Policy, Compliance

When compliance and outsourcing collide

September 26, 2006

As of late 2004, a staggering 75 percent of U.S. companies outsourced some or all of their IT activities. That percentage has continued to grow. At the same time, the number and complexity of compliance dictates, like Sarbanes-Oxley Section 404, force companies to focus increased time, effort and money on IT control and governance. It is therefore no surprise that IT outsourcers, with their foundational role as the IT service providers, are beginning to find themselves under the microscope.

In particular, outsourcers are increasingly being asked to "get in front" of the "Top 10" most commonly identified IT control deficiencies. Why? In simplest terms, while control has been transferred to the outsourcer, the client continues to own the liability.

What are the common strategies a company deploys to assure that outsourcers are living up to expectations and getting ahead of the Top 10?

Strategies fall into two basic categories, pre-vendor selection and post-vendor selection. Here are some of the industry best practices within each:

Pre-Vendor Selection:

1. Include information security metrics as part of the vendor selection process. Specifically, evaluate whether vendors could meet internal corporate policy and legal requirements at minimum.

2. Assess the reputation of the vendor. This includes positive references and negative references.

3. Perform site evaluations and/or (preferably and) an independent audit.

4. Assure that the vendor has a documented incident response and disclosure policy for security and privacy, which forms the backbone of a security SLA.

5. Include contract language that defines the outsourcer's responsibility for ensuring and reporting that it is in compliance with corporate mandates.

Post-Vendor Selection:

1. Perform iterative site evaluations and/or (preferably and) an independent audit.

2. Monitor and report against security SLA performance on pre-defined intervals.

Did you pay for that Slurpee?

It is this last strategy, monitoring and compliance reporting against the security SLA, that is quickly becoming both the buyer's and the provider's preferred security control.

New log management, monitoring and compliance reporting technology allows organizations to assure that the online behavior of outsourcers is consistent with the behavior you expect.

How does it work? Within a networked environment, people's behaviors are being "taped" within log files. Increasingly, owners of the security, risk, audit and compliance functions are turning to these logs in order to investigate abnormal activities, or simply to test whether the organization is in compliance with legislative dictates (like SOX and HIPAA).

Unfortunately, until now, this has been a difficult, unreliable and expensive undertaking. Each of these log files is written in a different format, requiring a subject matter expert with special tools to decipher the output, and generates such a huge volume of data that it is impossible for any company to do anything other than sample the data it collects.

Monitoring and compliance reporting solutions make it possible for organizations to translate this chaos into what is akin to a video tape - a complete picture of "who is doing what, when" - continuously monitored for suspicious or illegal activity. If your policy is violated, you are alerted and presented with a variety of reports and reporting options along the way. Effectively, the solution acts as a security guard would, monitoring your business and alerting you when your inventory of information or technology assets is at risk, when your employees or customers are acting inappropriately, or when your processes have failed. The end result is decreased cost, higher reliability, sustainable compliance and, more importantly, confidence that your brand is safe.


The Top 10 Most Common IT Control Deficiencies

Improper Change Management

1. Lack of a formal, documented change procedure.

2. Inadequate oversight of changes and review of change logs.

Insufficient Segregation of Duties

3. Insufficient separation of requestor, approver, implementer (financial systems, particularly relevant to SOX).

4. Insufficient separation of developers and system operators.

Excessive Access to Systems/Databases by Privileged Users

5. Developer/programmer access to production environment/data.

6. Unrestricted and/or unmonitored DBA access.

7. Unrestricted and/or unmonitored System Administrator access.

Lack of Access Policies and Controls

8. Failure to manage and monitor account creation, deletion and privilege escalation (with a particular emphasis on the creation of root/privileged accounts).

9. Failure to manage and monitor access changes driven by changes in responsibility or in the organization.

Failure to Implement General Monitoring

10. Failure to collect and review security logs associated with business critical data, systems and applications.
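To illustrate the "who is doing what, when" monitoring described above against two of the Top 10 items (5, developer access to production, and 8, creation of privileged accounts), here is an added example; it is not code from the article or from Consul. It normalizes two constructed log formats (a syslog-style useradd record and a comma-separated database audit record) into common event records and raises an alert when a policy rule is violated; the log lines, hostnames, account names and the DEVELOPER_ACCOUNTS set are all constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample lines in two different formats, as the article describes.
SAMPLE_LOGS = [
    "2006-09-26T02:14:07 prod-db01 useradd[4411]: new user: name=svc_batch, UID=0, GID=0, home=/root",
    "2006-09-26T09:03:55,prod-db01,oracle-audit,jdoe,SELECT,FIN.GL_JOURNAL,prod",
    "2006-09-26T09:05:12,dev-db02,oracle-audit,jdoe,SELECT,FIN.GL_JOURNAL,dev",
    "2006-09-26T11:40:00 prod-app03 useradd[5120]: new user: name=asmith, UID=1042, GID=100, home=/home/asmith",
]

# Accounts the identity system marks as developers. In practice this comes from an
# HR or directory feed; here it is a constructed, hypothetical set.
DEVELOPER_ACCOUNTS = {"jdoe"}

USERADD_RE = re.compile(
    r"^(?P<when>\S+) (?P<host>\S+) useradd\[\d+\]: new user: name=(?P<who>[^,]+), UID=(?P<uid>\d+)"
)

def normalize(line):
    """Translate one raw line into a common 'who did what, when, where' record."""
    m = USERADD_RE.match(line)
    if m:
        return {"when": datetime.fromisoformat(m["when"]), "host": m["host"],
                "who": "system", "what": "create_account", "target": m["who"],
                "env": "prod" if m["host"].startswith("prod-") else "dev",
                "uid": int(m["uid"])}
    parts = line.split(",")
    if len(parts) == 7 and parts[2] == "oracle-audit":
        when, host, _, who, action, obj, env = parts
        return {"when": datetime.fromisoformat(when), "host": host, "who": who,
                "what": action.lower(), "target": obj, "env": env, "uid": None}
    return None  # unknown format: surface it rather than silently sampling

def check_policy(event):
    """Return the Top 10 deficiencies (by number) that an event violates."""
    findings = []
    if event["what"] == "create_account" and event["uid"] == 0:
        findings.append("8: privileged (root) account created")
    if event["env"] == "prod" and event["who"] in DEVELOPER_ACCOUNTS:
        findings.append("5: developer access to production data")
    return findings

def monitor(lines):
    """Run every line through normalization and policy; return the alerts raised."""
    alerts = []
    for line in lines:
        ev = normalize(line)
        if ev is None:
            alerts.append(("unparsed", line))  # a gap in coverage is itself a finding
            continue
        for finding in check_policy(ev):
            alerts.append((finding, ev["target"], ev["host"]))
    return alerts
```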

-Kristin Lovejoy is CTO and vice president of technology and services at Consul risk management.
