Security Basics mailing list archives
RE: Third-parties and vendors
From: Tony UcedaVélez <tonyuv () versprite com>
Date: Thu, 7 Dec 2006 21:37:04 -0500
Holding third parties accountable to your organization's own security policy may seem like the right approach, but the security policy of your organization should be specific to your organization's IT infrastructure and in support of your company's business objectives. The third party, by abiding by your company's security policy, may be addressing security aspects that are not related to the service being offered to your organization. This is compounded by the fact that security policies do not offer precise details on how the controls (whether manual or technical) should be implemented and managed.

Most mature organizations spend time to develop a set of standards for third party service providers. I say standards in lieu of policies because they offer more specific criteria as to what the third party should abide by. Most service providers will be more thankful to address third party standards in lieu of policies, given that there is more precise information in the content of a standard compared to the vagueness of a policy (an inherent trait of a policy).

In the financial sector, the BITS group has allowed for the convergence of its financial industry members to address third party security standards via the development of various reference material and even toolsets that serve as a baseline for addressing the security posture of third party service providers. The BITS organization has allowed banks and financial institutions from within the same industry to address some of the core security parameters that should be pervasive amongst their service providers. They have done a good job in sharing similar concerns related to third parties, given that their operations are similar in many respects. More info can be obtained regarding that effort at www.bitsinfo.org/FISAP/index.php. Other industries will do well to emulate their efforts and leverage the lessons learned from other peers in their respective industry.
Going back to your original question, I would begin by addressing the specific components of your third party's service offering and mapping those components to your organization's strategic objectives. There will be parts of their service offering that greatly impact various components of your company's strategic objectives; therefore, you should focus on mapping those specific components to common security domains (use ISO 17799:2005 as a start). Upon doing so, you will be able to identify what underlying security control objectives you want your third party to comply with, and list for them the underlying controls that will be measurable and serve as your set of third party standards for that particular vendor. Obviously, if you have numerous vendors, you will want to identify commonalities across the vendors in order that you don't repeat this exercise multiple times.

Hope this helps.

Tony UcedaVélez, CISA, GIAC
VerSprite, LLC - True Spirit of Business Technology
(office) 678.938.3434
(email) tonyuv () versprite com
(web) www.versprite.com

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Stephen Tanner
Sent: Tuesday, December 05, 2006 8:41 AM
To: security-basics () securityfocus com
Subject: Third-parties and vendors

I was wondering how everyone holds third-parties and vendors to their security policies. I have a few templates with suggestions, but I'm not sure that I could get a large corporation to sign the document without them wanting to have a slew of lawyers look it over. What do the rest of you do?

Stephen Tanner
Information Security Administrator
Network Support Services
Lee County Clerk of Courts