CISSP Vendor, Consultant, and Contractor Agreements and Controls- Bk1D1T8St4

Vendor, Consultant, and Contractor Agreements and Controls
Many organizations require expertise or talent that does not exist inside their organizations. These relationships may exist for goods or services, but both types of acquisition open the organization to risk. Ensuring that these relationships do not expose the organization’s sensitive information requires integrating the vendors, contractors, and consultants into the larger organizational security framework.

Industrial Espionage
Many organizations that rely on contractors have multiple contractors working side by side. While this can create a positive collaboration, care must be taken to ensure that the intellectual property of one vendor does not spill to another. Economic studies have shown it is far cheaper for organizations to steal technology from others than it is to independently develop the technology. In May 2014, the U.S. government indicted a number of Chinese military officers, alleging in part that to pursue business opportunities in China, Westinghouse Electric partnered with a Chinese state-owned nuclear power company (SOE-1). The Chinese partner “stole from Westinghouse’s computers, among other things, proprietary and confidential technical and design specifications for pipes, pipe supports, and pipe routing within the nuclear power plants that Westinghouse was contracted to build, as well as internal Westinghouse communications concerning the company’s strategy for doing business.” Protecting an organization’s intellectual property from compromise in part requires a robust and comprehensive approach to personnel security.

Assessing Risk
At a minimum, the contracting organization should require its vendors to provide an equivalent, or greater, level of control than the contracting organization itself maintains in the absence of the vendor. This applies to the entire information lifecycle of the information being shared. Risk assessments of vendor engagements, consistent with the organization’s practice, should be performed as part of the contracting process, and the vendor’s controls should be monitored throughout the period of performance. Personnel assurance expectations should be identified as early as possible in the contracting process. This would typically occur as the statement of work or tender is being prepared, so that vendor offerings can be evaluated within the context of the security expectations. From the vendor’s standpoint, knowing the expectations up front allows it to assess more accurately the cost of providing the services to the contracting organization.
There is a broad range of controls that may be appropriate for contractors or vendors. These include nondisclosure agreements, background investigations, training requirements, site escorts, badging, physical and logical access controls, monitoring of information systems use, and dozens of others. It is essential that the controls provide a defense in depth against information disclosure.
Background investigations leading to security clearances are not sufficient to prevent loss. Many of the significant information security breaches that have occurred in recent years were caused by cleared individuals. In the U.S. National Security Agency, misconduct by contractors such as Edward Snowden, Hal Martin, Reality Winner, Nghia Hoang Pho, and others resulted in the mishandling of large volumes of sensitive information. All of these individuals held security clearances and used their authorized access to disclose sensitive information.
One of the challenges in placing specific expectations on vendors is the additional overhead in meeting the customer’s requirements. It may well mean increasing the costs of using the vendor. Further, more onerous requirements may discourage competent firms from offering their services simply because of the burdens of compliance. This is particularly true if the method of control is specified, rather than identifying the effect of the control. Finding the right balance between the cost of the control and the level of risk must be determined for each unique circumstance.


Compliance Framework Requirements
Many of the risk management and compliance frameworks require organizations to address controls over third-party personnel. In the United States, NIST Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” identifies personnel security controls that vendors must address when managing certain types of sensitive information under federal contracts. Third-party compliance with the Health Insurance Portability and Privacy Act also places expectations on contracting organizations to ensure that their partners use appropriate assurance practices with their personnel.
The ISO 27001 framework and, specifically, ISO 27005, “Information Security Risk Management,” also addresses security risk management activities in outsourcing. Similarly, the Control Objectives for Information and Related Technologies (COBIT) framework identifies third-party management activities in the process area DS2, “Manage Third-party Services.”
