ISO 17799: A methodical approach to
partner and service provider security management
This tip is part of Ensuring compliance across the extended enterprise, a lesson in
SearchSecurity.com's Compliance School. Visit the Ensuring compliance across the extended enterprise lesson page for additional learning resources.
These days, it is fairly common for a company to outsource
customer-facing services or allow another organization to handle data
processing and even security monitoring and management. Outsourcing allows
companies to provide a wider range of services, reduce cost and focus on other
tasks that will strengthen the business.
Every time an organization trusts another business entity to
handle sensitive information or manage critical infrastructure, however, there
are risks. Worse yet, many companies do not realize that failing to closely
examine their prospective partners' security practices can lead to compromise.
Organizations that are bound by regulations like HIPAA, Gramm-Leach-Bliley (GLBA) and Sarbanes-Oxley (SOX) may pay an even steeper
price, as these regulations explicitly require organizations to manage the risk
associated with service providers.
Fortunately, enterprises can curtail partner or service provider
security issues by taking a methodical approach to assessing and managing the
risks. That means coming to terms with the risks and the costs of creating and
maintaining these partnerships. One such approach is a partner management
program based on the ISO 17799 standard.
A standards-based methodology
By definition, ISO 17799 is a "code of practice for security information management." In other words, it is a laundry list of best security practices that apply to a broad range of business environments. The standard covers areas including risk assessment, security policy, governance, access control, information classification, operations management and business continuity.
A partner management program based on the ISO standard consists of
three phases:
· Inherent risk assessment – A review of how much damage could be done to a partner if information or services were compromised and there were no security controls. In other words, how bad would it be if the partner was compromised? A partner, for example, may hold critical and sensitive customer information, like credit card numbers or social security numbers. If such data is compromised, a company's reputation could be ruined. That would constitute a critical inherent risk and call for a deeper evaluation.
· Partner practice assessment – An examination of the partner to a depth commensurate with the inherent risk. For critical partnerships that demand an in-depth review, many organizations use ISO 17799. The assessment consists of a walk-through of the standard, where the partner's practices are compared to those described in ISO 17799's 133 subsections. Each of ISO 17799's major areas (including risk assessment, security policy, access control, communications and operations, physical security, and business continuity) has subsections which review best management practices.
When addressing communications and operations management, for example, the assessment walks through the administrative practices for the service provider's production environment, covering the distribution of responsibilities, the documentation of procedures, and critical control components like change control and patch management. While such an evaluation may sound straightforward, each one of the sections requires managers to carefully consider how the standard should be applied to their given business, organizational, and technical contexts. A reasonable practice for a small company where every employee knows each other, for example, may be less acceptable in large multinational organizations, and decisions must be made accordingly.
The ISO standard can also be useful in reviewing partners that provide less critical services. The standard can be used to construct a questionnaire that gathers data and assesses how well an organization and its many departments can manage the security of another company's information. Some questions that would likely appear in a questionnaire are:
· Does your organization utilize network controls to segregate the corporate and production networks?
· What mechanisms are used to ensure that only authorized application users are allowed access to data managed by the service?
· How often are backups of the service data executed?
· Has a documented incident response plan been put in place? How often does the production staff practice the plan?
· Has your organization had a security incident?
· Remediation, monitoring and periodic assessments – After a partnership is established, the work is just beginning. Any important weaknesses that are discovered should be remediated according to an agreed-upon timeline. Furthermore, the initial assessment should be used as a baseline against which future analyses can be compared. Service providers should be revisited at least once a year to determine whether anything about their environments, designs or practices has changed for the worse. Using an ISO 17799-based report card makes it possible to compare a partner's progress with the results and assessments of other partners. The accumulation of information can help establish minimum requirements for all service providers.
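The three phases above can be run as a small, repeatable scoring model rather than a set of ad hoc spreadsheets. The Python below is an added example written for this page, not code from the article or from SystemExperts: it tiers a partner's inherent risk from the data it holds, picks the review depth from that tier, records per-area ISO 17799 report cards, flags areas that regressed against the baseline year, and derives a per-area minimum requirement from the accumulated cards of all partners. The partner names, the data-class labels, the per-area scores, the mapping of tier to review depth and the choice of the cross-partner median as the "minimum requirement" are all constructed assumptions for illustration; the article does not prescribe any of them.

```python
"""Added example: a toy model of an ISO 17799-based partner management program.
Partner names, scores, thresholds and the tier->depth mapping are constructed."""
from dataclasses import dataclass
from statistics import median

# The major areas the article names; a real walk-through would use the
# standard's own subsections (133 of them, per the article) instead.
AREAS = [
    "risk assessment",
    "security policy",
    "access control",
    "communications and operations",
    "physical security",
    "business continuity",
]

# Data classes whose compromise the article treats as reputation-ending.
# Labels are constructed for this example.
HIGHLY_SENSITIVE = {"credit card", "ssn"}


def inherent_risk(data_types, service_is_critical):
    """Phase 1: how bad would a compromise be with no controls in place?"""
    if data_types & HIGHLY_SENSITIVE:
        return "critical"
    if service_is_critical or data_types:
        return "moderate"
    return "low"


def assessment_depth(tier):
    """Phase 2: review depth is commensurate with inherent risk (assumed mapping)."""
    return {
        "critical": "full ISO 17799 walk-through",
        "moderate": "ISO 17799-based questionnaire",
        "low": "self-attestation",
    }[tier]


@dataclass
class ReportCard:
    """One year's assessment of one partner: area -> fraction of reviewed
    controls judged satisfactory (0.0 .. 1.0)."""
    partner: str
    year: int
    scores: dict

    def weak_areas(self, threshold):
        """Areas scoring below a remediation threshold, for the agreed timeline."""
        return sorted(a for a, s in self.scores.items() if s < threshold)


def regressions(baseline, current):
    """Phase 3: areas where this year's card is worse than the baseline card."""
    return sorted(
        a for a in baseline.scores
        if current.scores.get(a, 0.0) < baseline.scores[a]
    )


def minimum_requirements(cards):
    """Derive a per-area floor from all partners' cards. Using the median
    across partners is a design choice for this example, not the article's."""
    return {
        a: median(c.scores[a] for c in cards if a in c.scores)
        for a in AREAS
    }


def below_minimum(card, minimums):
    """Areas where a partner falls short of the derived minimum requirements."""
    return sorted(a for a, m in minimums.items() if card.scores.get(a, 0.0) < m)


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    tier = inherent_risk({"credit card", "email"}, service_is_critical=False)
    print(tier, "->", assessment_depth(tier))
    acme_2006 = ReportCard("acme", 2006, {
        "risk assessment": 0.9, "security policy": 0.8, "access control": 0.7,
        "communications and operations": 0.6, "physical security": 0.9,
        "business continuity": 0.5})
    acme_2007 = ReportCard("acme", 2007, {
        "risk assessment": 0.9, "security policy": 0.85, "access control": 0.6,
        "communications and operations": 0.7, "physical security": 0.9,
        "business continuity": 0.5})
    print("regressed:", regressions(acme_2006, acme_2007))
```

In practice the score per area would come from the walk-through or questionnaire answers; the point of keeping the cards as data is that the same comparison functions serve the annual revisit of one partner and the cross-partner comparison the article recommends.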
ISO 17799 as a common framework
While most service providers bristle at the idea of yet another security review, particularly one that goes to the depth that an ISO 17799 review calls for, most can appreciate the fact that the ISO standard provides a set list of requirements.
One of the most problematic aspects of partner reviews is their ad
hoc nature. Service providers are essentially asked to play by a different set
of rules for each review they face. By agreeing on ISO 17799, service providers
and consumers can substantially reduce the cost of preparations and make
reviews much more efficient. The result is better communication, better
documentation and faster consummation of service agreements.
About the author:
Dick Mackey is regarded as one of the industry's foremost authorities on distributed computing infrastructure and security. He has advised leading Wall Street firms on overall security architecture, virtual private networks, enterprise-wide authentication, and intrusion detection and analysis. He also has unmatched expertise in the OSF Distributed Computing Environment. Prior to joining SystemExperts, Mr. Mackey was the director of collaborative development for The Open Group (the merger of the Open Software Foundation and X/Open) where he was responsible for the integration of Microsoft's ActiveX Core with DCE and DCE Release 1.2. Mr. Mackey is an original member of the DCE Request For Technology technical evaluation team and was responsible for the architecture and defining the contents of DCE Releases 1.1 and 1.2. He has been a frequent speaker at major conferences and has taught numerous tutorials on developing secure distributed applications.