Another reminder of the importance of managing third party vendor relationships…
The Commodity Futures Trading Commission fined AMP Global Clearing (an electronic trading firm) $100,000 for a disclosure of 97,000 files containing customer information to an unauthorized third party due to a misconfigured network attached storage device.
AMP had outsourced parts of it information systems security program to a third party provider who had failed to detect the exposed data during three successive vulnerability audits of AMP’s systemes.
Outsourcing can be a really effective tool for augmenting a firm’s infosec program, but business leaders and CSOs need to remember that the ultimate responsibility for protection of corporate and customer data still remains with them. However, when the firm is a regulated entity, the risks of relying on an outsider to perform critical parts of the infosec program without adequate supervision outweigh the (admittedly attractive) cost savings.
Monitoring third party service provider performance is a hard problem. Most firms don’t have the resources to perform in person audits and most providers don’t have the ability to allow every customer to audit them. This is why external independent audits of third party providers’ security practices are so important. These audits need to be performed against generally accepted security standards with objective audit criteria. ISO27001 and SSAE18 SOC2 are two examples of such audit types.
Even if a business partner gets a clean bill of health from an independent auditor, their performance must be monitored by the line of business who engaged them as well as by the infosec department. Recently, I have been seeing more and more inquiries from my firm’s customers coming between their annual due diligence reviews of our services. Most of these inquiries occur when there is a “celebrity vulnerability” like Spectre/Meltdown – what I am hoping to see in the future are more questions confirming “security 101” procedures and practices.
The advent of security ratings firms like Security Scorecard and Bitsight can also be helpful in this area. While their security ratings cover specific aspects of a vendor’s security program (practices that can be seen from the Internet), they can provide an ongoing data point to be used to detect potential problems in between those annual security reviews. I believe that this industry is in its early stages and that the results that they provide must be examined carefully against the specific requirements of your security program.
As companies outsource infrastructure, applications and services to third parties in order to concentrate on their core competencies, the importance of third party vendor management is going to continue to grow.