be provided and the metrics against which it will be measured? Are there any remedies if the provider is not in compliance with the SLA? Some of the items to look for in a SLA include:
• Site availability
• Reliability
• Quality of service
• Security
Guidance:
A client is dependent on the external provider to provide a certain level of service in terms of availability, reliability, security, quality of service, and other factors. The SLA provides details about different aspects of the service including the scope of service, roles and responsibilities, performance metrics, and support. A SLA clearly defines the services being provided and metrics for the provider to meet. The metrics help ensure that the provider understands the level of service required and make them accountable. When reviewing the metrics, two key characteristics to look for include:
• Metric measurement — Ideally, the metric should be measured by some automated means, if possible. Automated measurements are more accurate and objective and, as a result, there is less opportunity to dispute the metric. Manually generated measures are subject to human error and are not as accurate.
• Penalties for not meeting the metric — A metric is much more valuable if penalties are associated with it. Failing to meet the metrics should result in some sort of financial penalty or some other appropriate penalty depending on the business.
Risk:
Without a SLA and associated metrics, an increased risk exists that the appropriate level of service will not be given to the company under the contract, which could negatively impact the business process being supported by the relationship with the external service provider.
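Questions 18 and 23 both come down to the same mechanics: an availability target written into the SLA, a metric measured automatically rather than by hand, and a penalty that applies when the metric is missed. The following is an added example written for this appendix, not code from the book, showing how such a metric can be computed from synthetic-probe results and checked against an SLA. The probe log, its line format, the availability target, the latency ceiling and the credit tiers are all constructed assumptions; a real SLA would define each of them.

```python
"""Compute an availability metric from automated probe results and apply
an SLA target and penalty schedule.

Added example (not from the book). The probe log, its format, the SLA
numbers and the credit tiers are constructed assumptions.
"""
from datetime import datetime

# Constructed probe log: one line per 5-minute check of the provider's site.
# Assumed format: ISO timestamp, HTTP status (or 'timeout'), latency in ms.
PROBE_LOG = """\
2004-07-28T00:00:00 200 120
2004-07-28T00:05:00 200 131
2004-07-28T00:10:00 503 0
2004-07-28T00:15:00 timeout 0
2004-07-28T00:20:00 200 118
2004-07-28T00:25:00 200 125
2004-07-28T00:30:00 200 119
2004-07-28T00:35:00 200 2600
2004-07-28T00:40:00 200 122
2004-07-28T00:45:00 200 117
"""

# Constructed SLA terms. A check only counts as "available" when it returns
# a 2xx response within the latency ceiling, so a slow site is not counted as up.
SLA_AVAILABILITY_PCT = 99.5
SLA_MAX_LATENCY_MS = 2000
# Credit tiers (floor of measured availability, credit percent owed), checked
# from best to worst; anything below the last floor gets the last credit.
PENALTY_TIERS = [(99.0, 5), (95.0, 10), (0.0, 25)]


def parse_probe_log(text):
    """Parse the assumed 'timestamp status latency' lines into tuples."""
    checks = []
    for line in text.splitlines():
        ts, status, latency = line.split()
        checks.append((datetime.fromisoformat(ts), status, int(latency)))
    return checks


def check_ok(status, latency_ms, max_latency_ms=SLA_MAX_LATENCY_MS):
    """True when the probe got a 2xx answer within the latency ceiling."""
    return (status.isdigit() and 200 <= int(status) < 300
            and latency_ms <= max_latency_ms)


def availability_pct(checks):
    """Percentage of probe checks that satisfied the SLA definition of 'up'."""
    ok = sum(1 for _, status, latency in checks if check_ok(status, latency))
    return 100.0 * ok / len(checks)


def sla_credit_pct(measured_pct, target_pct=SLA_AVAILABILITY_PCT,
                   tiers=PENALTY_TIERS):
    """Credit owed by the provider under the tier schedule; 0 if target met."""
    if measured_pct >= target_pct:
        return 0
    for floor, credit in tiers:
        if measured_pct >= floor:
            return credit
    return tiers[-1][1]


def evaluate(log_text=PROBE_LOG):
    """Summarize the period: checks counted, availability, target status, credit."""
    checks = parse_probe_log(log_text)
    pct = availability_pct(checks)
    return {
        "checks": len(checks),
        "failed": sum(1 for _, s, l in checks if not check_ok(s, l)),
        "availability_pct": round(pct, 2),
        "target_met": pct >= SLA_AVAILABILITY_PCT,
        "credit_pct": sla_credit_pct(pct),
    }


if __name__ == "__main__":
    print(evaluate())
```

Two design points matter when an assessor reviews a real SLA against code like this: the definition of "available" (here, a 2xx within a latency ceiling) must be the one written in the contract, or the measurement can be disputed; and the probe log should be produced by a party other than the provider, or at least be verifiable by the company, so the automated measurement is actually objective.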
Client Response:
24. Does the contract specifically address confidentiality requirements relative to the company’s records?
Guidance:
External providers potentially have a significant amount of information about different clients and their customers, much of which is sensitive. For example, medical information not adequately protected could result in unauthorized access, resulting in potential legal and regulatory issues. In the security assessment, you should determine what information resides on the provider’s computers and the related impact if the confidentiality of that information was breached (review Data Classification policy). Depending on the impact, a related provision in the contract might be justified. As with all contract-related matters, ensure that the contract has gone through a legal review.
Risk:
If there is no provision in the contract regarding the provider’s obligation to protect the confidentiality of information, there is a risk that the company has no basis for recourse against the provider if the confidentiality of the information is breached. Breach of confidentiality related to personal data can result in noncompliance with laws such as the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm–Leach–Bliley Act (GLBA) or with regulatory requirements such as those of the Federal Trade Commission (FTC).
Client Response:
25. Is access to the company’s information limited to only those who need it?
Guidance:
The external provider should be able to tell the client which personnel will have the ability to access the client’s information. As with all other access, users should only have access to what they need to do their