Sunday, July 1, 2012

Compliance and third party providers



This is my first blog post from Melbourne, Australia. Sorry it took me so long, but moving to a new country is not an easy thing. Anyways, having finished one of my first projects here, I thought that it was a good moment to blog… and what better way to start with third party provider compliance.

Organisations today are switching from Capital Expenditure (CAPEX) to Operational Expenditures (OPEX). Just as a reminder, CAPEX are generally investments such as buying buildings, servers and software. OPEX on the other hand, is the budget for things you rent or purchase in increments like payroll, utilities or maintenance. Hence, OPEX is more controllable, flexible and has more accounting benefits.

This is one of the main reasons why organisations are switching from investing in infrastructure to “renting” or outsourcing it.  Infrastructure (hardware and server management), cloud services, security services and software development are typical examples of outsourcing.
But outsourcing is not simply switching from CAPEX to OPEX, you are actually giving  a third party the possibility to access, create, modify, transfer or delete data and information. This requires an analysis of inherent risks and a proper compliance monitoring from organisations, which in my opinion, is not normally executed.

Let us use the following software development outsourcing example (which in my opinion is quite real):

Organisation XYZ decides to outsource a web development to organisation ABC. The web development requires access to customer’s information. Once the deliverables were finished, organisation XYZ signed off the deliverables for production. Months later, Organisation XYZ’s new web development got hacked and millions of records containing customers’ information were exposed. After analysing what happened, it turns out that organisation ABC didn’t include information security best practices as part of their SDLC (Software Development Life Cycle) and neither tested their deliverables for vulnerabilities. Now organisation XYZ is facing lawsuits for privacy breaches.

Who is responsible for this breach?  Did organisation XYZ applied due diligence and due care? What could organisation XYZ have done to reduce the risk of this from happening?

Note: In my following post I will write about a proper compliance framework, so for this post I assume legal and regulatory compliance requirements are already known.

Step 1: Create a third party provider outsourcing policy

Depending on what we are going to outsource; we need to have a policy specifying which are the organisation’s outsourcing requirements. For example, if we outsource software development, policy might specify:
  • Risks of outsourcing must be analysed and mitigation controls implemented during SDLC.
  • A SDLC framework according to best practices must be applied by provider.
  • A proper change management process with approvals from both organisations must be in place.
  • Threat Risk Assessment (TRA) should be included as part of the change management process.
  • Information protection mechanisms should be in place to protect its CIA (Confidentiality, Integrity and Availability).
  • Vulnerability scans and penetration tests should be performed for a development to achieve a security certification.
  • Development must be accredited before entering into the production stage.
  • Requirements for compliance to this policy must be included in outsourcing contract.
  • Provider must have a proper information security program.
  • Provider must execute annual risk assessments on its infrastructure.
  • Provider must have a proper information security framework in place.

Also we can create a generic policy, which ever approach fits best an organisation.

Step 2: Perform a risk assessment

Going back to our example, the development required access to customers’ information and that itself requires an analysis of what are the possible risks and impacts. Here are some questions that might have been asked:
  • What would happen if the code is contains bugs? Will that allow a hacker to get into our systems? 
  • What would happen in the platform has vulnerabilities and we do not apply patches to them? 
  • What if the connections to the database are insecure?
  • What if the customer information gets stolen? 
  • Is the provider properly screening its employees? 
  • Does the provider outsource to another provider? 
  • What regulations could be breached if something goes wrong?

Step 3: Include compliance requirements in contract

This is a key step, because we will be checking compliance on the contract. The contract should have a special compliance clause that lists all the requirements that the third party provider must comply with. You can use your outsourcing policy (internal) as a source plus any new requirements that resulted as the risk assessment process.

Other key requirements that might be specified (as an example) are:
  • Rights to audit the third party provider 
  • Liability issues (if their deliverables are vulnerable without proper due care taken) 
  • Personnel screening by third party provider 
  • No “outsource” requirement (do not allow the third party provider to outsource to a fourth one). 
  • Reporting and monitoring requirements (KPIs and reports to be created). This is important to perform monitoring.

Step 4: Monitor compliance


Now that we have a contract that includes compliance requirements which are based on the organisation’s policies and risks detected, we can monitor the third party provider for compliance based on that contract.

The compliance monitoring process can be fed from the following sources:
  • Assurance activities (external / internal audits) 
  • KPI measurements that might indicate a non-compliance (i.e. number of changes requested and approved do not match the changes placed in production) 
  • Results from penetration tests and Vulnerability scans 
  • Self-assessment reviews 
  • Regulatory reviews 
  • Consulting reviews 
  • Changes in regulatory requirements that might affect the development


A key thing is having a good compliance framework and a management system to track non-compliance issues resolutions and associated risks. I’ll adress that in my next post.

Hope it helps :)

2 comments:

  1. Great post. I came across your post while looking up centris consulting reviews. I am glad I did because this was a very interesting read. My husband would love this, I will have to send this to him. Thanks for sharing Agustin.

    ReplyDelete
  2. I know very well that it is extremely difficult to come up with worthwhile article subjects all the time. So I just want to say: well done! Regards,

    ReplyDelete