RE: Third-parties and vendors

Holding third parties accountable to your organization's own security
policy may seem like the right approach, but the security policy of your
organization should be specific to your organization's IT infrastructure
and in support of your company's business objectives. The third party, by
abiding by your company's security policy, may be addressing security
aspects that are not related to the service being offered to your
organization. This fact is compounded by the fact that security policies
do not offer precise details on how the controls (whether manual or
technical) should be implemented and managed.

Most mature organizations spend time to develop a set of standards for
third party service providers. I say standards in lieu of policies because
they offer more specific criteria as to what the third party should abide
by. Most service providers will be more thankful to address third party
standards in lieu of policies given that there is more precise information
in the content of a standard compared to the vagueness of a policy
(inherent trait to a policy).

In the financial sector, the BITS group has allowed for the convergence of
its financial industry members to address third party security standards
via the development of various reference material and even toolsets that
serve as a baseline for addressing the security posture of third party
service providers. The BITS organization has allowed for banks and
financial institutions from within the same industry to address some of
the core security parameters that should be pervasive amongst their
service providers. They have done a good job in sharing similar concerns
related to third parties given that their operations are similar in many
respects. More info can be obtained regarding that effort at Other industries will do well to
emulate their efforts and leverage the lessons learned from other peers in
their respective industry.

Going back to your original question, I would begin by addressing the
specific components of your third party's service offering and mapping
those components to your organization's strategic objectives. There will
be parts of their service offering that greatly impact various components
of your company's strategic objectives; therefore, you should focus on
mapping those specific components to common security domains (use ISO
17799:2005 as a start). Upon doing so, you will be able to identify what
underlying security control objectives you want your third party to comply
with and list for them underlying controls that will be measurable and
serve as your set of third party standards for that particular vendor.
Obviously, if you have numerous vendors, you will want to identify
commonalities across the vendors in order that you don't repeat this
exercise multiple times.

Hope this helps.

Tony UcedaVélez, CISA, GIAC
VerSprite, LLC - True Spirit of Business Technology
(office) 678.938.3434
(email) tonyuv@xxxxxxxxxxxxx

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Stephen Tanner
Sent: Tuesday, December 05, 2006 8:41 AM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Third-parties and vendors

I was wondering how everyone holds third-parties and vendors to their
security policies. I have a few templates with suggestions, but I'm not
sure that I could get a large corporation to sign the document without
them wanting to have a slew of lawyers look it over.

What do the rest of you do?

Stephen Tanner
Information Security Administrator
Network Support Services
Lee County Clerk of Courts
