IT Hygiene – No Longer Only for “your” Organization

2021-11-18 By SecureSteve

Supply chain logistics and management, and the vulnerabilities therein, rarely get the exposure they deserve. However, this most recent pandemic has shone a bright light on what it actually takes to get products into the stores and onto the shelves. I even wrote about some of this in a post about your wipes and toilet paper. It is fascinating to learn about what it takes to keep an organization moving and producing.

It is also interesting to find out how vulnerable to disruption some supply chains are. This could be for a variety of reasons beyond the scope of this article, but planning for disruption is an exercise that every organization undertakes to some degree. IT and cyber security are key pieces of these exercises, and recent breaches are absolutely forcing organizations to take this seriously. Do you rely on a single vendor for a certain piece of your business? What happens if they are impacted by a cyber security event?

Frameworks? Hygiene? – Every organization has to do it?

I’ve written previously on the concept of security frameworks. Beyond compliance obligations, many organizations find them helpful for establishing guidelines and metrics around how they build their security posture. This is an excellent strategy.

The concept of IT Hygiene is deeply embedded within most frameworks, and is often pointed to as a foundational component of any security posture. Of course it makes sense: there is no point worrying about the siding on the house if there isn’t even a roof installed. (Although, the security vendor community should do a better job emphasizing these basics, as opposed to hyping “silver bullet” type solutions.)

There is a fantastic write-up about how to use the CIS (Center for Internet Security) framework, and specifically the Implementation Group 1 items, to craft a strategy for an organization’s IT hygiene. If you are not familiar with these controls, or are looking for an opportunity to refresh and reevaluate your hygiene strategy, it is an excellent starting place.

The Thing is, You Just Have to Ask

To date, I’m not aware of a single, all-encompassing resource for finding out whether your vendors are ‘safe’ and practicing effective cybersecurity. While you can potentially look for media or other indications of data breaches, there is not today a formal obligation to disclose a data breach in many cases.

Wait, what?

In the United States, while each of the 50 states has enacted some form of security breach notification requirement, there is not today a single federal statute or guideline around these notifications. Many of the statutes tend to focus on things like physical security breaches, or financially impacting ones (breaches of financial/PCI data, etc.). In many cases, the notification requirements lean heavily around “user” (Personally Identifiable Information, or PII) data breaches. So, if your breach isn’t “user data”, it often can be swept under the rug.

It is still fair to ask.

Vendors today generally do expect to be asked questions about their ability to prevent and recover from a security event. For many vendors it is a standard part of the sales transaction process. But what do you do if you don’t know whether your vendor will tell you anything about their security situation?

Just ask. Again, in this day and age, these types of questions are not at all out of bounds. If a vendor pushes back to say their security program is proprietary or confidential, you may need to recraft the way you ask about their program. However, if a vendor is flat-out unwilling to talk through some of their existing security strategy with you, that should be considered a big red flag when determining if your organization can truly rely on that vendor.

There is a common item in the industry for “asking” a vendor about their cybersecurity program: a cybersecurity questionnaire. This questionnaire can serve as the basis of your conversation with your vendors, and provides an excellent initial picture of what type of security program they have in place. What your organization chooses to do with that information is on you, but at least you’ll be informed.

What should I ask my vendors?

The company Security Scorecard offers some excellent guidance on the makings of a cybersecurity questionnaire. I’ll provide those questions below as well. However, the questions provided are certainly fairly formal, and you may not quite have this level of relationship with your vendors. So, I’ll also provide some thoughts on how to simplify each question.

  1. Do you have a formal information security program in place?
    Do they have any dedicated people (i.e. with written job descriptions, titles, procedures, etc.) for information security?

  2. Is security testing performed by a qualified third-party vendor? How often are these tests performed and what was the date of the last test?
    Is any security testing done at all? Are tools generally up-to-date?

  3. How is data protected as it is in transit and at rest?
    How is my data stored at your organization? Is it stored locally? Is it encrypted? Backed up at all? Is it stored in the cloud? Are unique, strong passwords in use?

  4. Are all employees and contractors required to complete security training courses?
    I like this question as is. It is a fair question to ask.

  5. How do you perform third-party due diligence with vendors and contractors?
    I also like this question as is. It shines a light on how they perform their due diligence, and can also possibly help to expand your efforts as well.

  6. Is there a risk management and disaster recovery program in place?
    Also, have you ever tested your Disaster Recovery program out?

Let me know in the comments if you have other items you would add to the above list!

<fin>

#StayVigilant
#StaySafe
#LookOutForEachOther

#SecureSteve