Ken Morrison, principal of IT consultancy Morrison Consulting, led security and risk professionals in a discussion about outsourcing as part of the Peer-to-Peer discussion at RSA Conference 2015 in San Francisco. Below is Morrison's notes from the session. networks

Outsourcing to global partners is a regular activity by companies seeking to leverage their resources. Our session, Who’s invited to Your Party? Minimizing Risk From Outsourced Partners addressed these concerns head-on. RSAC USA 2015 had a total of eight sessions focused on partner security.  Ours was a fully attended session with a great mix of participants, representing large and medium businesses, health care, retail, and government.  We organized the discussion using a Prevention, Detection, and Response framework.

Most of the discussion focused on prevention, particularly activities typically conducted in advance of engaging partners. We opened with an examination of processes and documents, that help us understand and describe the risks from partner delivered services, covering partner supported operations, the data partners used and produced, and the access they have to our systems.  We discussed evaluation templates, those that are “home-grown” and those based upon standards, such as:

  • SSAE 16
  • NIST 800-53 (FIPS)
  • ISO 27001/2 (ISO 27001:2013 includes a new section on outsourcing, A.15, Supplier Relationships (5 controls))

A related discussion followed about the importance of contracts and Service Level Agreements (SLAs), and the role of the Legal Department. This expanded into a broader conversation about the need for good vendor management skills to address the problem of a lack of direct partner control and visibility.

In addition to highlighting the importance of partner on-boarding and management, other key messages addressed the importance of evaluating our own processes, data and networks.  Here the lessons learned were: the importance of systems partitioning for partners connecting to our networks; enforcement of least privilege for access to our systems and data; managing change during partner engagements; and logging and monitoring that extends to partner activities.  At the end of a partner contract it is essential to securely wrap up the systems interactions, ending access, reclaiming documents and data, and eradicating any information residue.

As outsourcing activities continue to grow so will their risks, with significant financial implications.  We are presented an excellent opportunity for enterprises, large and small, regional and global, to collaborate on effective solutions. The Target breach was merely the bellwether. 

The dynamic of this discussion demonstrated a call to “continue the conversation!”  I encourage RSAC USA 2014 attendees, as well as any other interested professionals reading this blog, to do so. Please feel free to post a comment, or write to me directly.