Third Party Security: Are your vendors compromising the security of your Agency?
Wendy Nather, Texas Education Agency
Michael Wyatt, Deloitte & Touche LLP
TASSCC Annual Conference
3 August 2010
Agenda
  3rd Parties: Here to stay
  Size and Nature of the Problem
  Risks and Risk Mitigation
  Clouds in our Eyes
  Policies and Assessments
  Recommended resources
  Q/A

3rd Parties: Here to Stay
  Public/Private Partnership
  Specialized Skill Sets
  Cost Considerations
  Net: Can’t unscramble the egg, and probably wouldn’t if we could

SIZE OF THE PROBLEM
Dimensions of the Problem
  On-Site Contractors
    Access to sensitive information
    Application Development
    IT Ops: admin rights to apps and systems
    Business services (HR, payments, printing, etc.)
    Projects (web site development/hosting)
  External service providers
    Software / application vendors
    Outsourced support services
    ASP / SaaS / Cloud
      Hosting Agency applications
      Housing sensitive data (PII, PHI)
      Handy Internet services (Survey Monkey, iTunes U, etc.)

What’s the Risk?
  Verizon Business Data Breach Investigations Report
    11% of breach events involved a third-party partner as the primary vector*
    27% of breach events involved multiple sources (e.g. external + partner)
    26% of compromised assets were managed externally; an additional 9% were co-managed
  *Note: based on data collected by Verizon Business and the U.S. Secret Service only, and covering intentional breaches only, not contributory errors

Example: Veterans Administration, May 2010
  3rd party contractor’s unencrypted laptop stolen with sensitive information on it
  The 3rd party had “certified” that all of its laptops used encrypted hard drives
  VA policy requires encryption
  Over 500 3rd parties refusing to sign the encryption clause

RISKS AND RISK MITIGATION
Shared State of Texas Risk
  How many different accounts does your vendor service?
  What are you willing to bet they’re using the same admin password for all of them?
  What are you willing to bet that the password is “password”?

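Worked example, added for this edition and not part of the original presentation: a small Python credential audit for the two bets above. It checks vendor-managed admin accounts against a short weak-password list and, separately, tests whether one password the agency legitimately knows (for instance the one handed over at onboarding) also opens the vendor’s accounts on other systems. The account names, the salted PBKDF2 records, the weak-password list and the helper names are all constructed for the example.

```python
import hashlib
import hmac
import os

# Deliberately low iteration count to keep the demo fast; production password
# stores should use a much higher work factor.
ITERATIONS = 20_000

# Constructed list of the kind of passwords the slide worries about.
WEAK_PASSWORDS = ["password", "Password1", "admin", "welcome1", "vendor2010"]


def make_record(account, password):
    """Build a salted PBKDF2-SHA256 record for one vendor-managed account."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"account": account, "salt": salt, "hash": digest}


def verify(record, candidate):
    """Constant-time check of a candidate password against one record."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


def sample_records():
    """Constructed data: one vendor's admin account on four agency systems."""
    return [
        make_record("agency-a/vendor_admin", "password"),
        make_record("agency-b/vendor_admin", "password"),
        make_record("agency-c/vendor_admin", "S3cure!Unique#17"),
        make_record("agency-d/vendor_admin", "S3cure!Unique#17"),
    ]


def audit(records, wordlist=WEAK_PASSWORDS):
    """Return (cracked, shared): accounts that accept a weak password, and the
    weak passwords accepted by more than one account."""
    cracked = {}
    for rec in records:
        for pw in wordlist:
            if verify(rec, pw):
                cracked[rec["account"]] = pw
                break
    by_password = {}
    for account, pw in cracked.items():
        by_password.setdefault(pw, []).append(account)
    shared = {pw: accts for pw, accts in by_password.items() if len(accts) > 1}
    return cracked, shared


def find_reuse(records, known_password):
    """List every account that accepts a password the agency already knows.
    A strong password reused across customers is still shared-state risk:
    a breach at any one customer exposes all of them."""
    return [rec["account"] for rec in records if verify(rec, known_password)]


if __name__ == "__main__":
    recs = sample_records()
    cracked, shared = audit(recs)
    print("weak passwords:", cracked)
    print("weak passwords shared across accounts:", shared)
    print("accounts accepting the agency-c password:", find_reuse(recs, "S3cure!Unique#17"))
```

The wordlist check catches the “password” case; `find_reuse` catches the quieter case where the password is strong but the vendor uses it everywhere, which no wordlist would ever find.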
Dude, Where’s Our Firewall?
  How many trusted entry paths do you have to your network?
  How many connections do you have to third-party partners apart from outsourcing?
  Do you still really think you have a perimeter?

What’s Most Important?
  Maintaining control over security
  Maintaining accountability
  Ensuring legal compliance

What’s Not?
  Data mapping
  Asset classification
  Security control frameworks used by 3rd parties
  Technical controls in the absence of good business processes
  SAS-70s *

Methods of Control
  Technical control
  Business processes / procedural control
  Contractual control

The Password Problem
  System administrators have ultimate technical control
  Compensations
    Balance: Technical
      Privileged Account Management
      Multifactor Authentication
    Balance: Process / Procedural Oversight
      Separate, immediate log collection
      Regular audits
      Paper throttle
        Workflow system
        Signoff requirements
    Balance: Contractual
      Acceptance or rejection of personnel
      Compliance with written policies

The Knowledge Problem
  If they have all the technical expertise, how do you know what they’re doing?
  Balance: Procedural
    Separate technical expertise
    Regular reviews
  Balance: Contractual
    Solutions and practices must comply with legal requirements

The Money Problem
  Vendor can influence decision-making by judicious use of price tags
  Balance: Contractual
    Preserve the right to do it yourself
    On-demand cost reviews and bids

Security Separation of Duties
  Contractor provides high-level security design documents, generic procedures, baseline security settings
  Agency determines which technical measures are needed to comply with laws (HIPAA, FERPA, IRS, CJIS, etc.)
  Consider having a 3rd party assess the security of the source code and architecture
    This may cost extra

Application Security
  Software Development Life Cycle (SDLC)
    Do they even have one?
    Include them in yours
      Threat modeling
      Test cases including security
      QA phase includes security scanning / pen testing
      Don’t forget the platform

Warranties
  No, really
  “Any security issues relating to flaws in the implementation or design of the software shall be remediated at the expense of the vendor, regardless of when they are discovered, for the life of the contract.”
  If anyone screams at this, kindly remind them that Microsoft et al. do this already; it’s called “maintenance.”

What about enhancements?
  “Any requests for new security functionality (such as different access control measures, new encryption, more detailed logging, etc.) shall be considered the same as other new operational functionality and shall be handled according to the software enhancement agreements in this document.”

System Integrators
  Purchased product not under the System Integrator’s control
  Engagement acceptance and signoff
  Use of off-shore vs. local resources
  Product vendor professional services vs. independent professional services

Verification
  Make the developer do their own security testing
  OWASP Application Security Verification Standard (ASVS) Project

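Worked example, added here and not code from the presentation or from any vendor: what “test cases including security” and “make the developer do their own security testing” look like in practice, as a Python/sqlite3 test that a vendor would be required to ship alongside its functional tests. The `students` table with fake SSNs, the deliberately flawed lookup, its remediated form and the payload are all constructed for the example; the flawed lookup keeps its bug on purpose so the test has something to catch.

```python
import sqlite3

# Constructed sample data: a small student table with a PII column (fake SSNs),
# the kind of record a FERPA-covered agency hands a vendor-built application.
STUDENTS = [
    ("Ana Lopez", "000-00-0001"),
    ("Ben Carter", "000-00-0002"),
    ("Chen Wei", "000-00-0003"),
]

# Classic tautology payload; no real student has this name, so a correct
# lookup must return nothing for it.
INJECTION = "x' OR '1'='1"


def make_db():
    """In-memory database so the test runs offline and leaves nothing behind."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO students (name, ssn) VALUES (?, ?)", STUDENTS)
    return conn


def lookup_vulnerable(conn, name):
    """Deliberately flawed build: user input is spliced into the SQL string,
    so the payload rewrites the WHERE clause and dumps every row."""
    sql = "SELECT name, ssn FROM students WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, name):
    """Remediated build: a bound parameter never reaches the SQL parser."""
    return conn.execute(
        "SELECT name, ssn FROM students WHERE name = ?", (name,)
    ).fetchall()


def injection_test_case(lookup, conn):
    """Security test case to sit next to the functional tests: a lookup for a
    name that exists only as an injection payload must return no rows.
    Returns True when the build under test passes."""
    return lookup(conn, INJECTION) == []


def run_verification(conn):
    """Pass/fail per build, the way a QA gate would record it."""
    return {
        "vulnerable": injection_test_case(lookup_vulnerable, conn),
        "hardened": injection_test_case(lookup_hardened, conn),
    }


if __name__ == "__main__":
    db = make_db()
    print(run_verification(db))
    print("rows leaked by the flawed build:", len(lookup_vulnerable(db, INJECTION)))
```

The point of writing the check as a test rather than a scanner finding is that it fails the build in the vendor’s own pipeline, before the agency sees the release, and the warranty clause above then makes the fix the vendor’s cost rather than a change request.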
Levels of Due Diligence
  What is our obligation to assess and monitor security?
  What is “reasonable” to ask of 3rd party providers?
  What responsibility does the State have in this area?

Additional Recommendations
  Eliminate unnecessary data; keep tabs on what’s left
  Make sure essential controls are met
  Check the above again
  Test and review web applications
  Audit user accounts and monitor privileged activity
  Filter outbound traffic
  Monitor and mine event logs

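Worked example, added for this edition and not part of the original presentation: the “monitor privileged activity” and “mine event logs” recommendations above, together with the Password Problem compensations (separate log collection, regular audits, the paper throttle of ticket and signoff), applied to a handful of constructed audit records for one vendor-managed account. The per-account policy, the key=value log format, the sample lines and the rule names are assumptions for the example, not anything the presenters describe.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Hypothetical policy for vendor-managed privileged accounts. The source range
# (vendor VPN egress) and working hours are constructed for the example.
POLICY = {
    "vendor_dba": {
        "allowed_src": [ipaddress.ip_network("203.0.113.0/24")],
        "window": (8, 18),         # admin work expected between 08:00 and 18:00
        "ticket_required": True,   # the paper throttle: no change ticket, no sudo
    },
}

PRIVILEGED_ACTIONS = {"sudo"}

# Constructed audit records in a key=value format assumed for the example.
SAMPLE_LOG = [
    '2010-07-12T09:02:11 host=erp-db01 user=vendor_dba src=203.0.113.7 action=login',
    '2010-07-12T09:05:40 host=erp-db01 user=vendor_dba src=203.0.113.7 action=sudo cmd="/usr/bin/sqlplus / as sysdba" ticket=CHG-2231',
    '2010-07-12T09:08:03 host=erp-app02 user=vendor_dba src=198.51.100.23 action=login',
    '2010-07-12T23:41:17 host=erp-db01 user=vendor_dba src=203.0.113.9 action=sudo cmd="/bin/bash"',
    '2010-07-12T23:45:00 host=erp-db01 user=jsmith src=10.20.0.5 action=login',
]

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) '
    r'action=(?P<action>\S+)(?: cmd="(?P<cmd>[^"]*)")?(?: ticket=(?P<ticket>\S+))?$'
)


def parse(line):
    """Turn one record into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["src"] = ipaddress.ip_address(ev["src"])
    return ev


def review(lines, policy=POLICY, reuse_window=timedelta(minutes=10)):
    """Return a list of finding tuples; the first element names the rule."""
    findings = []
    last_seen = {}  # user -> (timestamp, source) of that user's previous event
    for line in lines:
        ev = parse(line)
        if ev is None:
            findings.append(("unparsed", line))
            continue
        user = ev["user"]
        rules = policy.get(user)
        if rules is None:
            continue  # agency staff are reviewed elsewhere; this pass is vendor-only
        when = ev["ts"].isoformat()
        if not any(ev["src"] in net for net in rules["allowed_src"]):
            findings.append(("src_outside_vendor_range", user, str(ev["src"]), when))
        if ev["action"] in PRIVILEGED_ACTIONS:
            start, end = rules["window"]
            if not start <= ev["ts"].hour < end:
                findings.append(("privileged_outside_window", user, when))
            if rules["ticket_required"] and not ev["ticket"]:
                findings.append(("privileged_without_ticket", user, ev["cmd"], when))
        prev = last_seen.get(user)
        # The same account active from two addresses within minutes is the
        # usual sign of one credential shared among the vendor's staff.
        if prev and prev[1] != ev["src"] and ev["ts"] - prev[0] <= reuse_window:
            findings.append(("concurrent_sources", user, str(prev[1]), str(ev["src"])))
        last_seen[user] = (ev["ts"], ev["src"])
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

Run against the sample, the review flags the login from outside the vendor’s range, the same account in use from two addresses three minutes apart, and a late-night root shell with no change ticket; the agency staff login is left for a separate review. The logs this runs over should be the separately collected copy, not the ones on the box the vendor administers.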
CLOUD COMPUTING AND SAAS
Clouds get in our eyes
  Software as a Service (SaaS)
    Quick to set up
    No review by procurement or legal
    License = EULA
    No capital procurement required
    Monthly subscription (watch out for ProCard charges!)
    No internal management costs

Forecast: Cloudy with a 100% chance of risk
  Security by obscurity: e.g. Amazon S3
  Controls: lack thereof for security
  Loss:
    Of physical control of agency information
    Of governance of the information
    Of the information itself
  Not lost:
    Agency data retained by the provider AFTER contract conclusion / termination
  Cloudy staff:
    Background checks for employees? For third party contractors?
  Water leaks:
    Multi-tenancy increases the chance of intentional and unintentional access to one tenant’s information by another tenant

Onward through the cloud
  One size does not fit all
  Cloud providers allow different levels of visibility / auditability
  CloudAudit project, aka Automated Audit, Assertion, Assessment, and Assurance API (A6)

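Worked example, added here and not part of the original presentation: the “security by obscurity” point above, in the Amazon S3 case, usually means a bucket whose objects anyone can fetch once they learn the URL. Where the provider exposes its access configuration at all (the “visibility / auditability” point), the check is mechanical. The bucket policies, the ACL and the account identifiers below are constructed for the example; the check itself only inspects JSON, so it runs offline.

```python
import json

# ACL grantee URIs that mean "everyone" and "anyone with any AWS account".
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Constructed bucket policy of the kind the slide warns about: readable by
# anyone who learns an object URL, with the URL's obscurity as the only control.
WEAK_POLICY = json.loads("""{
  "Version": "2008-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::agency-student-records/*"}
  ]
}""")

# Constructed corrected policy: one named role may read, and only over TLS.
# The account number is a placeholder.
HARDENED_POLICY = json.loads("""{
  "Version": "2008-10-17",
  "Statement": [
    {"Sid": "VendorRoleRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/vendor-etl"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::agency-student-records/*",
     "Condition": {"Bool": {"aws:SecureTransport": "true"}}}
  ]
}""")

# Constructed bucket ACL that grants READ to the world alongside the owner.
WEAK_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}


def _principals(principal):
    """Flatten the Principal element ("*", a string, a list or a map) to a list."""
    if isinstance(principal, dict):
        out = []
        for value in principal.values():
            out.extend(value if isinstance(value, list) else [value])
        return out
    return principal if isinstance(principal, list) else [principal]


def public_statements(policy):
    """Return (public, needs_review): Sids of Allow statements granted to every
    principal with no Condition, and Sids of wildcard grants that do carry a
    Condition, which a human should read rather than the script accepting them."""
    public, needs_review = [], []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        if "*" not in _principals(st.get("Principal", [])):
            continue
        sid = st.get("Sid", "<no Sid>")
        (needs_review if st.get("Condition") else public).append(sid)
    return public, needs_review


def public_acl_grants(acl):
    """Permissions the ACL hands to the AllUsers / AuthenticatedUsers groups."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") in PUBLIC_ACL_GROUPS]


if __name__ == "__main__":
    print("weak policy:", public_statements(WEAK_POLICY))
    print("hardened policy:", public_statements(HARDENED_POLICY))
    print("weak ACL public grants:", public_acl_grants(WEAK_ACL))
```

Both the policy and the ACL have to be checked: a bucket with a clean policy can still be world-readable through its ACL, and a wildcard principal narrowed by a Condition (a source-address restriction, say) is not automatically public, which is why those are reported for review rather than counted either way.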
POLICIES, PROCEDURES AND ASSESSMENTS
Third Party Security Policies
  You have internal policies, but what about third parties?
  Explicit third party policies and procedures
  Contract language

What to put in the contract
  General: applicable to all third parties
    Security and privacy policies and procedures, and legal requirements
    Incident response
    Control and auditing of administrative privileges and user access
    Control and use of security software
    Right to audit
    Laptops and removable media
    Account management and access controls
    Inventory, data classification levels, and record retention schedules
  Data and application: hosting/housing Agency data
    Vulnerability scanning and remediation
    Security configuration standards
    Backup security
    Business continuity / disaster recovery
    Change management
  Network connectivity: 3rd parties with direct access to the Agency network
    Business continuity / disaster recovery
    Encryption
    Telephone, email
    Pull vs. push

Assessments
  To self-assess or not to self-assess
  References and referrals
  Model: financial services industry
  Components to look at:
    IT and risk
    Security policies
    Asset management
    Security awareness
    Physical and environmental
    Access control
    Communications and operations
    Business continuity
    Management of privacy
    Incident management
    Compliance

The bottom line: Are all vendors bad?
  Well, not all of them
  Trusted partners with security expertise

Questions?
  Wendy Nather, Texas Education Agency, Wendy.Nather@tea.state.tx.us
  Michael Wyatt, Deloitte & Touche LLP, miwyatt@deloitte.com

RESOURCES
  The Shared Assessments Program (sponsored by BITS): http://www.sharedassessments.org
  “General Electric Third Party Information Security Policy”: http://www.geae.com/aboutgeae/doingbusinesswith/docs/GE_thirdparty_policy.doc
  The Cloud Security Alliance: http://www.cloudsecurityalliance.org/
  The Open Group's Jericho Forum: https://www.opengroup.org/jericho/index.htm
  OWASP Application Security Verification Standard (ASVS) Project: http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
  CloudAudit Project: http://www.cloudaudit.org

This presentation contains general information only and Deloitte is not, by
means of this presentation, rendering accounting, business, financial,
investment, legal, tax, or other professional advice or services. This
presentation is not a substitute for such professional advice or services, nor
should it be used as a basis for any decision or action that may affect your
business. Before making any decision or taking any action that may affect
your business, you should consult a qualified professional advisor.
Deloitte, its affiliates, and related entities shall not be responsible for any
loss sustained by any person who relies on this presentation.
About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein,
and its network of member firms, each of which is a legally separate and
independent entity. Please see www.deloitte.com/about for a detailed
description of the legal structure of Deloitte Touche Tohmatsu and its
member firms. Please see www.deloitte.com/us/about for a detailed
description of the legal structure of Deloitte LLP and its subsidiaries.
Copyright © 2010 Deloitte Development LLC. All rights reserved.