Outsourcing your IT and the responsibility for your company's information assets doesn't relieve you of your obligations regarding information security. Try telling the CEO that it's alright that there has been a loss of customer information because "we have an IT outsourcing contract." Just don't tell him about the supplier's limitation of liability provision or the exclusion concerning indirect damages for loss of data. That doesn't even consider the customer and external business repercussions.
Virtually every company in any industry relies on its information technology systems to meet company operational, financial, and informational obligations. Accordingly, company IT systems, and the information and communications stored, processed, and presented on these systems ("information assets") constitute vital company property that companies must absolutely protect, operate, and maintain in a secure environment.
Every outsourcing buyer should conduct periodic information security (IS) risk assessments, identifying any material deficiencies in the buyer's (and supplier's) use and handling of information, and the subsequent levels of risk for monetary loss, productivity loss, and/or loss of user or customer confidence for an application, system, or business process. The buyer must then follow up with its IT outsourcing supplier to develop and implement appropriate methodologies, controls, and procedures. Then, companies must provide continuing oversight of the supplier's compliance with these in order to ensure that the company's information assets are protected and that its information is secure.
Implement an Internal IS Policy
Buyers, with their supplier's assistance, should develop, implement, and maintain an IS policy across the buyer's organization which addresses:
- Those parts of the organization that have access to, store, transmit or copy information
- Operating system management, database management, patch management, computer security incident response, business continuity, change management/control, problem management, policy development, auditing and monitoring, source code management and control, virus/malicious software management, security awareness, privacy awareness, and network and system configuration
The buyer's chief security officer, chief information officer, or equivalent officer should formally approve any material changes to this IS policy. He or she must then communicate the changes to all employees and contractors.
The supplier should implement, maintain, and comply with incident management procedures, which:
- Ensure a prompt, effective, and orderly response to IS incidents, including, without limitation, information system failures and loss of service, denial of service, breaches of confidentiality, and data errors
- Provide for post-incident analysis to prevent reoccurrence, including, without limitation, identification of the cause of the IS incident, secured audit trails and logs, and communication with those affected or to be affected by the IS incident
- Limit incident management to only authorized employees or contractors
- Require detailed documentation of the incident response actions taken, sufficient to meet reasonable expectations of forensic admissibility
The supplier should regularly and periodically train the buyer's employees on how to follow and comply with the buyer's IS policy, including, without limitation, training concerning incident response procedures, security awareness, privacy awareness, and codes of conduct. Training should occur prior to any buyer employee having access to information. The supplier should update these IS training materials on an annual basis and provide additional training to buyer employees with respect to such updated materials.
Expand Information Security to People and Places
Prior to providing any access to information, the supplier should complete certification checks, in accordance with a "company certification program," of all buyer employees, contractors, and other third parties who are to have access to such information. The supplier should monitor and log access to the information by employees, contractors, and other third parties, and should suspend access to the information for any employee, contractor, or other third party that poses an actual or reasonably suspected potential IS risk.
The supplier should promptly terminate access to information for employees who have been terminated or who no longer have a need to access the information for legitimate business purposes.
The buyer should establish a formal procedure for employees, contractors, and other third parties requiring them to:
- Promptly report any actual or reasonably suspected IS incident or any actual or reasonably suspected potential IS risk
- Collect and record information concerning such IS incident or potential IS risk
Additionally, the buyer should insist that the supplier segregate duties among its employees and contractors in order to reduce the risk of fraud or the accidental misuse or unauthorized use of the buyer's information assets.
The buyer should implement and maintain a "physical security perimeter." With respect to any person who gains physical access to the buyer's or supplier's IT facilities, the supplier should record and log the time and date of entry and departure to such facilities.
The buyer needs to utilize authentication controls, including, without limitation, the use of photo identification badges with electronic identification technology to authorize and validate all access to IT facilities. Buyers must log electronic access and retain the records for no less than thirty days. Operation centers, server rooms, wiring closets, and other critical infrastructure areas must have highly restricted access with logged electronic badge reader authentication. Visitors to IT facilities should be clearly identified, and their access limited to areas within the IT facilities that need to be accessed in order to fulfill their functions at the IT facilities.
Control the Communication of Information
The buyer and supplier should work together to develop, implement, and maintain network controls to ensure the security of information, including:
- "Demilitarized zones"
- Intrusion detection and active alerts
- Network and system segmentation, including the utilization of packet-inspecting firewalls to maintain zones segregating the following information assets from each other: Internet connection, Web servers, application servers, database servers, core network, and external networks
- Firewalls, including, without limitation, firewalls utilizing packet inspection
- Enforced path controls that prevent users from accessing portions of the network outside those portions typically accessed by each authorized user
- Authentication controls for external network connections and automatic network connections
- Controls to prevent unauthorized access and use of remote network diagnostic ports
- Network access controls that restrict unauthorized access with respect to electronic mail, file transfer, and interactive access
- Routing controls across interconnected networks
Internal IT users should only connect with external parties through a buyer-approved extranet firewall or virtual private network. All firewalls used in the buyer's networks should be configured to:
- Block all data traffic (subject to the protocol limitations of the firewall) except that traffic which is explicitly allowed
- Direct incoming traffic to trusted internal systems
- Protect vulnerable systems
- Prevent disclosure of information such as system names, network topology, and network device types
- Support network layer authentication, with both the firewall and the network layer authentication to be used in conjunction with standard application authentication methods
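The segmentation and default-deny requirements above can be modelled in a few lines. The following is an added example, not code from the article or from any supplier; the zone names, ports, and rules are constructed for illustration, and it shows how the weak setting (default allow) lets an Internet-to-database packet through while the correct setting (default deny) blocks everything not explicitly allowed.

```python
from dataclasses import dataclass
from typing import Optional

# Zones from the article's segmentation list; names are constructed labels.
@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]   # None matches any destination port
    action: str               # "allow" or "deny"

@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    dst_port: int

class ZoneFirewall:
    """First-match packet filter between network zones."""

    def __init__(self, rules, default_action="deny"):
        self.rules = list(rules)
        self.default_action = default_action

    def evaluate(self, pkt):
        # First matching rule wins, as in typical packet-inspecting firewalls.
        for r in self.rules:
            if (r.src_zone == pkt.src_zone and r.dst_zone == pkt.dst_zone
                    and (r.dst_port is None or r.dst_port == pkt.dst_port)):
                return r.action
        # Nothing matched: fall back to the firewall's default policy.
        return self.default_action

# Constructed rule set: only the paths the application tier needs exist.
RULES = [
    Rule("internet", "web", 443, "allow"),   # browsers reach web servers only
    Rule("web", "app", 8443, "allow"),       # web tier talks to app tier
    Rule("app", "db", 5432, "allow"),        # app tier talks to the database
    Rule("core", "db", 5432, "allow"),       # core admin network to database
]

STRICT = ZoneFirewall(RULES)                                # block all, allow explicit
PERMISSIVE = ZoneFirewall(RULES, default_action="allow")    # the weak setting

def default_policy_is_deny(fw):
    """Audit check: a compliant firewall must drop unmatched traffic."""
    return fw.default_action == "deny"

if __name__ == "__main__":
    probe = Packet("internet", "db", 5432)
    print("strict:", STRICT.evaluate(probe), "permissive:", PERMISSIVE.evaluate(probe))
```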
The buyer and supplier should work together to develop, maintain, and comply with policies, procedures, and controls to protect the exchange of information through the use of voice, facsimile, and video communications. Such policies, procedures, and controls should include communicating the risk of IS incidents associated with the use of voice, facsimile, and video communications.
The supplier should maintain and utilize encryption for the secured transfer of "personally identifiable information (PII)" when it is transferred using other forms of electronic transfer. Additionally, neither buyer nor supplier employees or contractors should transport copies of information stored on media via courier or mail without the prior consent of the appropriate buyer officer.
Lessons from the Outsourcing Journal:
- Information security (IS) risk assessments provide buyer executives with the data and analysis needed to understand factors that may impact the operation and safeguarding of their information assets. Although organizations utilize different methods and tools, there are several common principles critical to the success of any IS risk assessment:
  - Obtain senior management involvement to ensure resources and fulfillment
  - Define and document assessment procedures and "institutionalize" the process
  - Include outside technical and business advisors without internal agendas
  - Designate internal focal points and hold these and IT suppliers accountable
  - Document and maintain assessment results, and learn from what has happened
Bruce Leshine is a partner in the law firm of Jorden Burt LLP. With over twenty years of experience as a lawyer, business executive and systems engineer, Leshine represents and advises clients in the areas of information technology, telecommunications and IT and business process outsourcing. His email: [email protected].