|
|
|
|
|
|
The Iso 17799 The Definite Guide For Security Geeks
|
By: Omar Sherin
In the Fourth part of this series we will discuss a clause that is causing nightmares for companies that take Information security seriously, this clause deals with (Security of third party access and outsourcing), As we all know it’s now a de-facto in most businesses to “outsource” some of the key business functions, and for some decision makers IT happens to be the easiest choice to outsource. The outsource model has been successful and incredibly cost effective in most of the cases because in my opinion people neglect applying lots of security controls which in their opinion would turn the whole idea cumbersome. But let me ask you a question to rest my case.
Imagine a company that outsource the help desk service, cant the IT support with the local machine administrator password logon the CEO’s laptop and copy the company’s budget or salaries sheet? The answer is terrifying.
What I can’t believe is that companies just don’t care about this scenario, they might have security controls over their own staff and terms in their contracts binding them to maintain company confidential data, but in most of the cases they treat the outsourcing firm with complete –unexplained- trust, maybe out of the human good nature.
Having said that, what about visiting users, consultants or auditors. What about their access, what about documenting their usage trail in case something malicious happened?
How many companies in Egypt actually do it the right way?
The ISO17799 tries to answer those questions by suggesting methods or controls to maintain the security of the company assets accessed by third party users.
4.2.1.1 Type of access:
Any type of third party access can be either (physical–offices, server rooms) or (logical-Information systems), you have to evaluate the access request on a case by case basis and classify it under one of the above types.
4.2.1.2 Reasons of access:
There are various reasons to grant a third party access to your data, But whatever the reason might be, the reason should be documented and signed by the access requester and the data owner who acknowledges that he/she is aware that an external party will access this data for this period of time.
4.3 Outsourcing:
Outsourcing agreements should deal with the risks, controls and procedures and to document all this in writing in the contract between the parties. For instance:
• How can we make sure that the outsources staff are aware of their security responsibilities, so no one could claim that he was not aware that accessing the salaries sheet was prohibited , best practices addressing this in the induction period.
• How the integrity and confidentiality be maintained and tested, I suggest scheduled and unscheduled audits even by another third party.
• What physical and logical controls are to be used to restrict and limit access to authorized users, my suggestion is to consider access card control systems for certain critical offices, a proper password complexity policy , making sure that users are aware of methods to secure their worksheets with passwords or encryption keys.
• The company should state clearly that it has the complete right to Audit its outsourced environment.
The contract should state the penalties and legal liabilities that would apply if a case of unauthorized access was discovered.
The above controls are to protect the interest of both parties, by affirming the boundaries that control the contract till they see it through. Till Egypt manage to develop some data ownership laws that binds all companies working in Egypt. I can’t see or understand why some companies still deal with their data as carelessly and as lightly as I have seen in many cases even for stock exchange listed companies where any information leakage (related to the annual forecast or the current financial state, etc…) could easily lead to disasters for stake holders and shares owners, who can be you and me.
One of the high profile incidents that affected 1.3 million users was labeled as “This is a typical data breach resulting from outsourcing. The client company didn’t even bother to check beforehand to see how safe it would be to send confidential information to that contractor. I’m certain that after such a large-scale incident the company will be much more careful when outsourcing in the future, and safeguards against data leaks will become a decisive factor when choosing a contractor,” says Denis Zenkin, marketing director at InfoWatch.
More on:
http://www.infowatch.com/threats?chapter=148831545&id=188217104
Posted by ROOT Technologies
|
|
|
