This week, I spoke with a new client who told me all about how they are looking forward to addressing a number of internal issues surrounding their IT systems. They explained that over the last 12 months, they repeatedly had issues of delays in service and outages, which had affected their business.
Discussing this further, I explored their relationship with the supplier and asked what due diligence they had performed prior to working with them. Their response was quite typical and also quite worrying.
"Well, we've used them since we first started the business a couple of years ago, so we've kinda grown up together."
I fully support the idea that we shouldn't change for change’s sake, but we also need to get closer to our suppliers, especially when these suppliers provide such critical services.
Knowing you, knowing me.
One of the key components of ISO27001 has always been that supplier relationships are considered and managed effectively. In the new Annex A, controls for ISO27002:2022 have also been expanded to incorporate new requirements. ISO27001:2022 therefore requires;
- Information security in supplier relationships.
- Addressing information security within supplier agreements.
- Managing information security in the ICT supply chain.
- Monitoring, review and change management of supplier services.
Recognising that Cloud has now become a major supplier for many organisations, the standard now includes a new requirement for "Information Security for the use of Cloud Services" (A5.23).
If the payment card standard, PCI DSS is more of a concern for you, then you should know that the tenth requirement of the standard requires that you “Log and monitor all access to system components and cardholder data". This means more than monitoring your own access to network resources and cardholder data.
I often ask to see the service agreements for organisations who hold a support contract with an IT provider, because I want to understand the level of access that the organisation has granted to that third party.
For example, does the IT provider have complete and continuous access to their clients' networks for support purposes? Or do they have to request access? In most situations, it makes perfect sense to allow the IT provider complete control of the network to support the client. But this then exposes the client to additional risks from the possibility of issues affecting the supplier, which could spread into their systems.
Not Just IT
Before you think this is just an attack on IT suppliers, I want to be clear that whoever your critical suppliers are, you need to be assessing their security capabilities based on the risk to your organisation.
For obvious reasons, the IT Managed Service Provider (MSP) is often a primary focus. But who else do you rely on to run your business? What access to your data do they have, and can this pose a threat to your business or reputation?
IT's getting hot in here!
Back in 2006, Dell Corporation, the world's largest computer manufacturer at the time, had to recall millions of laptops due to fears that they could catch fire. It was considered to be the consumer electronic industry's largest product recall, with more than 4 million batteries identified as potential hazards.
Since then, there have been countless stories of Dell laptops bursting into flames and causing fires. Whatever the cause, what is known is that the batteries were supplied to Dell by a third party manufacturer. This is a very tangible example of a supplier having a very real-world impact on their client's reputation (Dell).
Cyber Due Diligence
It's always returning to the basics with information security, and remembering that the central tenet of the discipline is to ensure:
- Confidentiality of data.
- Integrity of data.
- Availability of data.
With this in mind, when was the last time you completed a review of your suppliers against these three principles?
When you allow a supplier into your business, you are trusting that they are a safe and secure business. But how do you know? Have you performed thorough due diligence?
This is important, whether you are hiring a cleaning company, or looking for a supplier of goods or services, including outsourced IT and cybersecurity.
Have you asked them what screening processes they have for their staff? How do they monitor performance? What do they do in relation to security? How do they guard your data? Who has access to your data? Who is your point of contact? What are the Service Level Agreements for any issues? How do they handle data breaches?
These are all sensible questions to ask of any supplier. But, in addition, for your data centres and cybersecurity companies, you must ask more searching questions.
Here are questions you should ask of your data centre hosting company today:
- What Information Certificates do they hold?
- Are they UKAS certified to ISO27001? If so, what is the scope?
- Are they fully certified to the 12 requirements of PCI-DSS?
- Are they certified to ISO9001? 45001? 20000?
- What other relevant certificates do they hold? (if you deal with the USA, SOC may be needed).
- When was the last Penetration Test, and were all findings remediated?
- Have there been any data breaches in the last 12 months?
These are your initial questions, just to get you started. Even if you use one of the large commercial services, their certificates of compliance can easily be obtained through a simple, search, or by speaking to your account representative.
No such thing as 100% secure
Third-party security also factors into some of the privacy regulations as well. For example, The California Consumer Privacy Protection Act (CCPA), as well as GDPR require third-party security. GDPR states this in Article 24:
"Where processing is to be carried out on behalf of a controller, the controller shall use only processors (suppliers) providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject."
If you rely on suppliers to support your business, you need to know they are going to be there when you need them most, and that they are protecting your environment to the highest level possible.
Information security professionals often say that there is no such thing as a 100% secure system. The more we rely on external providers, the truer this statement can become. Security isn't just for your organisation. It extends as far as your entire supply chain. The best way to protect it is with a close examination to make sure that the links are as tightly bound as possible.
You can follow Gary on Twitter here: @AgenciGary
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.