Avoiding a Vendor Security Breach



Sound familiar? Someone outside your vendor's organization gained unauthorized access to its IT systems and stole a large number of names and email addresses. The event sends shockwaves across the industry as news organizations report the breach for several days. CNN reports the scope of this breach is huge. Now you are questioning the security of your vendors. If this hasn't already happened to you, it most likely will. In this article, I will highlight some of the protections you should look for when selecting a vendor. In future articles, I'll dive deeper into each of these topics.


(1) Does the vendor have an industry certification? A SAS 70 report, for example, is issued by a third-party auditor as evidence that the vendor has documented IT processes and can show that it actually follows them.


(2) Does the vendor have a security administrator? At a minimum, the vendor's security administrator should be a current Certified Information Systems Security Professional (CISSP).


(3) Is the vendor subject to third-party penetration tests? An independent third party should perform penetration tests against the vendor on a regular basis and produce a report of its findings.


(4) Does the vendor have security governance? There should be evidence that the leaders of the organization are actively involved in directing the organization's security efforts.


(5) Does the vendor have an Incident Response Plan? The organization must plan in advance what it will do during a security incident, and it must perform regular drills against that plan. The plan should include investigation, forensics, evidence chain of custody, and more.


(6) Does the vendor have proper access controls? A vendor's employee should be required to have permission from the data owner in order to access data.


(7) Is the vendor prepared for Business Continuity and Disaster Recovery? The vendor should have a plan and should perform drills against it. It should have well-defined backup policies and secure media handling procedures.


(8) Does the vendor have Risk Management Procedures? On a regular basis, the vendor's information technology should be analyzed for risk, and high-risk issues should be tracked until resolved.


(9) Does the vendor practice Change Control? When a change is proposed, it should follow a procedure that includes a review, risk analysis, exit strategy planning, and more.


(10) Does the vendor have good physical security? The physical security should have layered defenses that record activities (such as a door badge system and security cameras) for auditing purposes.


(11) Does the vendor have good logical security? Your data should be protected by firewalls and intrusion prevention systems that are monitored and maintained.


(12) Does the vendor properly use cryptography? Web sites containing confidential information should be protected by SSL. Data and reports should not be emailed unless the file is encrypted.


(13) Does the vendor provide security awareness education? The vendor's employees should be required to participate in regularly scheduled security awareness education events.



About the Author:

Kevin Gilbert is the Technology Manager with SIGMA Marketing and holds several certifications including CISSP, SSCP, Security+, and NISM.

Posted September 14, 2011 by cloudbusterspodcast in Uncategorized
