By: Stephen Hancock, PA & 7Safe PCI QSA
It would be hard to be unaware of two major trends affecting IT in recent years. One is out-sourcing, and all its variants including multi-sourcing, infrastructure-as-a-service, cloud and others. The other is the increase in cyber security threats and data breaches.
I am not suggesting that there is a cause and effect here. On the contrary, outsourcing can be an effective way for organisations to obtain resources and skills that they would find difficult to have in-house. Examples might include outsourcing the running and management of a Security Operations Centre (SOC) or retaining a specialist company to provide incident response services to call on in the event of a data breach. But what you cannot do is outsource the responsibility for security. That’s not just a glib phrase; it is the reality. If you suffer a data breach, the regulators will not care that you thought a third party was managing your data securely. Yet that, apparently, is the mind-set that many organisations seem to have.
Is it really possible to outsource data security?
A couple of examples will illustrate the problem. These are based on real situations I have come across in my role as a PCI QSA and information security consultant. The first is a high street retailer developing the business by adding an on-line presence. Not having the in-house expertise, they opted to obtain a complete e-commerce service from a specialist company including web design, application management and hosting. It is a reasonable and common approach.
However, a problem arose when we identified that the web servers would be in scope for various PCI DSS requirements. We found that the e-commerce company did not actually host the servers itself but had subcontracted this further. As it happens, it had contracted one of the industry’s biggest names, a company that is PCI DSS compliant as a service provider. The e-commerce company and our client, the retailer, had taken considerable assurance from this. Until, that is, we took a closer look at the hosting company’s compliance. Yes, they were compliant across all the PCI DSS requirements, but this only applied to the underlying infrastructure and their own management systems. It did not apply to the virtual servers configured on top as used by the retailer. Unless extra service levels are purchased from the hosting company, all security apart from the physical datacentre is down to the purchaser. The position is similar with cloud services from Amazon and Microsoft.
The second example is another well-known UK company operating from around one hundred locations. The e-commerce website code is written by one company, the web servers are managed by another, and physical hosting is sub-contracted to a third. The corporate domain and network are managed by a major telecoms company, but front line desktop support is handled by someone else. None of the companies are certified as PCI DSS compliant service providers. Assessment found that some of the security expected was sadly lacking.
Blaming your suppliers won't satisfy regulators!
We helped both companies unpick the responsibilities of the various players and ascertain what level of security was in place. The lesson from both examples is that you cannot take it for granted that service providers are running secure systems for you even if they are major companies and even if they are PCI DSS compliant.
Avoid the blame game: take control of cyber security throughout your supply chain
So, what should companies be doing for themselves?
- The first step is to understand what your own security needs are. A full risk assessment would be the best basis for this, but even just adopting a baseline of common good practice is a start.
- Build consideration of security into your procurement and due diligence processes.
- Understand what your primary suppliers sub-contract to others and, since you have no direct power over the sub-contractors, require that any sub-contracting has your approval and passes on contractual responsibility for relevant controls.
- Review the SLAs you have with your providers and determine whether these cover security or just performance measures. If you are subject to a compliance regime such as PCI DSS, ensure that who is responsible for what is understood even if your suppliers have their own PCI compliance. This should be documented requirement by requirement. Be prepared to pay more if you want your service provider to provide things like anti-malware, vulnerability scanning and intrusion prevention.
- Don’t take false comfort from your own security policies. A policy requiring, say, twelve-character passwords and two-factor authentication is meaningless if you don’t manage it yourself. Make sure your policy requirements are built into the contracts.
- Carry out your own testing using vulnerability scans and specialist penetration testers. Then work with your suppliers to remediate any vulnerabilities found.
- Ensure that service providers are required to give access to and co-operate with your auditors and assessors.
The trend for outsourcing isn’t going away soon but always remember that the responsibility for the security of your information remains with you.