All companies that leverage third-party solutions especially if the solutions are web-based, in some respect, run an inherent risk of not being in control of their data and perhaps their own company's reputation at that point. If the third party solutions will handle data that the purchasing organization values highly, you might want to consider negotiating with the third-party prior to the purchase to coordinate for some kind of security evaluation. In this two part series, we will cover how to go about evaluating the security risks of third-party solutions and in future blogs, how to find the resources to conduct the assessment.
Too many times, we've seen organizations purchase third-party solutions; where we perform a security assessment after the contract has been signed and then, when it is found that the solutions are full of holes or may possess significant vulnerabilities, we have no negotiating room to get the security issues fixed. At this point the organization is at the mercy of the contract and the only two options are to either live with the security holes or drop the solution possibly losing money agreed upon or not being able to support the business need that the application was purchased for. Regardless it results in an inefficient spend of resources.
If you do decide that you want a security evaluation/assessment, here is a suggested security focused timeline to consider in conjunction with your evaluation of the solution:
Identify business requirements
Determining the exact business requirements will help determine what types of security requirements are needed.
Identify security requirements
Who will perform the security assessment, does your company have the capability/experience to perform your own security assessment or should you hire a security consultant company? A future blog will cover how to evaluate and select a security consultant. Consider if your company will want to include performance and privacy requirements as well.
These should follow your company's pre-existing security requirements.
Identify options i.e. third-party solutions and/or internally developed solutions
By understanding what your security needs are beforehand, you can determine early on which third-parties already have a good understanding of security.
Generally we have found that the companies that understand security have stronger solutions due to the greater care that they take in securing the application.
Set appropriate legal agreements mutually agreed upon between your company and the third party.
NDA - Non-disclosure Agreement: This generally will give assurance to your company and the third-parties that sensitive information is not freely shared with unauthorized parties.
SOW - Statement-of-Work: This documents what will be covered, how it will be achieved and what will be shared. It is important to make it clear that your company is not certifying that the third-party is secure by completing your security assessment; they are just meeting your security requirements.
Communicate business requirements and if possible, some if not all security requirements.
Sharing your security requirements should be considered carefully, the sensitivity and the potential for legal repercussions are there. Consult with your company's legal department.
Request information on any previously completed security reviews done by or on behalf of the third party
This can be a touchy subject, obviously the third-party do not want their vulnerabilities, including ones that were fixed, to be freely passed around. Having this knowledge though will help you evaluate where the third-party started out with at in regards to security and be able to compare it to where they are now.
We have now covered the preparation that needs to be completed in order to set this process in motion. In part two, we will cover the rest of the timeline including the actual security assessment.
Until next time!
Microsoft – ACE Team