Using trusted third parties for outsourcing IT functions often makes good business sense. That said, it’s important to ensure you engage with vendors safely and appropriately. After all, your business’ security responsibility extends beyond what you operate in-house.
Vendor Credibility is Key
Trusted vendors can be invaluable business partners. However, vendor vetting and due diligence are crucial components to establishing partner credibility. Opening your network to an unscreened, unrestricted third party is the equivalent of unlocking the castle gates during a siege. Therefore, your organization must have a thorough vendor vetting process to ensure you are working with partners who share your security consciousness.
Any credible vendor will welcome the chance to earn your trust by responding to security vetting inquiries. Your security questions should address:
- Frequency of security reviews
- Security testing methodologies
- Encryption and access controls
- Stored and shared data security
In addition to vetting processes, your organization also needs to have well-established security controls and vendor rules of engagement. Below we share 6 tips for successful, safe outsourcing.
1. Manage Engagement and Expectations
Before a business even considers outsourcing an IT function, be it Voice Over IP phone systems, desktop management, or server maintenance, it must have vendor policies in place.
These policies should include clear guidelines about how third-party vendors will access your systems, including:
- Types of accounts the vendors are to be provided
- If offshore or “near shore” resources are allowed corporate systems access
- If that access is direct or through screen shares with US-based resources
It is essential to have your organization’s vendor access policies in place and approved before you begin working with third parties. If guidance is properly communicated at the outset, that paves the way for a smoother, safer partnership down the road.
2. Require Security Training and Document it
Vendors’ employees who are going to access corporate systems should take the same security training that internal staff receives. This helps communicate that third-party employees are held to the same set of expectations as internal employees. Recommended topics include strong password development, how to detect and thwart social engineering, physical security, and other similar topics. Training modules should feature tests to help ensure information is retained.
Additionally, be sure your compliance officer or equivalent obtains proof that vendor employees completed and passed training. This will be required in the event of an audit.
3. Take a Hard Line on System Hardening
Your system hardening guidelines need to require that ALL systems have antivirus installed on them. This may cause heartburn with some vendors, such as MacBook Pro users. They may feel that there are a limited number of viruses that impact their operating system and therefore they do not need to have antivirus software installed. Regardless, it’s best if you require it. You may ruffle some feathers, but it’s better to weed out viruses now than to clean up the mess after malware has infected networks or computing platforms.
4. Consider SOC2 Compliance
SOC2 is an audit procedure designed to help ensure service providers practice secure data management. It is based on five principles: Privacy, security, confidentiality, availability, and processing integrity. SOC2 requirements are adjusted to stay in line with specific business practices and are a bit less rigid than PCI DSS.
It should be noted that audit reports such as those from SOC2 are snapshots in time for an organization. They are important to consider but do not represent the whole picture when it comes to evaluating vendors.
5. Provide VPN Functionality & Logging
This is where the rubber starts to meet the road, so to speak. You’ve vetted and trained the vendors and now you’re going to provide them actual access to your network. You’ll want to provide each vendor with a separate VPN account for logging purposes. This ensures you know who was logging into your network and why. It’s also a good idea to keep a record via email of when people say they are going to log in. That way you can cross-check the information to make sure they are doing what they say they are doing.
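The cross-check described above, as an added Python example that is not part of the original article: per-vendor VPN accounts are reconciled against the access windows each vendor announced by email, flagging logins outside any announced window and logins from accounts that are not mapped to a vendor. The account names, announced windows and VPN log lines are all constructed sample data, and the log line format is an assumption.

```python
from datetime import datetime

# Constructed: one VPN account per vendor, as recommended in tip 5.
VENDOR_ACCOUNTS = {
    "vpn-acme-voip": "Acme VoIP Services",
    "vpn-deskco": "DeskCo Desktop Management",
}

# Constructed: access windows announced by email as (account, start, end), UTC.
ANNOUNCED_WINDOWS = [
    ("vpn-acme-voip", "2024-03-04 09:00", "2024-03-04 12:00"),
    ("vpn-deskco", "2024-03-04 22:00", "2024-03-05 02:00"),
]

# Constructed VPN log; assumed format: "<date> <time> LOGIN <account> <source-ip>".
VPN_LOG = """\
2024-03-04 09:12 LOGIN vpn-acme-voip 203.0.113.10
2024-03-04 15:47 LOGIN vpn-acme-voip 203.0.113.10
2024-03-04 23:05 LOGIN vpn-deskco 198.51.100.7
2024-03-04 23:40 LOGIN vpn-shared 198.51.100.9
"""

FMT = "%Y-%m-%d %H:%M"


def parse_log(text):
    """Yield (timestamp, account, source_ip) for each LOGIN line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[2] == "LOGIN":
            yield datetime.strptime(f"{parts[0]} {parts[1]}", FMT), parts[3], parts[4]


def reconcile(log_text, windows, accounts):
    """Return (time, account, ip, reason) for each login needing vendor follow-up."""
    parsed = [(a, datetime.strptime(s, FMT), datetime.strptime(e, FMT)) for a, s, e in windows]
    findings = []
    for ts, account, ip in parse_log(log_text):
        # An account nobody owns defeats per-vendor accountability; flag it first.
        if account not in accounts:
            findings.append((ts.strftime(FMT), account, ip, "unknown account"))
            continue
        # A login the vendor did not announce by email is the mismatch to chase.
        if not any(a == account and s <= ts <= e for a, s, e in parsed):
            findings.append((ts.strftime(FMT), account, ip, "outside announced window"))
    return findings


if __name__ == "__main__":
    for finding in reconcile(VPN_LOG, ANNOUNCED_WINDOWS, VENDOR_ACCOUNTS):
        print(*finding)
```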
6. Verify with Two-Factor Authentication
Two-factor authentication provides another level of authentication for your VPN and verifies that the person logging in is who they say they are. This also helps ensure that they are not sharing accounts with other vendor employees since the second factor of authentication is usually a token or the vendor employee’s phone. This level of accountability often deters sharing and is a best practice security control for internal employees as well as vendor employees.
Giving vendors remote access to your network can be scary, but done properly it can be a way for you to get your staff the help they need to respond to workload demands. Taking the right steps to protect your networks will go a long way and allow you to use remote vendors in a safe and secure fashion.