Page 52 - Cyber Warnings
You may still be able to work out a late-breaking, mutually beneficial SLA with the
vendor. If so, great. A signed agreement is the best insurance you can have.
Realistically, though, you might not be able to negotiate an agreement. Whether you
do or not, you still have a responsibility to your client and their data. At the very
least, conduct a service audit of the provider to determine how they are managing
your information. At a high level, your audit should cover at least the following:
o Vendor security: platform security (firewalls, IDS, patching, etc.) and physical security
(building access, employee screening, etc.).
o Data management: encryption at rest, role-based access control (RBAC), protection of data
in transit, and related considerations such as who can see your data and how that access is logged.
The suggestions outlined in Step Two offer a good lead-in to the audit questionnaire. (Note:
keep pushing for the SLA! In the meantime, put this audit on your calendar and conduct it
at least annually, and more often if there are changes in your organization or in the
vendor's environment.)
While the audit doesn't give you the assurance that a service-level agreement offers,
it does demonstrate due diligence on your part, and it leaves you with a written record of
what the vendor told you and when. You may decide to switch providers after a look at
the audit results! Forewarned is forearmed: in the event your vendor is breached, the
audit gives you a better understanding of your exposure.
In our fairy tale, Hansel and Gretel skip innocently into the gingerbread house. Not looking
where they're going is a pretty bad idea. Of course, we live in a different world, and our lack of
foresight won't drop us into any witch's oven. The fallout from an unanticipated, unprepared-for
breach of your organization's data at a vendor isn't a very happy place either, though. Don't let it
happen to you!
Disclaimer: The ideas offered in this paper are just that: one of the many lists of ideas available
to your organization. Don't treat this as policy. These thoughts may or may not apply in each
setting, and other approaches may be a better choice!
About the Author
Rob Elgin MBA, CISA is an IS Auditor in Des Moines, Iowa. For a number of
years, he’s been active in data security, compliance, as well as risk identification
and control. Much of his work focuses on PCI compliance and the
assessment/development of internal controls. In his spare time, he enjoys time
with his family and (eventually!) restoring his Triumph TR3.
52 Cyber Warnings E-Magazine – February 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide