Security Interconnected

In a recent blog post, Is Your Security Harming Someone Else’s Business?, Tripwire CTO, Dwayne Melancon, talks about mapping out the relationships your business has with other outside entities to "connect security to the businesses we depend on and those who depend on us."

This is a novel concept considering that many organizations have such a hard time mapping out their own internal processes, let alone ones that stretch outside their environment.  One of the main points that Dr. Eric Cole discussed this year during his SANS 2013 keynote in Orlando was that when he has been called into organizations to do an investigation or analysis, the first thing he asks for is a network diagram and a list of locations of critical data.  He then conducts a discovery of critical data on the client's network and maps out the true location of critical data to find that it rarely matches the client's list.

One of the questions that Melancon asks in his blog is, do you know what impact changes in your organization might have on contractual commitments with outside parties?  Many times the people engaged in writing, reviewing and signing contracts within an organization do not have the level of technical understanding to know what good security practices are, let alone whether they are properly included in the contract.  In the financial sector, there are regulatory requirements for this sort of thing (see Interagency Guidelines Establishing Information Security Standards)

Under the Security Guidelines, each financial institution must:

• Develop and maintain an effective information security program tailored to the complexity of its operations, and 
• Require, by contract, service providers that have access to its customer information to take appropriate steps to protect the security and confidentiality of this information.

You Get What You Pay For (and Prepare For) 

If the people writing and signing these contracts do not understand InfoSec, then this whole process seems a bit like going off a cliff and not knowing what's up ahead.   

I was reviewing some BCP/DR documents for a small financial institution not long ago and found a contract with a technology service provider (TSP) that was storing off-site backups for them.  The TSP provided the proof of breach insurance that was requested and it showed that the coverage limit was $1 MM per incident.  That sure doesn't sound like much given the amount of money lost by small and medium sized banks recently due to phishing and account take over attacks which led to ACH/Wire Fraud.  But then after taking a closer look at the contract, I found this statement in the section titled "Limitation of Liability":

"If VENDOR becomes liable to the CUSTOMER under this Agreement for any other reason, whether arising by negligence, willful misconduct or otherwise, (a) the damages recoverable against VENDOR for all events, acts, delays, or omissions will not exceed in aggregate the compensation payable to VENDOR […] for the lesser of the months that have elapsed since the Operational Date […]"


Say what? [Unnecessary Risk]

Somebody obviously didn't take the time to read this garbage before whipping out their John Hancock.  Let's just say the amount paid to this vendor each year is much less than the value of the data the customer was backing up with this vendor.  

Managing the security of interconnected systems is not just an IT issue.  It is a business issue which means taking the time to read and understand the contracts that your business is agreeing to abide by.  Does your company have a process for reviewing contracts?  Is your IT/InfoSec team involved in that process?  Are contractual requirements communicated to your IT/InfoSec teams?  If you are missing these steps, then it will be impossible to do any sort of impact analysis across interconnected outside entities... just say'n.