Page 51 - Cyber Warnings
• Make sure your vendor is vetting his employees. Are background checks and non-disclosure agreements a part of the provider’s hiring practices? You may have answered this while screening the vendor. If not, be sure to review as part of the SLA.
• Your provider’s data-security practices:
  o Is confidential data encrypted at rest?
  o Is that data masked when viewed?
  o Does the vendor utilize role-based access practices?
  o Is vendor employee (and subcontractor) security training required?
  o Vendor email policy, ‘saving to local machines’, digital certificates… password guidelines. How does the provider manage these?

The list only scratches the surface… but should get the thought processes
going. It’s in your best interest to address these questions in the SLA.

• Last, think about an exit plan outlining how you will securely and completely remove your data in the event you and your provider part ways.

And what if the provider’s breached?

• Establish who’s in charge of the breach investigation. The vendor’s the one who’s been breached, but it’s your data. Decide beforehand who’s going to be doing what.
  o What vendor procedures are in place for breach containment and forensics? The provider should have an incident response plan in place. Are you able to get a copy? That plan should be tested on a regular basis.
• Make sure you receive timely, regular updates on events, investigations, and notifications taking place during the breach incident.
  o Does your organization want to interact with the provider’s forensic investigator directly?
• Coordinate forensic results and the provider’s plans for future security improvements (if you haven’t cut ties with the vendor!).

Step Three: Managing Existing Vendors With No SLA on File

I’ve spent quite a bit of time talking about new providers: vetting the prospects and establishing a strong service-level agreement. But chances are your organization has at least a few provider relationships that are already on the books. If that’s true, your organization may not have a service-level agreement with these firms. What to do?



51 Cyber Warnings E-Magazine – February 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
