How are IT security teams tackling the challenges posed by the growing use of third-party platforms and services? These changes in the way a company’s IT infrastructure is secured give malicious actors a much larger attack surface to work with and, once access is gained, a wider range of options for reaching the target company’s IT infrastructure.
Assuming the security team has a solid understanding of the organization’s business and its internal and external processes, a good starting point would be to outline all the processes and sub-processes – IT, paper and others.
The purpose of this mapping is to identify the different boundaries between applications and services, including when third parties themselves use third party services. In this way, you should be able to determine what type of control you need to have over the individual services and the boundary between the services.
The ability to identify these controls, or the lack of them, combined with business knowledge of what is at stake if a control fails (or is not present), builds a picture of the risk landscape and thus leads to a risk management strategy. Keep in mind that at this stage this is an exercise on paper only.
The first step is to identify what is under the direct control of the organization – for example, IT infrastructure and on-site equipment such as computers, laptops or mobile phones used by staff, provided and maintained internally and subject to security policies, procedures and standards.
The second step is to identify those infrastructure areas and services that the organization relies on a third party to provide and maintain – here there is a reliance on the third party’s own security policies, procedures and standards.
The third step is to identify those areas that are essential to the functioning of the organization’s infrastructure, services and operations, but where there is no organizational control over the security of these services – such as the use of the Internet or other third-party networks.
Once these areas have been identified, documented, risks assessed and risks prioritized, the task of assessing available controls and their effectiveness can begin. The difference between what “should” be in place and what is “in place”, along with the priority of risk, will lead to a corrective action plan.
What follows is my opinion on what controls I usually look for. It is not exhaustive and I have not gone into details – there are many sources of useful information, be it books, courses or internet searches.
Look first at step three, where you have no control. The security measures you can take fall into three areas:
- Encryption of data in transit – for example, point-to-point encryption between systems and services, including opportunistic encryption between email servers, and encryption of email content on end devices.
- Control of outbound data, so that only non-sensitive data leaves the organization.
- Control of inbound data – for example, make sure all externally facing interfaces are kept up to date and subject to regular IT health checks so that vulnerabilities are found and fixed. Make sure your email systems and the related Internet domain settings are correctly configured for the SPF, DMARC and DKIM protocols.
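As an added example (not from the original article), the following Python checks whether a domain’s published SPF and DMARC TXT records are configured defensively, the kind of check the last bullet calls for. The domain and record values are constructed assumptions; DKIM is not checked because that requires the selector’s public key record.

```python
# Added example: offline sanity checks for SPF and DMARC TXT records.
# In practice the records are fetched from DNS (the domain's TXT record and
# _dmarc.<domain>); here they are constructed sample strings for example.org.
import re

SAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example.net -all"
SAMPLE_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.org; adkim=s; aspf=s"

# SPF mechanisms/modifiers that cost a DNS lookup; RFC 7208 caps these at 10.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|ptr|exists:|redirect=)", re.I)


def check_spf(record):
    """Return a list of findings for an SPF record (empty list = acceptable)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    findings = []
    last = terms[-1].lower()
    if not last.endswith("all"):
        findings.append("no terminating 'all' mechanism")
    elif last in ("+all", "all"):
        findings.append("'+all' lets any host send mail as this domain")
    elif last == "?all":
        findings.append("'?all' is neutral; prefer '-all' or '~all'")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the limit of 10 (permerror at receivers)")
    return findings


def check_dmarc(record):
    """Return a list of findings for a DMARC record (empty list = acceptable)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["record does not start with v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or 'missing'} does not enforce; use quarantine or reject")
    if "rua" not in tags:
        findings.append("no rua= aggregate reporting address; spoofing attempts go unseen")
    return findings
```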
For the second step, which relies on third parties to be protected to a level acceptable to the organization, the main control is the service contract.
This should not only set out the security requirements of the organization, but also how they are to be verified. Simply stating that the acquired service is certified against an official standard such as ISO 27001 is insufficient. The contract must identify the areas that certification must cover (e.g. the ISO 27001 Statement of Applicability), must include all areas that are part of or affect the service provided, and must require official evidence that the certification is current.
Other areas not covered by official third-party certificates may include recruitment and disciplinary processes, internal audits, and service delivery aligned with the organization’s own provision of services. These areas must be covered by contractual terms.
The first step, of course, is to review and evaluate the internal organizational policies, procedures and standards – such as staff vetting. Has the prospective employee’s CV been checked, and is more than one reference used? Are the security policies and supporting procedures and standards up to date, and are they being followed? Is there sufficient training and education of staff? Do the IT and IT security departments have adequate resources? Are regular IT health checks performed on the internal infrastructure as well as on the external interfaces? Do contractors follow the rules and procedures of the organization? Has the IT been subject to official certification, such as ISO 27001, Cyber Essentials, etc.? Are other ISO standards met, such as ISO 27004 (monitoring, measurement and analysis), ISO 27005 (information security risk management) and ISO 27033 (network security)?
All this should be second nature for the experienced IT security specialist.
https://www.computerweekly.com/opinion/Security-Think-Tank-To-follow-a-path-you-need-a-good-map