Cyber risk management of third party suppliers and partners
- Published: Tuesday, 28 June 2016 08:41
Dr. Jim Kennedy explains why managing the cyber risks posed by suppliers and partners is the weak link in many information security plans and looks at how to improve in this area.
Computer, network, and information security is based on three pillars: confidentiality, integrity, and availability. In my business as an information & cyber security, business continuity and disaster recovery consultant, I see every day how various sized and types of companies address and balance these three areas along with business needs. Some very well, some not so well, and some really poorly.
Given all the regulations and standards (HIPAA, SOX, NERC-CIP, FISMA, PIPEDA, ISO 27001/2, the NIST SP 800 series, etc.) developed and published over the last five or ten years, you would think that US businesses and government should be doing much better at securing their computing systems and network infrastructures. However, based on the seemingly never ending stream of cyber events prominent in the press and trade journals almost every day, this does not seem to be the case.
We are informed on an almost daily basis that government agencies and private sector companies continue to have numerous and, in many cases, recurring cases of data leakage: a politically correct way of saying data loss, theft, or compromise. We hear about the theft of credit card and personal information and, worst of all, we hear of companies that have lost critical personal and health related information despite the many security controls that were supposed to be in place. Worse yet, we hear of extremely large sums of money extorted from banks and other financial institutions, and of the fragility of power grids and gas distribution systems worldwide in the face of cyber attacks.
From time to time the media will provide on-screen experts who speak of ‘script kiddies’: non-expert computer hackers who use pre-packaged software to break into systems without much intellect of their own. The term is often used in a derogatory or sarcastic fashion to denote the less knowledgeable hacker. Of late, however, those compromising systems and networks are much more organized, smarter and often backed by nation states.
Having been involved in information/cyber security for over 30 years, I have been asked to review computer and network security breaches for many Global 1000 corporations in the government, financial, pharmaceutical, electric power generation and distribution, manufacturing and telecommunications sectors of our economy. In many cases the breaches I analyzed stemmed from inadequate security policies and operational procedures, or from failure to adhere to the policies and procedures that were in place. Trusted insiders or employees also accounted for some of the losses of information and compromises of critical networks and systems.
However, a large number of the security breaches I investigated came from inadequately managing and controlling the risks posed by third party partners or suppliers. In many cases these third parties were knowingly given unfettered access to an organization's most critical and valuable information, systems, and networks with minimal security review, or none at all. Why? To facilitate the interconnection of these suppliers or partners so that they could transact business or receive or deliver services. This business or contractual mandate of trusted and easy access has unfortunately resulted in:
- Loss of business critical information and intellectual property;
- Compromise of customer, patient, or employee personal and financial information;
- Large losses of institution, organization, shareholder, or customer/client funds;
- A risk of targeted breach or failure of critical infrastructure and governmental agencies.
So when it comes to third party risk, what should be done?
In information/cyber security work there is a basic but important rule used to properly protect third party connectivity, transactions and intercommunications: ‘Trust but Verify’.
By entering into any business or operational agreement or contract, the Trust component is already in place. The next order of business for the trusting organization is for its security team to Verify that adequate security is in place to justify that Trust for any connection between the two organizations. To begin this process, the value of the data to be sent, received, and/or stored needs to be clearly understood, along with the critical network, storage, and systems security needed by both the primary organization and its proposed supplier or partner. The next order of business is to clearly identify, and provide access to, only the minimal amount of information and/or data that must be sent, received, or stored to meet the terms of the business contract or arrangement. ‘Less is always Best’.
From this understanding, all parties involved in the supplier or partnering arrangement should develop a set of security expectations for the effort. Often partners and/or suppliers are smaller and less technically mature than the primary business entity and have less to protect. They have a strong desire to ‘begin quickly’ the business function to be undertaken. This is where senior management (CISO or CSO) needs to move with the required caution. The security organization of the primary business entity should already have third party interconnection and transaction security checklists with which it can ascertain the level of risk that each supplier or partner presents through its interconnection to the primary business' networks, systems, and databases (information). This checklist could be completed either by the third party supplier or partner itself or, for high risk interconnections, through a site visit by the primary business' security or audit team. Risks should be reviewed, and senior management should determine whether each risk is acceptable or can be mitigated to satisfaction. In either case, senior security management should absolutely be involved in the final decision.
The outcome of this risk assessment effort should ensure the following:
- That only the data required to accomplish the mission of the interconnection is shared;
- That only individuals requiring access to the data have access (need to know);
- That it is known at all times where the data is stored, and that every point to and from which data is transferred is understood;
- That no access is allowed from unapproved devices, whatever their source;
- That once the third party agreement is completed or terminated, all shared data owned by the primary business or government entity is destroyed or returned as the contract requires;
- That service levels specific to the third party agreement in place are defined;
- That all parties have a clearly defined incident/breach response plan in place.
All data between the primary business or government entity and its third party suppliers/partners, whether in motion or at rest, should be monitored continuously, and compliance with all agreed upon policies and practices should be reviewed at least yearly.
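As an added illustration (not from the article, nor from any tool the author describes), here is one way the ‘Verify’ side of that monitoring can be automated: a small Python script that checks connection log records against what each third party agreement actually permits, namely the approved source devices, the internal services the partner may reach, and the data classes allowed across the link, and flags anything outside that scope, including traffic from a partner with no agreement on file. The partner names, agreement contents, key=value log format and log lines are all constructed for the example.

```python
"""Check third-party connection records against interconnection agreements.

Added example, not from the article. Partners, agreements, the log
format and the log lines are all constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Agreement:
    """What one (hypothetical) third party interconnection agreement permits."""
    partner: str
    approved_sources: Tuple[str, ...]              # CIDR blocks of the partner's approved devices
    allowed_services: FrozenSet[Tuple[str, int]]   # (internal host, port) the partner may reach
    allowed_data: FrozenSet[str]                   # data classes permitted across the link


# Constructed agreements for two hypothetical partners (documentation-range addresses).
AGREEMENTS: Dict[str, Agreement] = {
    "acme-billing": Agreement(
        partner="acme-billing",
        approved_sources=("203.0.113.0/28",),
        allowed_services=frozenset({("sftp-gw.internal", 22)}),
        allowed_data=frozenset({"invoice"}),
    ),
    "medlab": Agreement(
        partner="medlab",
        approved_sources=("198.51.100.10/32", "198.51.100.11/32"),
        allowed_services=frozenset({("hl7-gw.internal", 2575)}),
        allowed_data=frozenset({"lab-result"}),
    ),
}

# Constructed connection log: "timestamp key=value key=value ..." (format assumed for this example).
SAMPLE_LOG = """\
2016-06-27T08:01:12Z partner=acme-billing src=203.0.113.5 dst=sftp-gw.internal port=22 data=invoice
2016-06-27T08:03:44Z partner=acme-billing src=203.0.113.77 dst=sftp-gw.internal port=22 data=invoice
2016-06-27T08:05:09Z partner=acme-billing src=203.0.113.5 dst=hr-db.internal port=1433 data=employee-pii
2016-06-27T08:07:30Z partner=medlab src=198.51.100.10 dst=hl7-gw.internal port=2575 data=lab-result
2016-06-27T08:09:02Z partner=medlab src=198.51.100.10 dst=hl7-gw.internal port=2575 data=patient-billing
2016-06-27T08:11:51Z partner=unknown-vendor src=192.0.2.9 dst=sftp-gw.internal port=22 data=invoice
"""


def parse_line(line: str) -> Dict[str, str]:
    """Parse one 'ts k=v k=v ...' line into a dict; the timestamp is stored under 'ts'."""
    ts, *fields = line.split()
    record = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def check_record(rec: Dict[str, str], agreements: Dict[str, Agreement]) -> List[str]:
    """Return one string per violation for a record; an empty list means it complies."""
    agreement = agreements.get(rec["partner"])
    if agreement is None:
        # Traffic from a party with no signed agreement is itself a finding.
        return [f"{rec['ts']} {rec['partner']}: no agreement on file for this partner"]

    violations = []
    src = ipaddress.ip_address(rec["src"])
    # Unapproved device: source address outside every approved CIDR block.
    if not any(src in ipaddress.ip_network(cidr) for cidr in agreement.approved_sources):
        violations.append(f"{rec['ts']} {agreement.partner}: unapproved source device {src}")
    # Scope creep: reaching an internal service the agreement does not cover.
    if (rec["dst"], int(rec["port"])) not in agreement.allowed_services:
        violations.append(f"{rec['ts']} {agreement.partner}: reached {rec['dst']}:{rec['port']} outside agreed scope")
    # Over-sharing: a data class the agreement never authorised.
    if rec["data"] not in agreement.allowed_data:
        violations.append(f"{rec['ts']} {agreement.partner}: moved data class '{rec['data']}' not covered by agreement")
    return violations


def review_log(log_text: str, agreements: Dict[str, Agreement] = AGREEMENTS) -> Dict[str, List[str]]:
    """Check every log line and group the violations by partner name."""
    report: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        for violation in check_record(rec, agreements):
            report.setdefault(rec["partner"], []).append(violation)
    return report


if __name__ == "__main__":
    for partner, findings in review_log(SAMPLE_LOG).items():
        print(partner)
        for finding in findings:
            print("   ", finding)
```

Against the constructed log this reports three findings for acme-billing (one connection from a device outside its approved block, and one record that both reaches an internal database outside the agreed scope and moves employee data the agreement never covered), one for medlab (a data class not in its agreement) and one for a partner with no agreement at all. The same structure scales to a real environment by loading the agreements from the signed contract schedule and the records from the firewall or transfer-gateway logs, which is exactly the evidence needed for the yearly review of agreed policies and practices.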
Interconnection and sharing of information between businesses and government is necessary to keep the economy functioning and to let government organizations accomplish their important missions. Just as important is the protection of intellectual property, personal and patient information, customer and shareholder finances, and critical infrastructure and governmental operations and information. To do this properly, every third party entity that sends, receives, stores, or processes information on behalf of a business or government function needs to be assessed for the risk it might pose to that information, so that informed decisions can be made to ensure the security and availability of that information. I hope this has helped identify the elements necessary to make those decisions.
Dr. Jim Kennedy, MCTE, MRP, CEH, CHS-IV, SSIC is the chief consulting officer of Business Continuity/Security Services for Recovery-Solutions. Dr. Kennedy has over 35 years' experience in the information security, business continuity and disaster recovery fields. He is the co-author of three books, ‘Security in a Web 2.0+ World, A Standards Based Approach’, ‘Blackbook of Corporate Security’ and ‘Disaster Recovery Planning: An Introduction’ and author of an e-book, ‘Business Continuity & Disaster Recovery – Conquering the Catastrophic’. Contact him at Security-Solutions@bigfoot.com