Avoiding a Vendor Security Breach


 

Sound familiar? Someone outside your vendor's organization gained unauthorized access to its IT systems and stole a large number of names and email addresses. The event sends shockwaves across the industry as news organizations report the breach for several days. CNN reports that the scope of this breach is huge. Now you are questioning the security of your vendors. If this hasn't already happened to you, it most likely will. In this article, I will highlight some of the protections you should look for when selecting a vendor. In future articles, I'll dive deeper into each of these topics.

 

(1)    Does the vendor have an industry certification? A SAS70 report, for example, is issued by a third-party auditor as evidence that the vendor has defined IT processes and can show that it is actually following those processes.

 

(2)    Does the vendor have a security administrator? At a minimum, the vendor’s security administrator should be a current Certified Information Systems Security Professional (CISSP).

 

(3)    Is the vendor subject to third party penetration tests? A third party should perform a penetration test against the vendor and produce a report of its findings. The penetration testing should be performed on a regular basis.

 

(4)    Does the vendor have security governance? There should be evidence that the leaders of the organization are participating in setting the direction of the organization's security efforts.

 

(5)    Does the vendor have an Incident Response Plan? The organization must plan in advance what they will do during a security incident, and it must perform regular drills against that plan. The plan should include investigation, forensics, evidence chain of custody, and more.

 

(6)    Does the vendor have proper access controls? A vendor’s employee should be required to have permission from the data owner in order to access data.

 

(7)    Is the vendor prepared for Business Continuity and Disaster Recovery? The vendor should have a plan and should perform drills against the plan. They should have well-defined backup policies and secure media handling procedures.

 

(8)    Does the vendor have Risk Management Procedures? On a regular basis, the vendor's information technology environment should be analyzed for risk. High-risk issues should be tracked until resolved.

 

(9)    Does the vendor practice Change Control? When a change is proposed, it should follow a procedure that includes a review, risk analysis, exit strategy planning, and more.

 

(10)  Does the vendor have good physical security? The physical security should have layered defenses that can record activities (such as a door badge system and security cameras) for auditing purposes.

 

(11) Does the vendor have good logical security? Your data should be protected by firewalls and intrusion prevention systems that are monitored and maintained.

 

(12)  Does the vendor properly use cryptography? Web sites containing confidential information should be protected by SSL. Data and reports should not be emailed unless the file is encrypted.

 

(13)  Does the vendor provide security awareness education? The vendor's employees should be required to participate in regularly scheduled security awareness education events.

 

 

About the Author:

Kevin Gilbert is the Technology Manager with SIGMA Marketing and holds several certifications including CISSP, SSCP, Security +, and NISM.

Posted September 14, 2011 by cloudbusterspodcast in Uncategorized

Social Media Fund Raising

Social Media has matured into a powerful venue. No one understands this better than Pete Werner, owner of Dreams Unlimited Travel, host of the Dis Unplugged Podcast, and owner of WDWInfo. Pete has turned thousands of his social media fans toward a charity: Give Kids the World. Give Kids The World works with organizations such as the Make-A-Wish foundation to provide children with life-threatening illnesses a magical vacation to Disney World. Pete's goal is to raise one million dollars for the organization. "We are [demonstrating] the power of the internet in raising money for good causes," Pete explains.

 

To get started, Pete created a website that serves as the hub of the fund raising activities. He made sure the site had no visible connection to his business. Next, he hit his social media network and handed out the challenge. Organizer Dave Parfitt explained, "The fundraiser is really all about leveraging the power of social media to raise money for Give Kids The World." Using a concept called crowdsourcing, the Power of 10 asks that each person find 10 people who are willing to donate $10. In addition, he has asked his network to develop creative fund raising activities. Like the incredible social marketer that Pete is, his message has been blasted out through podcasts, online forums, websites, e-newsletters, Facebook, Twitter, and more.

 

Pete has taken the social elements that brought him success with Disney and has brought them to fund raising. The Power of 10 is accessible through Facebook, Twitter, blogs, forums, and eBay fundraising auctions. Other sites have jumped aboard, including wdwnotjustforkids, disneygeek, Sorcerer Radio Network, Michael Jackson Fan Community, and others. Aljon Go, Sorcerer Radio station manager, says, "We started mentioning The Power of 10 campaign on-air as well as on-line in February and will step up our efforts by producing these spots to further promote this worthwhile cause." Fans have responded by posting, tweeting, blogging, holding concerts and running fund raising parties.

 

Pete is realistic and knows it could take a long time to raise one million dollars, especially during a recovering economy. Therefore, he hasn’t set a time limit on the goal. “We’ve set no time limit on this goal – whether it takes 6 months or 2 years doesn’t matter.” The success is building. User Zendisney reported “I made a post on FaceBook about the Power of 10 campaign and within 30 minutes of the post already I have someone who is going to write a check!” After the first 3 months, Dave Parfitt reported $12,000 had been raised for the cause.

 

For more information about the Power of Ten, you can visit http://www.PowerOf10.us .

 

Posted September 12, 2011 by cloudbusterspodcast in Uncategorized

Security Groups Best Practices

Security Groups are the firewall mechanism in Amazon AWS. Servers (known as instances) are added to a group, and the group defines which inbound ports are permitted. If one uses the Virtual Private Cloud (VPC) option, one can specify permitted outbound ports as well.

There are countless ways to group instances into security groups. For example, one might put all the instances related to a project into one group. Or one could make an individual group for each instance. Identical instances (perhaps they are load balanced) could go in the same group. Or instances could be grouped by their common function such as placing all web servers in one group.

If you were creating a best practice for the use of security groups, how would you use them?
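As an added example (not code from the original post or from AWS), here is a small Python model of how a security group's allow-only inbound rules, plus outbound rules when a VPC is used, decide whether a flow is permitted. It goes beyond the post in one respect: a rule's peer can be another security group rather than an address range, which is what makes grouping by function (web, app, database) enforce least privilege between tiers. The tier names and port numbers are constructed.

```python
"""Model of AWS security-group semantics: allow-only rules, each naming a
CIDR or another group as its peer, inbound always, outbound only in a VPC.
Added example, not from the original post; tier names are constructed."""
from ipaddress import ip_network

ANY = "0.0.0.0/0"

def rule(proto, from_port, to_port, peer):
    # peer is the source (inbound) or destination (outbound): CIDR or group name
    return {"proto": proto, "from": from_port, "to": to_port, "peer": peer}

def peer_matches(peer, origin):
    """origin is an IP address or a group name; CIDR peers only match addresses."""
    if "/" not in peer:
        return peer == origin
    try:
        return ip_network(origin + "/32").subnet_of(ip_network(peer))
    except ValueError:          # origin is a group name, not an address
        return False

def port_matches(r, proto, port):
    return r["proto"] == proto and r["from"] <= port <= r["to"]

def flow_allowed(groups, origin, dst_group, proto, port):
    """Allow-only: an inbound rule on the destination group must match, and in
    a VPC an outbound rule on the origin's group must match the destination."""
    if origin in groups and not any(
            port_matches(r, proto, port) and r["peer"] in (dst_group, ANY)
            for r in groups[origin]["outbound"]):
        return False
    return any(port_matches(r, proto, port) and peer_matches(r["peer"], origin)
               for r in groups[dst_group]["inbound"])

def internet_exposed(groups):
    """Audit check: every (group, port range) that anyone on the internet can reach."""
    return sorted((name, r["from"], r["to"]) for name, g in groups.items()
                  for r in g["inbound"] if r["peer"] == ANY)

# Constructed three-tier layout grouped by function: each tier admits only
# the tier in front of it, and the database group has no outbound rule at all.
TIERED = {
    "web": {"inbound": [rule("tcp", 443, 443, ANY)],
            "outbound": [rule("tcp", 8080, 8080, "app")]},
    "app": {"inbound": [rule("tcp", 8080, 8080, "web")],
            "outbound": [rule("tcp", 3306, 3306, "db")]},
    "db":  {"inbound": [rule("tcp", 3306, 3306, "app")], "outbound": []},
}
# Constructed single "project" group: one group for everything is convenient,
# but the database port is then open to the internet alongside the web port.
FLAT = {"project": {"inbound": [rule("tcp", 443, 443, ANY),
                                rule("tcp", 3306, 3306, ANY)],
                    "outbound": [rule("tcp", 0, 65535, ANY)]}}
```

Running internet_exposed over each layout is the check to apply to any grouping you settle on: only the ports you intend to publish should appear.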

Posted September 10, 2011 by cloudbusterspodcast in Uncategorized

Welcome to Cloud Busters Pod Cast

Welcome to the Cloud Busters Pod Cast’s Blog. We don’t have any content yet, but check back soon and we’ll have some thrilling and exciting things to share.

Posted September 1, 2011 by cloudbusterspodcast in Uncategorized