Ensuring Security with Managed Service Providers
By Stephen Northcutt

This article continues a series in CyberDefense magazine about three tasks in which information security professionals tend to skimp. If we skimp now, that lack of effort may later come back to haunt us and our organizations. The three areas are: 1) determining requirements for systems or software; 2) making sure disaster recovery and business resilience plans are updated against the current known threat level; and 3) reviewing service contracts for security requirements. In this article, we explore service contracts for security requirements. Government regulatory requirements such as Sarbanes-Oxley, HIPAA and FISMA increasingly enforce accountability for security performance.

One effect of regulatory guidance is that people look for help from Managed Security Service Providers (MSSPs). According to Bruce Schneier, the CTO of Counterpane, compliance requires organizations to actively monitor the security of their networks in real time and maintain a robust audit trail of events that can be used to investigate an intrusion after the fact. Organizations simply don't have the manpower or expertise to do this kind of sophisticated monitoring in-house; outsourcing to a company like Counterpane is the only cost-effective way to maintain compliance with these regulations.

That sounds great, but who is ensuring the MSSP is compliant with the regulations? In the case of organizations covered by the Gramm-Leach-Bliley Act (GLBA), the interagency guidelines state that financial services must confirm that their service providers have implemented an effective information security program to protect customer information and customer information systems. Increasingly, transferring the risk -- one of the classic approaches to information security risk -- is less of an option.

Kevin Behr, the CTO of IP Services, points out that many executives believe that when they outsourced the management of their infrastructure, they also outsourced their regulatory obligations. The hard truth is that management, not the outsourcer, is responsible for its compliance. Outsourcing is not a free ticket to the abdication of management's responsibility for compliance with all applicable state, federal and international laws.

In today’s increasingly regulated environment, an organization must exercise appropriate due diligence in managing and monitoring its outsourcing arrangements for safeguarding customer information. This can be very challenging, particularly if the organization already has signed a multi-year contract with a service provider. In general, changing contract terms requires offer and acceptance. Though you can sometimes get provisions of a contract changed simply by asking, more often this will require money and there probably will be some bargaining along the way.

California Senator Liz Figueroa supports Senate Bill 1451 to ensure medical privacy is protected when outsourcing. Her fact sheet relates the following story. “In October of 2003, the San Francisco Chronicle first reported the story of a medical transcriptionist in Pakistan who had subcontracted with a Florida firm that had a contract with a Texas company that did business with the Medical Center at UC San Francisco. The woman claimed she was not being paid for her work and threatened to publicly release some of the information she possessed if she was not paid immediately. The UCSF Medical Center was not even aware this information had left the country, though it appears no laws had been broken until the Pakistani transcriptionist threatened to reveal the highly confidential medical information. While the woman was eventually paid and no records were actually released, the incident exposed a dangerous problem.” http://democrats.sen.ca.gov/senator/figueroa

According to Susan Orr, the Vice President of Regulatory Compliance for Catbird Networks Inc., contracts alone are not sufficient for oversight. In the case of GLBA, a provider who does transaction processing or sees customer information for whatever reason would be critical to the privacy of the customer’s data and therefore high risk. So, logically, more monitoring or oversight would have to be done.

Organizations should be reviewing the controls that service providers have in place to confirm their adequacy. Service provider monitoring/oversight should be consistent with the institution’s risk assessment. A service provider that processes, hosts or has access to confidential customer information would fall into a high-risk category and would require strong monitoring. Reviewing third-party audit reports of service providers’ security and summaries of test results are ways of monitoring. Orr goes on to list the following specifics that should be considered:

1. Review of third-party audits
2. Review of tests/test results performed on the service provider’s controls
3. Review of results of security configuration tests -- such as Center for Internet Security metrics -- on the service provider’s servers and routers
4. Review of vulnerability assessments, how they are performed and how often
5. Remediation: what is the patch management process following identification of a vulnerability
6. Performance monitoring
7. Service Level Agreement compliance
8. Monitoring or testing performed, including:
* Antivirus protection
* Firewall port scans
* Website monitoring, including defacements and weblinking
* Rogue LAN and wireless devices
* Evidence that IDS/IPS are used effectively
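Two of the items in the list above, website monitoring for defacements and for weblinking, can be checked with a baseline-and-compare approach: record a content fingerprint and the set of external hosts each page references, then flag any page whose content changed or that gained a link to a host not in the baseline. The following is an added example written for this article, not code from the article, from Catbird or from any provider mentioned here. It runs offline on constructed HTML snapshots; the host names, paths and page contents are all made up, and fetching the live pages is assumed to be done by the caller.

```python
"""Baseline-and-compare monitor for hosted web content.

Flags (a) pages whose content changed since the baseline (possible
defacement), (b) pages that gained links, scripts, frames or images
pointing at hosts outside the organization and not in the baseline
(weblinking), and (c) pages that appeared or disappeared.
The page snapshots below are constructed for the example.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample data: hostname of the monitored site and two snapshots.
OWN_HOST = "www.example.com"  # assumption: the site being monitored
BASELINE_PAGES = {
    "/": ('<html><body><h1>Welcome</h1><a href="/about">About</a>'
          '<img src="https://cdn.example.org/logo.png"></body></html>'),
    "/about": "<html><body><p>About us</p></body></html>",
}
# Later snapshot: /about now pulls a script from an unknown host.
CURRENT_PAGES = {
    "/": BASELINE_PAGES["/"],
    "/about": ('<html><body><p>About us</p>'
               '<script src="http://untrusted.example.net/x.js"></script>'
               '</body></html>'),
}


class _RefExtractor(HTMLParser):
    """Collects href/src values from tags that can pull in remote content."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("a", "iframe", "script", "img", "link"):
            for name, value in attrs:
                if name in ("href", "src") and value:
                    self.refs.append(value)


def external_hosts(html, own_host):
    """Return the set of hostnames referenced by the page other than own_host.
    Relative references (no hostname) are ignored."""
    parser = _RefExtractor()
    parser.feed(html)
    hosts = set()
    for ref in parser.refs:
        host = urlparse(ref).hostname
        if host and host.lower() != own_host.lower():
            hosts.add(host.lower())
    return hosts


def fingerprint(html):
    """SHA-256 of the page body; any byte change alters the digest."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def baseline(pages, own_host):
    """Record digest and external-host set for every page in the snapshot."""
    return {path: {"sha256": fingerprint(html),
                   "hosts": external_hosts(html, own_host)}
            for path, html in pages.items()}


def compare(base, pages, own_host, allowed_hosts=frozenset()):
    """Compare a new snapshot against the baseline.
    Returns a list of (path, finding, detail) tuples; empty means no change."""
    findings = []
    for path, html in pages.items():
        if path not in base:
            findings.append((path, "new-page", ""))
            continue
        if fingerprint(html) != base[path]["sha256"]:
            findings.append((path, "content-changed", ""))
        new_hosts = (external_hosts(html, own_host)
                     - base[path]["hosts"] - set(allowed_hosts))
        for host in sorted(new_hosts):
            findings.append((path, "new-external-link", host))
    for path in base:
        if path not in pages:
            findings.append((path, "page-missing", ""))
    return findings


def run_demo():
    """Baseline the first snapshot, then check the second against it."""
    base = baseline(BASELINE_PAGES, OWN_HOST)
    return compare(base, CURRENT_PAGES, OWN_HOST)


if __name__ == "__main__":
    for path, finding, detail in run_demo():
        print(f"{path}: {finding} {detail}".rstrip())
```

A provider's own CDN host would normally be baselined or passed in `allowed_hosts`, so only unexpected hosts are reported; a content-changed finding on a page that is expected to change (a news page, for example) is a cue to baseline again after review, not a defacement by itself.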

The medical transcriptionist’s story exposes a significant problem with outsourcing: what if your service provider is also outsourcing? Contracts may not be enough to achieve oversight, but they can be used to your organization’s advantage. A contract is your opportunity to specify your security requirements for your service provider. Elements to consider include:

* Every employee of the service provider with any possibility of access to your data signs a confidentiality agreement with severe penalties for intentional or accidental disclosure.
* The provider agrees to the strict principle of least privilege and separation of duties, and any access is granted only on a need-to-know basis.
* The provider agrees to notify you of any additional providers it is currently outsourcing to, and to notify your organization of any outsourcing it begins to use in the future. If your organization does not approve of the new service provider, that should be grounds for terminating the contract.

This puts enormous pressure on service providers to demonstrate they meet the standards regulations require.

“We have made the due diligence process easier by seeking out trusted third-party validation of our operations and skill-sets,” said Steve Drew, the COO of LURHQ. “In terms of operations, a SAS 70 review from a Big 5 consultancy helps to validate our process, controls and technology to our clients. The SAS 70 was originally developed to certify financial industry service providers, thus removing the audit burden from the financial institutions themselves. The SAS 70 has since been adopted by many other industries to solve this problem and we believe by attaining this certification that it will deliver the same benefits to our clients as well.

“In terms of validating skill-sets, LURHQ requires that every single Intrusion Analyst and Threat Researcher become a SANS' Global Information Assurance Certified Intrusion Analyst (GCIA),” Drew continued. “This certification validates to our clients that these personnel have the necessary skills to analyze both known and unknown security events for signs of malicious activity and that they will be able to respond with speed and accuracy.”

One of the real dangers to organizations is that while we all know government regulations want us to do better, the regulations can be vague, confusing and incomplete, or spread across multiple guidance documents. Perhaps the most telling statement in the Gramm-Leach-Bliley Act (GLBA) is “interagency guidelines to be established.”

Section 501(b) is the section of GLBA mandating that agencies -- including the FTC, FFIEC and SEC -- develop standards for safeguarding customer information. It is in those Interagency Guidelines that the requirement for overseeing third-party relationships comes in. However, we can be sure that as time marches forward, the regulations will be increasingly spelled out. Since contracts are often multi-year vehicles, if your organization is considering outsourcing security or operations services, we hope you will take some time and diligently assist in reviewing the security requirements of the contract. It might save your organization a lot of time, pain and money down the line.

© IMPIRE Communications, LLC All Rights Reserved.  Website designed & managed by Oculus Networks