Third Party Security: Are your vendors compromising the security of your Agency?
Wendy Nather, Texas Education Agency; Michael Wyatt, Deloitte & Touche LLP
TASSCC Annual Conference, 3 August 2010


Dec 26, 2015

Transcript
Page 1: Third Party Security: Are your vendors compromising the security of your Agency?

Wendy Nather, Texas Education Agency
Michael Wyatt, Deloitte & Touche LLP
TASSCC Annual Conference, 3 August 2010

Page 2: Agenda

3rd Parties: Here to stay
Size and Nature of the Problem
Risks and Risk Mitigation
Clouds in our Eyes
Policies and Assessments
Recommended resources
Q/A

Page 3: 3rd Parties: Here to Stay

Public/Private Partnership
Specialized Skill Sets
Cost Considerations
Net: Can’t unscramble the egg, and probably wouldn’t if we could

Page 4: SIZE OF THE PROBLEM

Page 5: Dimensions of the Problem

On-Site Contractors
  Access to sensitive information
  Application Development
  IT OPS: admin rights to apps and systems
External service providers
  Business services (HR, payments, printing, etc.)
  Projects (web site development/hosting)
  Software / application vendors
  Outsourced support services
ASP / SaaS / Cloud
  Hosting Agency applications
  Housing sensitive data (PII, PHI)
  Handy Internet services (Survey Monkey, iTunes U, etc.)

Page 6: What’s the Risk?

Verizon Business Data Breach Incident Report:
11% of breach events involved a third-party partner as the primary vector*
27% of breach events involved multiple sources (e.g. external + partner)
26% of compromised assets were managed externally; an additional 9 percent were co-managed

*Note: based on data collected by VZB and the Secret Service only, and for intentional breaches only, not contributory errors

Page 7: e.g. Veterans Administration

May 2010: 3rd party contractor’s unencrypted laptop stolen with Sensitive Information
3rd party “certified” that all laptops used encrypted hard drives
VA policy requires encryption
Over 500 3rd parties refusing to sign encryption clause

Page 8: RISKS AND RISK MITIGATION

Page 9: Shared State of Texas Risk

How many different accounts does your vendor service?

What are you willing to bet they’re using the same admin password for all of them?

What are you willing to bet that the password is “password”?

Page 10: Dude, Where’s Our Firewall?

How many trusted entry paths do you have to your network?

How many connections do you have to third-party partners apart from outsourcing?

Do you still really think you have a perimeter?

Page 11: What’s Most Important?

Maintaining control over security
Maintaining accountability
Ensuring legal compliance

Page 12: What’s Not?

Data Mapping
Asset Classification
Security Control Frameworks used by 3rd parties
Technical Controls in the absence of good business processes
SAS-70s *

Page 13: Methods of Control

Technical control
Business Processes / Procedural control
Contractual control

Page 14: The Password Problem

System administrators have ultimate technical control

Page 15: Compensations

Balance: Technical
  Privileged Account Management
  Multifactor Authentication
Balance: Process / Procedural
  Oversight
  Separate, immediate log collection
  Regular audits
  Paper throttle
    Workflow system
    Signoff requirements
Balance: Contractual
  Acceptance or rejection of personnel
  Compliance with written policies

Page 16: The Knowledge Problem

If they have all the technical expertise, how do you know what they’re doing?

Balance: Procedural
  Separate technical expertise
  Regular reviews
Balance: Contractual
  Solutions and practices must comply with legal requirements

Page 17: The Money Problem

Vendor can influence decision-making by judicious use of price tags

Balance: Contractual
  Preserve right to do it yourself
  On-demand cost reviews and bids

Page 18: Security Separation of Duties

Contractor provides high-level security design documents, generic procedures, baseline security settings

Agency determines which technical measures are needed to comply with laws (HIPAA, FERPA, IRS, CJIS, etc.)

Consider having 3rd party assess security of the source code and architecture

This may cost extra

Page 19: Application Security

Software Development Life Cycle (SDLC)
  Do they even have one?
  Include them in yours
Threat modeling
Test cases including security
QA phase includes security scanning/pen testing
Don’t forget the platform

Page 20: Warranties

No, really:

Any security issues relating to flaws in the implementation or design of the software shall be remediated at the expense of the vendor, regardless of when they are discovered, for the life of the contract.

If anyone screams at this, kindly remind them that Microsoft et al. do this already; it’s called “maintenance.”

Page 21: What about enhancements?

Any requests for new security functionality (such as different access control measures, new encryption, more detailed logging, etc.) shall be considered the same as other new operational functionality and shall be handled according to the software enhancement agreements in this document.

Page 22: System Integrators

Purchased product not under System Integrator’s control
Engagement Acceptance and Signoff
Use of Off-shore vs. local resources
Product Vendor Professional Services vs. Independent Professional Services

Page 23: Verification

Make the developer do their own security testing

OWASP Application Security Verification Standard (ASVS) Project

Page 24: Levels of Due Diligence

What is our obligation to assess and monitor security?

What is “reasonable” to ask of 3rd Party providers?

What responsibility does the State have in this area?

Page 25: Additional Recommendations

Eliminate unnecessary data; keep tabs on what’s left
Make sure essential controls are met
Check the above again
Test and review web applications
Audit user accounts and monitor privileged activity
Filter outbound traffic
Monitor and mine event logs
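One way to put the oversight items on page 15 (separate log collection, workflow and signoff requirements, regular audits) and the "audit user accounts and monitor privileged activity" recommendation above into practice, as an added example that is not part of the deck: a small audit that checks vendor privileged activity against a register of what each engagement actually covers. The account names, hosts, dates and log format are constructed for the example.

```python
"""Audit third-party privileged activity against contracted scope.

Constructed example: a hypothetical register of vendor-managed admin accounts
and a handful of made-up log lines. Flags three things the deck asks agencies
to watch for: privileged use on hosts outside the vendor's engagement, use
after the engagement ended, and privileged changes with no workflow ticket.
"""
import re
from datetime import date, datetime

# Hypothetical vendor account register: account -> (vendor, hosts in scope, engagement end)
VENDOR_ACCOUNTS = {
    "acme-svc":  ("Acme Hosting", {"web01", "web02"}, date(2010, 12, 31)),
    "pay-admin": ("PayCo",        {"pay-db01"},       date(2010, 6, 30)),
}

# Constructed log format: "<ISO timestamp> host=<name> user=<account> action=<verb> [ticket=<id>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) action=(?P<action>\S+)"
    r"(?: ticket=(?P<ticket>\S+))?$"
)
# Actions that must be backed by an approved workflow ticket (the "paper throttle")
PRIVILEGED = {"sudo", "config-change", "user-add"}

# Constructed sample log lines (not real agency data)
SAMPLE_LOG = """\
2010-07-14T09:02:11 host=web01 user=acme-svc action=sudo ticket=CHG-1042
2010-07-14T09:15:40 host=hr-db01 user=acme-svc action=config-change ticket=CHG-1043
2010-07-15T02:41:07 host=pay-db01 user=pay-admin action=user-add
2010-07-15T10:00:00 host=web02 user=acme-svc action=login
2010-07-15T11:30:00 host=web02 user=acme-svc action=config-change
"""


def audit(log_text, register=VENDOR_ACCOUNTS):
    """Return a list of (account, reason, log line) findings for vendor accounts only."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["user"] not in register:
            continue  # unparseable line, or an internal (non-vendor) account
        vendor, hosts, ends = register[m["user"]]
        when = datetime.fromisoformat(m["ts"])
        if m["host"] not in hosts:
            findings.append((m["user"], f"{vendor}: host {m['host']} outside contracted scope", line))
        if when.date() > ends:
            findings.append((m["user"], f"{vendor}: activity after engagement ended {ends}", line))
        if m["action"] in PRIVILEGED and not m["ticket"]:
            findings.append((m["user"], f"{vendor}: privileged action with no workflow ticket", line))
    return findings


if __name__ == "__main__":
    for account, reason, line in audit(SAMPLE_LOG):
        print(f"{account:10} {reason}\n    {line}")
```

The register is the piece the agency must own itself: it encodes the contract (scope and end date) so that the vendor's logs are checked against the agency's terms, not the vendor's.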

Page 26: CLOUD COMPUTING AND SAAS

Page 27: Clouds get in our eyes

Software as a Service (SaaS)
  Quick to set up
  No review by procurement or legal
  License = EULA
  No capital procurement required
  Monthly subscription (Watch out for ProCard charges!)
  No internal management costs

Page 28: Forecast – Cloudy with a 100% chance of risk

Security by Obscurity: e.g. Amazon S3
Controls: Lack thereof for Security
Loss:
  Of physical control of agency information
  Of governance of the information
  Of the information itself
Not Lost: Agency data retention AFTER contract conclusion / termination
Cloudy Staff: Background checks for employees? Third party contractors?
Water Leaks: Multi-tenancy increases the chance of intentional and unintentional access by one tenant to another tenant’s information

Page 29: Onward through the cloud

One size does not fit all
Cloud providers allow different levels of visibility / auditability
Cloud Audit project: aka Automated Audit, Assertion, Assessment, and Assurance API (A6)

Page 30: POLICIES, PROCEDURES AND ASSESSMENTS

Page 31: Third Party Security Policies

You have internal Policies, but what about third parties?

Explicit Third Party Policies and Procedures

Contract language

Page 32: What to put in the contract

General: Applicable to all third parties
  Security and Privacy Policies and Procedures & Legal Requirements
  Incident response
  Control and auditing of administrative privileges, user access
  Control and use of security software
  Right to Audit
  Laptops and removable media
  Account Management and Access Controls
Data and Application: Hosting/Housing Agency data
  Inventory, Data classification levels, and record retention schedules
  Vulnerability scanning and remediation
  Security configuration standards
  Backup security
  Business continuity / disaster recovery
  Change Management
Network Connectivity: 3rd parties w/ direct access to Agency Network
  Business continuity / disaster recovery
  Encryption
  Telephone, email
  Pull vs. Push

Page 33: Assessments

To Self-Assess or Not to Self-Assess
References and Referrals
Model: Financial Services Industry
Components to look at:
  IT and Risk Security Policies
  Asset management
  Security Awareness
  Physical and Environmental
  Access control
  Communications and Operations
  Business Continuity
  Management of Privacy
  Incident management
  Compliance

Page 34: The bottom Line: Are all vendors bad?

Well, not all of them
Trusted partners with security expertise

Page 35: Questions?

Wendy Nather, Texas Education Agency, [email protected] (address redacted in source; tea.state.tx.us domain)
Michael Wyatt, Deloitte & Touche LLP, [email protected] (address redacted in source; deloitte.com domain)

Page 36: RESOURCES

Page 37: Resources

The Shared Assessments Program, sponsored by BITS: http://www.sharedassessments.org
“General Electric Third Party Information Security Policy”: http://www.geae.com/aboutgeae/doingbusinesswith/docs/GE_thirdparty_policy.doc
The Cloud Security Alliance: http://www.cloudsecurityalliance.org/
The Open Group's Jericho Forum: https://www.opengroup.org/jericho/index.htm
OWASP Application Security Verification Standard (ASVS) Project: http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
Cloud Audit Project: http://www.cloudaudit.org

Page 38: About Deloitte

This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this presentation.

About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.

Copyright © 2010 Deloitte Development LLC. All rights reserved.