Sunday, July 1, 2012

Compliance and third party providers



This is my first blog post from Melbourne, Australia. Sorry it took me so long, but moving to a new country is not an easy thing. Anyway, having finished one of my first projects here, I thought it was a good moment to blog… and what better way to start than with third party provider compliance.

Organisations today are switching from Capital Expenditure (CAPEX) to Operational Expenditure (OPEX). Just as a reminder, CAPEX is generally investment such as buying buildings, servers and software. OPEX, on the other hand, is the budget for things you rent or purchase in increments, like payroll, utilities or maintenance. Hence, OPEX is more controllable, more flexible and has more accounting benefits.

This is one of the main reasons why organisations are switching from investing in infrastructure to “renting” or outsourcing it. Infrastructure (hardware and server management), cloud services, security services and software development are typical examples of outsourcing.
But outsourcing is not simply switching from CAPEX to OPEX: you are actually giving a third party the possibility to access, create, modify, transfer or delete data and information. This requires an analysis of the inherent risks and proper compliance monitoring by the organisation, which, in my opinion, is not normally done.

Let us use the following software development outsourcing example (which in my opinion is quite real):

Organisation XYZ decides to outsource a web development to organisation ABC. The web development requires access to customers’ information. Once the deliverables were finished, organisation XYZ signed them off for production. Months later, organisation XYZ’s new web development got hacked and millions of records containing customers’ information were exposed. After analysing what happened, it turns out that organisation ABC didn’t include information security best practices as part of their SDLC (Software Development Life Cycle), nor did they test their deliverables for vulnerabilities. Now organisation XYZ is facing lawsuits for privacy breaches.

Who is responsible for this breach? Did organisation XYZ apply due diligence and due care? What could organisation XYZ have done to reduce the risk of this happening?

Note: In my next post I will write about a proper compliance framework, so for this post I assume the legal and regulatory compliance requirements are already known.

Step 1: Create a third party provider outsourcing policy

Depending on what we are going to outsource, we need to have a policy specifying what the organisation’s outsourcing requirements are. For example, if we outsource software development, the policy might specify:
  • Risks of outsourcing must be analysed and mitigation controls implemented during the SDLC.
  • An SDLC framework according to best practices must be applied by the provider.
  • A proper change management process with approvals from both organisations must be in place.
  • A Threat Risk Assessment (TRA) should be included as part of the change management process.
  • Information protection mechanisms should be in place to protect the CIA (Confidentiality, Integrity and Availability) of the information.
  • Vulnerability scans and penetration tests should be performed for a development to achieve a security certification.
  • A development must be accredited before entering the production stage.
  • Requirements for compliance with this policy must be included in the outsourcing contract.
  • The provider must have a proper information security program.
  • The provider must execute annual risk assessments on its infrastructure.
  • The provider must have a proper information security framework in place.

Alternatively, we can create a generic policy; use whichever approach fits the organisation best.

Step 2: Perform a risk assessment

Going back to our example, the development required access to customers’ information, and that in itself requires an analysis of the possible risks and impacts. Here are some questions that might have been asked:
  • What would happen if the code contains bugs? Will that allow a hacker to get into our systems?
  • What would happen if the platform has vulnerabilities and we do not apply patches to them?
  • What if the connections to the database are insecure?
  • What if the customer information gets stolen?
  • Is the provider properly screening its employees?
  • Does the provider outsource to another provider?
  • What regulations could be breached if something goes wrong?

Step 3: Include compliance requirements in contract

This is a key step, because we will be checking compliance against the contract. The contract should have a specific compliance clause that lists all the requirements the third party provider must comply with. You can use your (internal) outsourcing policy as a source, plus any new requirements that resulted from the risk assessment process.

Other key requirements that might be specified (as an example) are:
  • Right to audit the third party provider
  • Liability (if their deliverables are vulnerable because proper due care was not taken)
  • Personnel screening by the third party provider
  • No “outsourcing” clause (do not allow the third party provider to outsource to a fourth party)
  • Reporting and monitoring requirements (KPIs and reports to be produced). This is important in order to perform monitoring.

Step 4: Monitor compliance

Now that we have a contract that includes compliance requirements based on the organisation’s policies and the risks detected, we can monitor the third party provider for compliance against that contract.

The compliance monitoring process can be fed from the following sources:
  • Assurance activities (external / internal audits)
  • KPI measurements that might indicate a non-compliance (e.g. the number of changes requested and approved does not match the changes placed in production)
  • Results from penetration tests and vulnerability scans
  • Self-assessment reviews
  • Regulatory reviews
  • Consulting reviews
  • Changes in regulatory requirements that might affect the development
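The change-management KPI above (approved changes versus changes actually placed in production) is the one monitoring source that can be automated cheaply. The following is an added example, not code from the original post: a small reconciliation that takes a list of change records (with the approvals the outsourcing policy demands from both organisations) and a production deployment log, and flags deployments that have no fully approved change behind them, as well as approved changes that never shipped. The change and deployment records, the identifiers such as CHG-101 and the release names are all constructed sample data, not real records.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Change:
    """A change request as recorded in the change-management system (constructed)."""
    change_id: str
    approved_by_customer: bool   # approval from the outsourcing organisation (XYZ)
    approved_by_provider: bool   # approval from the third party provider (ABC)

@dataclass(frozen=True)
class Deployment:
    """One production release taken from the provider's deployment log (constructed)."""
    release: str
    change_id: Optional[str]     # None when the release references no change record
    deployed_on: date

# Constructed sample data: three change records and three production releases.
CHANGES: List[Change] = [
    Change("CHG-101", approved_by_customer=True, approved_by_provider=True),
    Change("CHG-102", approved_by_customer=False, approved_by_provider=True),  # provider-only approval
    Change("CHG-103", approved_by_customer=True, approved_by_provider=True),   # approved, never shipped
]

DEPLOYMENTS: List[Deployment] = [
    Deployment("rel-2012.06.01", "CHG-101", date(2012, 6, 1)),
    Deployment("rel-2012.06.08", "CHG-102", date(2012, 6, 8)),   # shipped without customer approval
    Deployment("rel-2012.06.15", None, date(2012, 6, 15)),       # "hotfix" with no change record at all
]

def reconcile(changes: List[Change], deployments: List[Deployment]) -> Dict[str, object]:
    """Compare approved changes with production deployments.

    The policy in this post requires approval from both organisations, so a change
    counts as approved only when both flags are set. Returns the KPI inputs and the
    two lists an auditor would want to follow up on.
    """
    approved_ids = {c.change_id for c in changes
                    if c.approved_by_customer and c.approved_by_provider}
    deployed_ids = {d.change_id for d in deployments if d.change_id is not None}

    # Releases that reached production without a fully approved change behind them.
    unapproved_deployments = sorted(d.release for d in deployments
                                    if d.change_id not in approved_ids)
    # Approved changes that never appeared in the deployment log.
    approved_not_deployed = sorted(approved_ids - deployed_ids)

    return {
        "approved_count": len(approved_ids),
        "deployed_count": len(deployments),
        "unapproved_deployments": unapproved_deployments,
        "approved_not_deployed": approved_not_deployed,
        # The KPI from the post: a mismatch here is a non-compliance indicator.
        "kpi_mismatch": len(approved_ids) != len(deployments) or bool(unapproved_deployments),
    }

if __name__ == "__main__":
    for key, value in reconcile(CHANGES, DEPLOYMENTS).items():
        print(f"{key}: {value}")
```

On the constructed data the KPI mismatches (2 approved changes, 3 deployments), and the two releases listed under `unapproved_deployments` are the items to raise with the provider; the unshipped CHG-103 is worth a question too, since an approved change that silently disappears can hide a change that went out under another name.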

A key thing is having a good compliance framework and a management system to track the resolution of non-compliance issues and the associated risks. I’ll address that in my next post.

Hope it helps :)