Third Party Security: Are your vendors compromising the security of your Agency?

Transcription

1 Third Party Security: Are your vendors compromising the security of your Agency? Wendy Nather, Texas Education Agency Michael Wyatt, Deloitte & Touche LLP TASSCC Annual Conference 3 August 2010

2 Agenda 3 rd Parties: Here to stay Size and Nature of the Problem Risks and Risk Mitigation Clouds in our Eyes Policies and Assessments Recommended resources Q/A

3 3 rd Parties: Here to Stay Public/Private Partnership Specialized Skill Sets Cost Considerations Net: Can t unscramble the egg and probably wouldn t if we could

4 SIZE OF THE PROBLEM

5 Dimensions of the Problem On-Site Contractors access to sensitive information Application Development IT OPS - admin rights to apps and systems External service providers Business services (HR, payments, printing, etc.) Projects (web site development/hosting) Software / application vendors Outsourced support services ASP/ SaaS / Cloud Hosting Agency applications Housing sensitive data (PII, PHI) Handy Internet services (Survey Monkey, itunes U, etc.)

6 What s the Risk? Verizon Business Data Breach Incident Report 11% of breach events involved third-party partner as primary vector* 27% of breach events involve multiple sources (e.g. external + partner) 26% of compromised asset were managed externally; an additional 9 percent were co-managed *Note: based on data collected by VZB and Secret Service only and are for intentional breaches only, not contributory errors

7 e.g. Veterans Administration May rd party contractor s unencrypted laptop stolen with Sensitive Information 3 rd party certified all laptops used encrypted hard drives VA policy requires encryption Over rd parties refusing to sign encryption clause

8 RISKS AND RISK MITIGATION

9 Shared State of Texas Risk How many different accounts does your vendor service? What are you willing to bet they re using the same admin password for all of them? What are you willing to bet that the password is password?

10 Dude, Where s Our Firewall? How many trusted entry paths do you have to your network? How many connections do you have to third-party partners apart from outsourcing? Do you still really think you have a perimeter?

11 What s Most Important? Maintaining control over security Maintaining accountability Ensuring legal compliance

12 What s Not? Data Mapping Asset Classification Security Control Frameworks used by 3 rd parties Technical Controls in the absence of good business processes SAS-70s *

13 Methods of Control Technical control Business Processes / Procedural control Contractual control

14 The Password Problem System administrators have ultimate technical control

15 Balance: Technical Compensations Privileged Account Management Multifactor Authentication Balance: Process / Procedural Oversight Separate, immediate log collection Regular audits Paper throttle Workflow system Signoff requirements Balance: Contractual Acceptance or rejection of personnel Compliance with written policies

16 The Knowledge Problem If they have all the technical expertise, how do you know what they re doing? Balance: Procedural Separate technical expertise Regular reviews Balance: Contractual Solutions and practices must comply with legal requirements

17 The Money Problem Vendor can influence decision-making by judicious use of price tags Balance: Contractual Preserve right to do it yourself On-demand cost reviews and bids

18 Security Separation of Duties Contractor provides high-level security design documents, generic procedures, baseline security settings Agency determines which technical measures are needed to comply with laws (HIPAA, FERPA, IRS, CJIS, etc.) Consider having 3 rd party assess security of the source code and architecture This may cost extra

19 Application Security Software Development Life Cycle (SDLC) Do they even have one? Include them in yours Threat modeling Test cases including security QA phase includes security scanning/pen testing Don t forget the platform

20 No, really Warranties Any security issues relating to flaws in the implementation or design of the software shall be remediated at the expense of the vendor, regardless of when they are discovered, for the life of the contract. If anyone screams at this, kindly remind them that Microsoft et al. do this already; it s called maintenance.

21 What about enhancements? Any requests for new security functionality (such as different access control measures, new encryption, more detailed logging, etc.) shall be considered the same as other new operational functionality and shall be handled according to the software enhancement agreements in this document.

22 System Integrators Purchased product not under System Integrator s control Engagement Acceptance and Signoff Use of Off-shore vs. local resources Product Vendor Professional Services vs. Independent Professional Services

23 Verification Make the developer do their own security testing OWASP Application Security Verification Standard (ASVS) Project

24 Levels of Due Diligence What is our obligation to assess and monitor security? What is reasonable to ask of 3 rd Party providers? What responsibility does the State have in this area?

25 Additional Recommendations Eliminate unnecessary data; keep tabs on what s left Make sure essential controls are met Check the above again Test and review web applications Audit user accounts and monitor privileged activity Filter outbound traffic Monitor and mine event logs

26 CLOUD COMPUTING AND SAAS

27 Clouds get in our eyes Software as a Service (SaaS) Quick to set up No review by procurement or legal License = EULA No capital procurement required Monthly subscription (Watch out for ProCard charges!) No internal management costs

28 Forecast Cloudy with a 100% of chance of risk Security by Obscurity: e.g. Amazon S3 Controls: Lack there of for Security Loss: Of Physical control of agency information, Of Governance of the information Of Information itself Not Lost: Agency data retention AFTER contract conclusion / termination Cloudy Staff: Background checks for employees? Third party contractors? Water Leaks: Multi-tenancy increase chance of intentional and unintentional data access by one tenant of another tenant s information

29 Onward through the cloud One size does not fit all Cloud providers allow different levels of visibility / auditability Cloud Audit project: aka Automated Audit, Assertion, Assessment, and Assurance API (A6)

30 POLICIES, PROCEDURES AND ASSESSMENTS

31 Third Party Security Policies You have internal Policies but what about third parties? Explicit third Party Policies and Procedures Contract language

32 What to put in the contract General: Applicable All third Parties Security and Privacy Policies and Procedures & Legal Requirements Incident response Control and auditing of administrative privileges, user access Control and use of security software Right to Audit Laptops and removable media Account Management and Access Controls Data and Application: Hosting/Housing Agency data Inventory, Data classification levels, and record retention schedules Vulnerability scanning and remediation Security configuration standards Backup security Business continuity / disaster recovery Change Management Network Connectivity: 3 rd parties w/ direct access to Agency Network Business continuity / disaster recovery Encryption Telephone, Pull vs. Push

33 Assessments To Self-Assess or Not to Self-Assess References and Referrals Model: Financial Services Industry Components to look at: IT and Risk Security Policies Asset management Security Awareness Physical and Environmental Access control Communications and Operations Business Continuity Management of Privacy Incident management Compliance

34 The bottom Line: Are all vendors bad? Well, not all of them Trusted partners with security expertise

35 Questions? Wendy Nather Texas Education Agency Michael Wyatt Deloitte & Touche LLP

36 RESOURCES

37 Resources The Shared Assessments Program sponsored by BITS General Electric Third Party Information Security Policy licy.doc The Cloud Security Alliance: The Open Group's Jericho Forum: OWASP Application Security Verification Standard (ASVS) Project erification_standard_project Cloud Audit Project -

38 This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this presentation. About Deloitte Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, and its network of member firms, each of which is a legally separate and independent entity. Please see for a detailed description of the legal structure of Deloitte Touche Tohmatsu and its member firms. Please see for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Copyright 2010 Deloitte Development LLC. All rights reserved.