Sample Supplier Audit Template

Information Technology
Risk Management
3rd Party Supplier Security Assessment

Introduction
This document outlines the process of planning, establishing, maintaining, and terminating
Information Technology (IT) interconnections between the company and one or more external
organizations. In this case an interconnection is defined as the linking of two or more IT systems
for the purpose of exchanging data. The following types of interconnections are addressed in this
document:

- Any network connection to corporate owned infrastructure.
- Any transit/storage of corporate data labeled ‘Classified’, ‘Internal Use Only’, ‘Confidential’, and/or ‘Restricted’.
- Any exchange of corporate proprietary data.
This document outlines the lifecycle for managing interconnections with external
organizations; this lifecycle emphasizes the necessity for adequate security. The four phases
of the interconnection lifecycle are:

- Planning: IT Security Assurance performs a preliminary evaluation of the external organization
  during which all relevant technical, security, and administrative issues are examined. An
  appropriate level of risk is assigned and an agreement is made regarding the management,
  operation, and use of the interconnection.
- Initialization: The corporate department requesting the interconnection, IT Security Assurance
  and the external organization(s) in question develop and execute a plan for establishing the
  interconnection.
- Maintenance: The corporate department responsible for the interconnection, in conjunction with
  the external organization(s) in question, maintains the interconnection after it is established to
  ensure that it operates properly.
- Termination: The company maintains a plan for disconnecting an interconnection. The
  termination of an interconnection should be carried out according to the policies outlined in this
  document to avoid disrupting either organization’s systems. However, in response to an
  unforeseen critical incident, one or both organizations may terminate an interconnection
  immediately.
Planning
The process of connecting an external organization to the company begins with a planning phase,
which includes an examination of all relevant technical, security, and administrative issues by IT
Security Assurance. The purpose of the planning phase is to ensure that the interconnection will
operate as efficiently and securely as possible.
Define the Business Case
The company and the external organization should work collectively to define the purpose of the
interconnection, determine how it will support their respective requirements, and identify potential
risks. As part of this process, both organizations should examine privacy issues related to data
that will be exchanged or passed over the interconnection and determine whether such use is
restricted under current statutes, regulations, or policies. Examples of data that might be
restricted include personally identifiable information such as names, addresses and social security
numbers, or confidential business information such as contractor bid rates and trade secrets.
Determine Interconnection Requirements
The joint planning team should identify all relevant technical and administrative
issues surrounding the proposed interconnection. This information will be used to develop an
implementation plan for establishing the interconnection. The joint planning team should
document an agreement governing the interconnection including the terms and conditions under
which it will be operated.
IT Security Assurance Assessment
After the joint planning team has properly documented the proposed interconnection, IT Security
Assurance should be engaged to perform a security evaluation of the external organization. This
assessment consists of several parts:
Phase 1: Assessment of the Security Environment
IT Security Assurance will perform an organizational-level process review on the non-technical
security functions within the external organization. This will consist of an examination of security
policies, procedures, architectures, and organizational structures in place to support the
organization.
The external organization should provide as much of the following documentation as possible. It
is understood that the below documentation might be referenced under different document titles
at the external organization.
(The company understands the potential criticality of the documentation being requested and as
such will treat any documentation as proprietary and confidential.)
Policies
1. Information Security Policy
2. Information Systems Security Policy
3. Personnel Security Policy
4. Physical Security Policy
5. Organizational Chart
6. Disaster Recovery Plan / Continuity of Operations Plan
7. Acceptable Use / Internet Usage Policy
Network Architecture / System Builds
This documentation should be focused on the network(s)/system(s) involved in the
interconnection.
1. High-level Network Diagrams
2. High-level Architecture Diagrams
3. System Build Documentation
Prior Security Assessments
1. Results of prior security assessments (internal or external)
2. Results of prior security control reviews (might be included as part of a financial audit)
In addition to this document a questionnaire has been provided which should be completed by the
external organization. Please complete and return the accompanying document entitled
Security_Battleground-Sample-Supplier-Audit-Access_Questionnaire.xls.
Phase 2: Classification of Data
All information assets must be classified according to their level of confidentiality, sensitivity,
value and criticality. Classifications and protective controls should take account of business
needs for sharing or restricting information access, and the business impacts associated with
such needs. Information classifications can change over time and should be periodically
reviewed for appropriate classification. Information assets should be classified using the following
categories:
GENERAL: This classification applies to information that has been explicitly approved by
corporate management for release to the public. By definition, there is no such thing as
unauthorized disclosure of this information and it may be freely disseminated without
potential harm. Examples include product and service brochures, advertisements, job
opening announcements, and press releases.
INTERNAL USE ONLY: This classification label applies to all other information that does
not clearly fit into the above two classifications. Though unauthorized disclosure is
against policy, it is not expected to seriously or adversely impact the company, its
employees, its suppliers, its business partners, and/or its customers. Examples include
the telephone directory, dial-up computer access numbers, new employee training
materials, and internal policy manuals.
COMPANY CONFIDENTIAL: This classification label applies to sensitive business
information that is intended for use within the company. Unauthorized disclosure could
adversely impact the company, its customers, its suppliers, its business partners, and/or
its employees. Information that some people would consider private falls into this
classification, for example employee performance evaluations, customer transaction data
and customer contracts, personal information as defined by the company’s privacy policy,
strategic alliance agreements, unpublished internally generated market research,
computer passwords, identity token personal identification numbers (PINs), internal audit
reports, and network diagrams or application process flow diagrams.
RESTRICTED: This classification label applies to the most sensitive business information
that is intended strictly for use within the company. Unauthorized disclosure could
seriously impact the company, its customers, its business partners, and/or its suppliers.
Examples include merger and acquisition documents, corporate level strategic plans,
litigation strategy memos, reports on breakthrough new product research, and trade
secrets such as certain computer programming techniques.
Corporate information, data, and documents must be clearly labeled (i.e. on title pages,
header/footer, and/or message subject lines) so that users are aware of their sensitivity and security
implications. Data/Information classifications are as follows: General, Internal Use Only,
Company Confidential, and Restricted.
Note on Personal Information:
Personal Information will be treated as Company Confidential data. Personal Information is any
information that identifies or can be used to identify, contact or locate the person to whom such
information pertains, or from which identification or contact information of an individual can be
derived. Personal Information includes, but is not limited to: name, address, phone number, fax
number, email address, financial information, medical information, credit card information and
social security numbers. Additionally, to the extent that unique identifiers such as customer or
grant numbers are associated with personal information, such unique identifiers will also be
considered personal information.
Phase 3: Risk Determination
Based on an evaluation of existing IT Security controls (Phase 1) and the classification of data
(Phase 2) a risk rating is assigned; ratings include Low, Medium, and High.
LOW: A Risk Rating of low designates little to no threat to IT assets and/or intellectual
property. Only Data Classifications of ‘General’ can be assigned a low Risk Rating.
MEDIUM: A Risk Rating of medium designates a moderate threat to IT assets and/or
intellectual property. Data Classifications of ‘General’ or ‘Internal Use Only’ can be
assigned a medium Risk Rating.
HIGH: A Risk Rating of high designates substantial threat to IT assets and/or intellectual
property. Data Classifications of ‘Company Confidential’ or ‘Restricted’ are automatically
assigned a high Risk Rating.
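The three-tier rule above can be checked mechanically so that a rating assigned during Phase 3 cannot contradict the data classification from Phase 2. The following is an added example, not part of the template: it encodes the page's rule that only ‘General’ data may be rated Low, ‘General’ or ‘Internal Use Only’ may be rated Medium, and ‘Company Confidential’ or ‘Restricted’ is automatically High. The interconnection is rated by its most sensitive data item, and the Phase 1 control review is folded in as a second floor using an assumed three-value outcome (`adequate`, `gaps`, `inadequate`); the page says Phase 1 feeds the rating but gives no scale, so that mapping is an assumption.

```python
"""Risk-rating helper for the Phase 3 rule (added illustration, not part of the
template). Assumptions: the interconnection is rated by its most sensitive
data classification, and the Phase 1 control review yields one of
'adequate', 'gaps' or 'inadequate' (the page gives no scale for Phase 1)."""
from enum import IntEnum


class Classification(IntEnum):
    GENERAL = 0
    INTERNAL_USE_ONLY = 1
    COMPANY_CONFIDENTIAL = 2
    RESTRICTED = 3


class Risk(IntEnum):
    LOW = 0
    MEDIUM = 1
    HIGH = 2


# Lowest rating each data classification permits, straight from the page:
# only General may be Low; Internal Use Only needs at least Medium;
# Company Confidential and Restricted are automatically High.
MIN_RISK_FOR_CLASS = {
    Classification.GENERAL: Risk.LOW,
    Classification.INTERNAL_USE_ONLY: Risk.MEDIUM,
    Classification.COMPANY_CONFIDENTIAL: Risk.HIGH,
    Classification.RESTRICTED: Risk.HIGH,
}

# Assumed floor derived from the Phase 1 process review outcome.
MIN_RISK_FOR_CONTROLS = {
    "adequate": Risk.LOW,
    "gaps": Risk.MEDIUM,
    "inadequate": Risk.HIGH,
}


def highest_classification(classifications):
    """The interconnection inherits its most sensitive data item."""
    if not classifications:
        raise ValueError("at least one data classification is required")
    return max(classifications)


def determine_risk(classifications, control_review):
    """Return the lowest rating the policy allows for this interconnection."""
    data_floor = MIN_RISK_FOR_CLASS[highest_classification(classifications)]
    control_floor = MIN_RISK_FOR_CONTROLS[control_review]
    return max(data_floor, control_floor)


def validate_rating(proposed, classifications, control_review):
    """Reject a proposed rating that sits below the required floor."""
    floor = determine_risk(classifications, control_review)
    if proposed < floor:
        return False, f"{proposed.name} is below the required floor {floor.name}"
    return True, "ok"


if __name__ == "__main__":
    # An exchange of 'General' and 'Internal Use Only' data with an adequate
    # control environment must be rated at least Medium.
    ok, reason = validate_rating(
        Risk.LOW, [Classification.GENERAL, Classification.INTERNAL_USE_ONLY], "adequate"
    )
    print(ok, reason)
```

Rating floors only move upward: a reviewer may always rate an interconnection higher than the floor, which matches the page's wording that ‘General’ data "can" be Low or Medium without forbidding High.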
Phase 4: External Security Audit (Attack & Penetration)
Prior to the interconnection being established a preliminary vulnerability assessment using
commercially available vulnerability assessment tools will be conducted by the company to
validate the basic integrity of the external organization’s perimeter network environment.
Additionally, the results of Phases 1, 2, and 3 will determine if a more thorough attack &
penetration assessment is required. If necessary, an attack & penetration assessment will be
performed after the interconnection is fully established but prior to any corporate data being
loaded/exchanged with the external organization.
Initialization
Only after the system interconnection is planned and approved may it be implemented. This
section provides recommended steps for establishing an interconnection.
Develop an Implementation Plan
To ensure that the organizations are connected properly and securely, the joint planning team
should develop an implementation plan. This plan should be submitted through the IT Program
Management Office (PMO). The purpose of the plan is to centralize all aspects of the
interconnection effort in one document and clarify how technical requirements will be
implemented. A well-developed implementation plan will greatly improve the likelihood that the
interconnection will operate successfully and securely.
Execute the Implementation Plan
After the implementation plan is developed, it should be reviewed and approved by senior
members of the joint planning team. Pending approval, it may then be executed. Detailed
procedures associated with each task should be described in the implementation plan.
Maintenance
After the interconnection is established, it must be actively maintained to ensure that it continues
to operate properly and securely. This section outlines the recommended activities for
maintaining the interconnection.
Maintain Clear Lines of Communication
It is critical that both organizations maintain clear lines of communication and communicate
regularly. Open lines of communication help to ensure that the interconnection is properly
maintained and that security controls remain effective. Open communications also facilitate
change management activities by making it easy for both sides to notify the other about planned
system changes that could affect the interconnection. Finally, maintaining clear lines of
communication enables both sides to promptly notify each other of security incidents and system
disruptions and helps them to conduct coordinated responses.
Maintain Equipment
Each organization should agree to maintain the equipment used to operate the interconnection to
ensure its continued integrity and availability. Equipment should be maintained at regular service
intervals and in accordance with manufacturer specifications. Only authorized personnel should
be allowed to service and repair the equipment. All maintenance activities and corrective actions
should be documented and the records should be stored in a secure location. Finally,
organizations should notify each other before performing maintenance activities, including
scheduled outages.
Manage User Profiles
Both organizations should actively manage user profiles. If a user resigns or changes job
responsibilities, the appropriate organization should update the user’s profile to prevent access to
data or information that is no longer appropriate. Establish procedures for investigating,
disabling, and terminating access to users who do not actively access the interconnection over a
specific period of time.
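The procedure for finding accounts that no longer actively use the interconnection can be run routinely against the access log. The following added example is not part of the template: it reads a constructed log in an assumed `<timestamp> <user> <event>` format, takes the last successful login per provisioned account, and sorts accounts into active, dormant (idle longer than an assumed 30-day window; the page leaves the period to the organization) and never-used, so an administrator can investigate and disable the latter two groups. Failed login attempts deliberately do not count as activity.

```python
"""Dormant-account check for an interconnection (added example, not part of
the template). Log format, account list and the 30-day window are assumptions."""
from datetime import datetime, timedelta, timezone

# Constructed sample access log: ISO-8601 UTC timestamp, account, event.
SAMPLE_LOG = """\
2024-03-01T08:15:00Z alice.ext LOGIN_OK
2024-03-02T09:20:00Z bob.ext LOGIN_OK
2024-04-28T10:05:00Z alice.ext LOGIN_OK
2024-04-29T11:00:00Z carol.ext LOGIN_FAIL
2024-04-30T12:30:00Z dave.ext LOGIN_OK
"""

# Constructed list of provisioned external accounts. The log shows who turned
# up; the profile list shows who is supposed to exist, and the difference is
# exactly what the review is looking for.
PROVISIONED = ["alice.ext", "bob.ext", "carol.ext", "dave.ext", "erin.ext"]


def parse_log(text):
    """Return {account: time of last successful access} from the log text."""
    last_ok = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, user, event = line.split()
        if event != "LOGIN_OK":
            continue  # failed attempts are not activity
        ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if user not in last_ok or ts > last_ok[user]:
            last_ok[user] = ts
    return last_ok


def find_dormant(provisioned, last_ok, now, max_idle_days):
    """Split provisioned accounts into active, dormant and never-used."""
    cutoff = now - timedelta(days=max_idle_days)
    active, dormant, never_used = [], [], []
    for user in provisioned:
        if user not in last_ok:
            never_used.append(user)
        elif last_ok[user] < cutoff:
            dormant.append(user)
        else:
            active.append(user)
    return {
        "active": sorted(active),
        "dormant": sorted(dormant),
        "never_used": sorted(never_used),
    }


def report(now=None, max_idle_days=30):
    """Run the check over the constructed sample data."""
    now = now or datetime(2024, 5, 1, tzinfo=timezone.utc)
    return find_dormant(PROVISIONED, parse_log(SAMPLE_LOG), now, max_idle_days)


if __name__ == "__main__":
    for bucket, users in report().items():
        print(f"{bucket}: {', '.join(users) or '-'}")
```

Never-used accounts are reported separately from dormant ones because they usually indicate a profile that was provisioned but not needed, which the page's procedure treats the same way: investigate, then disable or terminate.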
Periodic Security Reviews
IT Security Assurance and the external organization should review the security controls
for the interconnection on an annual basis or whenever a significant change occurs to ensure that
it is operating properly.
Report and Respond to Security Incidents
Both organizations should notify each other of intrusions, attacks, or internal misuse, so the other
party can take steps to determine whether its systems have been compromised. Both
organizations should take appropriate steps to isolate and respond to such incidents in
accordance with their respective incident response procedures. In some cases, both parties
should coordinate their incident response activities, especially if a major security breach occurs.
If the incident was an attack or an intrusion attempt, appropriate law enforcement authorities
should be notified, and all attempts should be made to preserve evidence.
Coordinate Contingency Planning Activities
Both organizations should coordinate contingency planning, testing, and exercises to minimize
the impact of disasters that could damage the connected systems or jeopardize the confidentiality
and integrity of shared data. Special attention should be given to emergency alerts and
notifications; damage assessments; and response and recovery including data retrieval. The
organizations should consider developing joint procedures based on existing contingency plans.
Termination
This section describes the process for terminating the system interconnection. If possible, the
interconnection should be terminated in a methodical manner to avoid disrupting the other party’s
IT system.
Planned Disconnection
The decision to terminate the interconnection should be made by IT staff only with the advice of
appropriate managerial and technical staff. Before terminating the interconnection, the IT organization
should notify the external organization in writing, and it should receive an acknowledgment in
return. The notification should describe the reason(s) for the disconnection, provide the proposed
timeline for the disconnection, and identify technical and management staff who will conduct the
disconnection.
The schedule for terminating an interconnection should permit a reasonable period for internal
business planning so both organizations can make appropriate preparations, including notifying
affected users and identifying alternative resources for continuing operations. In addition,
managerial and technical staff from both organizations should coordinate to determine the
logistics of the disconnection and the disposition of shared data, including secure destruction of
sensitive data. The disconnection should be conducted when the impact on users is minimal,
based on known activity patterns. Following the disconnection, each organization should update
its system security plan and related documents to reflect the changed security environment in
which its respective system operates.
Emergency Disconnection
If one or both organizations detect an attack, intrusion attempt, or other contingency that exploits
or jeopardizes the connected systems or their data, it might be necessary to abruptly terminate
the interconnection without providing written notice to the other party. This extraordinary
measure should be taken only during critical incidents and only after consultation with appropriate
technical staff and senior management.
The system owner or designee should immediately notify the other party’s emergency contact by
telephone or other verbal method, and receive confirmation of the notification. Both parties
should work together to isolate and investigate the incident, including conducting a damage
assessment and reviewing audit logs and security controls, in accordance with incident response
procedures. If the incident was an attack or an intrusion attempt, law enforcement authorities
should be notified, and all attempts should be made to preserve evidence. The initiating party
should provide a written notification to the other party in a timely manner. The notification should
describe the nature of the incident, explain why the interconnection was terminated, describe how
the interconnection was terminated, and identify actions taken to isolate and investigate the
incident. In addition, the notification may specify when and under what conditions the
interconnection may be restored, if appropriate.
Restoration of Interconnection
Both organizations may choose to restore the system interconnection after it has been
terminated. The decision to restore the interconnection should be based on the cause and
duration of the disconnection.