Addressing the Risks of Outsourcing

Transcription

1 Addressing the Risks of Outsourcing White Paper June 2006 Contents You Are Entrusting Another Entity to Protect Your Data.. 1 Ensure Your Business Partners Have Strong Security Programs... 2 Common Business Partner Risks... 4 Responsibility Follows the Data... 5 About the Author... 6 About NetIQ Corporation... 6 by Rebecca Herold, CISSP, CISM, CISA, FLMI Many organizations are outsourcing very specialized data processing and management activities in an effort to save money or because they simply don t have the resources, experience, or capabilities to perform the tasks themselves. According to a 2005 IDC report, the global market for outsourced IT services hit $84.6 billion in IDC expects: The IT outsourcing market to grow 6 percent annually through the end of the decade, reaching $112.5 billion in The current $33.8 billion U.S. market to grow at 4.2 percent. Organizations also outsource to access specific expertise that they may not possess and cannot afford to hire full-time trusting that the outsourced work will incorporate that expertise. For example, if you outsource application programming, you probably expect that the individuals doing this work know about application security and will incorporate it into the product they create for you. You probably also expect them to know how to protect information in a shared customer environment; making sure that the code they create for your organization is not accidentally sent to another customer. Outsourcing is becoming commonplace, particularly with many top financial, health care, tax reporting, and credit reporting companies. Chances are there are people within your organization considering outsourcing some of your data processing activities.

2 THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE AGREEMENT OR A NON-DISCLOSURE AGREEMENT. EXCEPT AS EXPRESSLY SET FORTH IN SUCH LICENSE AGREEMENT OR NON-DISCLOSURE AGREEMENT, NETIQ CORPORATION PROVIDES THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SOME STATES DO NOT ALLOW DISCLAIMERS OF EXPRESS OR IMPLIED WARRANTIES IN CERTAIN TRANSACTIONS; THEREFORE, THIS STATEMENT MAY NOT APPLY TO YOU. This document and the software described in this document may not be lent, sold, or given away without the prior written permission of NetIQ Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of NetIQ Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data. This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in or changes to the software described in this document at any time NetIQ Corporation, all rights reserved. U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R (for Department of Defense (DOD) acquisitions) and 48 C.F.R and (for non-dod acquisitions), the government s rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement. Check Point, FireWall-1, Provider-1, SiteManager-1, and VPN-1 are trademarks or registered trademarks of Check Point Software Technologies Ltd. ActiveAgent, ActiveAnalytics, ActiveAudit, ActiveReporting, ADcheck, AppAnalyzer, Application Scanner, AppManager, AuditTrack, Chariot, ClusterTrends, CommerceTrends, Configuration Assessor, ConfigurationManager, the cube logo design, DBTrends, DiagnosticManager, Directory and Resource Administrator, Directory Security Administrator, Domain Migration Administrator, End2End, Exchange Administrator, Extended Management Pack, FastTrends, File Security Administrator, Firewall Appliance Analyzer, Firewall Reporting Center, Firewall Suite, Ganymede, the Ganymede logo, Ganymede Software, Group Policy Administrator, immarshal, Intergreat, Knowledge Scripts, MailMarshal, Marshal, Migrate.Monitor.Manage, Mission Critical Software, Mission Critical Software for E-Business, the Mission Critical Software logo, MP3check, NetIQ, the NetIQ logo, the NetIQ Partner Network design, NetWare Migrator, OnePoint, the OnePoint logo, Operations Manager, PentaSafe, PSAudit, PSDetect, PSPasswordManager, PSSecure, Qcheck, RecoveryManager, Security Analyzer, Security Manager, Security Reporting Center, Server Consolidator, SQLcheck, VigilEnt, Visitor Mean Business, Vivinet, W logo, WebMarshal, WebTrends, WebTrends Analysis Suite, WebTrends for Content Management Systems, WebTrends Intelligence Suite, WebTrends Live, WebTrends Log Analyzer, WebTrends Network, WebTrends OLAP Manager, WebTrends Report Designer, WebTrends Reporting Center, WebTrends Warehouse, Work Smarter, WWWorld, and XMP are trademarks or registered trademarks of NetIQ Corporation or its subsidiaries in the United States and other jurisdictions. All other company and product names mentioned are used only for identification purposes and may be trademarks or registered trademarks of their respective companies.

3 You Are Entrusting Another Entity to Protect Your Data When you entrust business partners with your company s confidential data, you are placing all control of security measures for your organization s data completely into their hands. That trust cannot be blind. Many recent security incidents have resulted from inadequate security practices within outsourced organizations handling another company s customer or employee data. When you outsource critical data processing and management activities, you must take action to stay in charge of your own business data security and minimize your business risks. You must know: How the business partner is complying with your regulatory responsibilities. How you can demonstrate to regulators that you are in compliance when someone else possesses your data. You must hold your business partners to strict security standards. In many instances, the standards applied to business partners will be more stringent than your organization s internal security requirements. Addressing the Risks of Outsourcing 1

4 Ensure Your Business Partners Have Strong Security Programs How you make sure your business partners are taking appropriate actions to protect the data with which you ve entrusted them depends upon the situation and existing legal restrictions. The following list highlights general actions you should take: Require a potential business partner to provide a copy of a recent security audit of their operations that was performed by an independent reputable party. Even if the audit is broad, it will demonstrate they have gone through an audit by a reputable company. Require business partners to complete a security self-assessment questionnaire, provided by your company, about their information security and privacy program. When creating this questionnaire, structure the questionnaire around the ISO and OECD topics in addition to any specific regulatory requirements that are beyond these standards. Include security and privacy requirements within the contracts you have with the business partners. Put in enough detail to cover all issues, but don t be so specific that you allow them a way to avoid doing a security activity just because you did not specifically state it within the contract. Include within the contract citations of the specific laws for which your company must comply so that the business partner understands they must also comply with such regulations. Require business partner personnel to receive information security training for appropriate security practices prior to handling or accessing your company s information. Don t limit the training to electronic data; if they handle storage media, paper documents, speak to customers about their data, or access data in any other way, make sure it is covered in the training. Require regularly scheduled training and awareness to occur following the initial training. Review the business partner s information security policies. Include this requirement in your contract with the business partner. Ensure the policies cover all the topics related to the activities the business partner performs for your company. Ensure the wording is strong enough to actually motivate the personnel for compliance. Look for executive endorsement of the policies and for clearly stated sanctions for policy violations. Require an abbreviated form of the self-assessment, a type of information security and privacy attestation again provided by your company, that the business partner must complete each month or two, have their executives sign, and submit to your company as a requirement of continuing to do business. The signatures and contract language will help to demonstrate due diligence on the part of your company and will hold the business partner to a legal standard of due care. 2 White Paper

5 For business partners handling particularly sensitive and/or regulated information, require a clean-room environment to keep information from walking out the business partner s door. In a clean room environment, all the machines and output devices except for terminals are disabled. Copies of data cannot be made, hard drives cannot be used, mobile computing devices and desktop computers cannot download data from any of the computers, and data is otherwise not available for downloading, printing, copying, or accessing beyond the contracted purposes. The servers reside in your country of residence. There is no way for the information to leave the outsourced company. Typically in such arrangements the outsourced company s employees are physically searched when entering and leaving. These are very strict precautions, so they will not work for every company, but they definitely should be used if your level of risk warrants such actions. Limit the amount and types of information the business partner personnel can see and/or access based upon the business needs. For example, if the business partner contracted activity is to verify a customer is a good credit risk, don t send all parts of the application to the business partner; just send the information required to approve the application. Require criminal and, where appropriate, financial checks to be performed on the business partner personnel prior to their hire. No matter how many security safeguards are in place, it s difficult to stop an opportunist who will steal data for money, revenge, or some other reason. Ensure that the people handling your data have not been convicted of criminal activity that would make them a high risk for handling your data. This verification might be tricky in some countries because records of criminal activity may not be centralized, such information may be labeled differently, and in some countries doing such checks are against privacy laws. As mentioned earlier, and worth emphasizing, make sure the business partner personnel are well trained about security procedures and legal consequences. Make sure none of your disgruntled ex-employees are now employees of the business partner to which you are outsourcing your data handling. Such situations have had a devastating impact on companies. Send personnel from your company to visit the business partner sites regularly, or at least occasionally, to view the facilities, meet employees, and monitor employee turnover and subcontracting activities. Addressing the Risks of Outsourcing 3

6 Common Business Partner Risks The following list highlights several areas of recurring vulnerability that have appeared in past business partner security reviews: 4 White Paper The information provided within the business partner s security self-assessment responses might not match the security requirements within the business partner s security policies. For example, the respondent for the self-assessment may indicate the passwords used are a minimum of six characters, but the policy may indicate passwords must all be a minimum of eight alphanumeric characters. Such conflicting information should raise a red flag for you; it may indicate the business partner does not enforce compliance or communicate the security policy requirements to its personnel. The business partner may be subcontracting the processing of your data to yet another company that does not have good security practices and/or may be located in a different country from yours or the business partner. Be sure to cover this within your contract with the business partner. The business partner may not have any security policies or controls in place for mobile computing devices (laptops, PDAs, Blackberries, smart phones, and so on) or for their employees who work from home. However, they may have personnel who use these types of computers to process your data. Be sure appropriate security is in place for such situations. Business continuity and disaster recovery plans are often either missing or were written several years ago and were never tested. Make sure the business partner has up-to-date plans in place and tests them regularly. The business partner may not have any requirements to encrypt confidential data when transmitting through untrusted networks, such as the Internet. Be sure to require encryption as appropriate to how the business partner transmits your organization s data. Encryption is often not used to protect information in storage, in transit, or on mobile computing media and devices, such as laptops, PDAs, backup tapes, USB drives, and so on. Be sure encryption is used by the vendor to mitigate the risk involved in such situations, including when the company is storing information from other companies on the same servers as they are saving your data. The business partner may have been involved with a security or privacy breach. There are multiple services you can use to check on this, in addition to dozens to hundreds of good Web sites to search for news about the business partner and any published security breaches for which it was involved. If you find the business partner had a breach or incident, be sure to ask the company about it and find out what actions were taken to prevent such an event from occurring again. The business partner may not have procedures in place to securely and irreversibly dispose of data when it is no longer needed or according to data retention requirements. Many business partners simply reformat hard drives or overwrite the drive once as part of their disposal practices. Business partners often also sell their retired computers to recoup their investment, but they do not remove the data from the hardware before doing so. Make sure your organization approves of the disposal procedures your business partner has in place. The business partner may not have any security controls for sending backup media containing your organization s data to offsite storage and/or they may not have adequate security at the offsite storage site. Make sure your organization carefully reviews the business partner s practices for sending data storage media offsite.

7 Responsibility Follows the Data The bottom line is that outsourcing data handling, processing, and management is a risky proposition for your company. It is your responsibility to ensure strong security follows the data to your business partner. You must perform due diligence to ensure your business partners are protecting your data according to your security requirements. You are ultimately responsible for what happens to the data you ve given to your business partners. Be sure to discuss these issues with your organization s legal counsel and acquisitions areas. Modify business partner contracts and acquisition requirements according to what is best for your organization. Don t allow your organization s name to make the headlines because your business partners did not secure your data appropriately and subsequently experienced a security incident. Addressing the Risks of Outsourcing 5

8 About the Author Rebecca Herold has more than 16 years of experience in information security, privacy and compliance. Rebecca is an independent consultant, author and instructor and assists organizations of all sizes with their information privacy, security and regulatory compliance programs. Rebecca has a B.S. in Math and Computer Science and an M.A. in Computer Science and Education. Rebecca is a Certified Information Systems Security Professional (CISSP), a Certified Information Systems Auditor (CISA), a Certified Information Systems Manager (CISM), and a Fellow of the Life Management Institute (FLMI). Rebecca has been a member of the Information Systems Audit and Control Association (ISACA) since 1990 and has held all board positions throughout her membership in the Iowa chapter. She was Vice President, Privacy Services and Chief Privacy Officer at DelCreo, Inc., Chief Privacy Officer and Senior Security Architect for QinetiQ Trusted Information Management, Inc., and Senior Systems Security Consultant at Principal Financial Group. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group which was awarded the CSI Outstanding Security Program of the Year Award in Rebecca is also an adjunct professor for the Norwich University Master of Science in Information Assurance (MSIA) program. Rebecca authored The Privacy Papers (Auerbach) in 2001, The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach) in 2003, The Business Executive Practical Guides to Compliance and Security Risks book series (Realtime Publishers) in 2004, Managing an Information Security and Privacy Awareness and Training Program (Auerbach) in 2005, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers) in 2005 and The Privacy Management Toolkit (Information Shield) in Rebecca lives in the country near Des Moines, Iowa. She is the community leader at and she can be reached at rebeccaherold@rebeccaherold.com. About NetIQ Corporation NetIQ is a leading provider of integrated systems and security management solutions that empower IT organizations with the knowledge and ability necessary to assure IT service. NetIQ's Knowledge- Based Service Assurance products and solutions include embedded knowledge and tools to implement industry best practices and to better ensure operational integrity, manage service levels and risk and ensure policy compliance. NetIQ s modular, best-of-breed solutions for Performance & Availability Management, Security Management, Configuration & Vulnerability Management, and Operational Change Control integrate through an open, service-oriented architecture allowing for common reporting, analytics and dashboards. We empower IT organizations with the knowledge of their IT service levels through automated assessment, understanding and real-time management of current configurations, known vulnerabilities and risk. With NetIQ you know your IT service is assured. Headquartered in San Jose, Calif., with offices and development facilities in 16 countries worldwide, NetIQ employs 900 people and has more than 3,000 enterprise customers. For more information, please visit the company's web site at or call (888) White Paper