
General third party security resources

Beating IT Risks by Ernie Jordan and Luke Silcock is a book aimed squarely at IT managers, addressing commercial, technology and information security risks (~US$85 from Amazon). Chapter 7 covers IT service providers and vendors, in other words 3rd parties. The book contains numerous examples and case studies to illustrate the importance of managing IT-related risks.
Don’t export security is about the pitfalls of offshore outsourcing. “I’d say fewer than 20 percent of my clients audit the security of their providers,” says Atul Vashistha, CEO of NeoIT, an offshore outsourcing consulting company. “They just accept the suppliers’ defined security plan and don’t check to see if they are living up to it.” Some suppliers probably take advantage of this laxity.
PortAudit for FreeBSD is an example of a tool for monitoring security vulnerabilities in third party products. Rather than manually scanning the websites of all your third party software suppliers for news of security patches, you simply run the tool and it checks the installed packages against a vulnerability database for you. There are also several public databases that collate this kind of information for various platforms.
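The following script is an added example, not part of this page and not PortAudit itself: it shows the mechanism such a tool relies on, matching an inventory of installed third party packages against a database of affected version ranges. The vulnerability database, the installed package list, the advisory identifiers (placeholders) and the range syntax are all constructed for illustration; it does not read the real FreeBSD auditfile or VuXML formats.

```python
"""Toy third-party package audit.

Added example for this page (not PortAudit and not the FreeBSD
auditfile/VuXML format). It checks an installed-package inventory
against a vulnerability database of affected version ranges, which is
the core of what a tool like PortAudit automates for you.
"""
import re

# Constructed vulnerability database: (package, affected range, advisory id).
# A range is one or more comparisons separated by spaces, all of which
# must hold (AND semantics). Advisory ids are placeholders.
VULN_DB = [
    ("openssl", ">=0.9.7 <0.9.7d", "ADVISORY-PLACEHOLDER-1"),
    ("openssl", "<0.9.6m", "ADVISORY-PLACEHOLDER-2"),
    ("apache", ">=2.0 <2.0.49", "ADVISORY-PLACEHOLDER-3"),
    ("zlib", "<=1.1.4", "ADVISORY-PLACEHOLDER-4"),
]

# Constructed inventory, as a package manager or CMDB export might give you.
INSTALLED = {
    "openssl": "0.9.7c",
    "apache": "2.0.52",
    "zlib": "1.1.4",
    "bash": "2.05b",
}

OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b,
}


def parse_version(version):
    """Turn '0.9.7d' into a comparable tuple.

    Numeric tokens become (0, int) and alphabetic tokens (1, str), so
    mixed tokens compare without error and a suffix letter sorts after
    the bare number ('0.9.7d' > '0.9.7') but before the next numeric
    step ('0.9.7d' < '0.9.8'). A toy scheme: '1.1' and '1.1.0' differ.
    """
    tokens = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(t)) if t.isdigit() else (1, t) for t in tokens)


def in_range(version, spec):
    """True if version satisfies every comparison in spec."""
    v = parse_version(version)
    for op, bound in re.findall(r"(<=|>=|<|>|=)\s*(\S+)", spec):
        if not OPS[op](v, parse_version(bound)):
            return False
    return True


def audit(installed, vuln_db):
    """Return sorted (package, version, advisory) triples for affected packages."""
    hits = []
    for pkg, version in installed.items():
        for db_pkg, spec, advisory in vuln_db:
            if db_pkg == pkg and in_range(version, spec):
                hits.append((pkg, version, advisory))
    return sorted(hits)


if __name__ == "__main__":
    for pkg, version, advisory in audit(INSTALLED, VULN_DB):
        print(f"Affected package: {pkg}-{version} -- see {advisory}")
```

With the constructed data above the audit flags openssl-0.9.7c (inside the first range) and zlib-1.1.4 (the inclusive upper bound), while apache-2.0.52 is newer than the fixed version and bash has no entry. The practical value of a real tool is the same loop run against a database someone else keeps current, which is why it belongs in routine patch monitoring rather than being done by hand.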
University of Pittsburgh’s security guideline for third party computer access and use is a useful example of a more informal definition of the organization’s security requirements on 3rd parties.
Trusted Third Parties
Compliance with recognized information security standards such as ISO/IEC 27001 and 27002 is another way to build trust. Organizations are starting to use standards compliance as a way of defining broad requirements for information security controls and mandating these on their business partners without necessarily having to conduct all their own audits. Entrust, for example, is proud of its certified compliance with various standards, demonstrating an independent acceptance of the security of its PKI products.
Information security is so important for some organizations that they insist on auditing 3rd parties against their own security specifications. VISA, Mastercard and others insist on independent audits against the Payment Card Industry (PCI) standards by accredited PCI auditors. In the government and military arenas, similar processes exist for testing and auditing of 3rd party organizations and their products against Common Criteria and similar security standards.
Independent audits are certainly one way to gain more trust in third parties’ information security arrangements. India’s National Association of Software and Service Companies (NASSCOM) has promoted the idea of independent security audits of its people as a way to share the burden of raising trust in the Indian offshore IT outsourcing industry.
Trusted Third Parties (TTPs) are commonly involved with key issue and escrow in encryption schemes.
The risks of key recovery, key escrow, and trusted third party encryption was written at a time when the US Government was promoting Clipper and similar proposals for key escrow. Governments through the ages have spied on their own and foreign organizations, and strong encryption seriously restricts this ability. There are implications for espionage, terrorism, organized crime ... and also for freedom of speech, privacy and human rights.
As escrow companies have become quite popular for large transactions on online auction sites, so too have escrow frauds. Here is another page of advice on avoiding the fraudsters and finding an escrow service you can actually trust. Escrow companies have even been involved in phishing scams.
Related NoticeBored links collections
Internet security, confidentiality, integrity, compliance, physical security, general information security and security awareness
NB: we do not necessarily endorse or agree with the third party websites accessible through the links. Use at your own risk. Please let us know about new or broken links.