It's often said that you are only as secure as your weakest link. In most cases this weak link is described as your end users, but in many cases an often-forgotten weak link is your supply chain. Third-party vendors and providers must be reviewed as part of your security management strategy.
A good example is one of the first lessons a web application penetration tester (or a malicious hacker) learns: identify how many websites are hosted on the same server as the target. With that list, they can go through each site to find the one with the weakest security and use it to attempt to gain access to the shared hosting server.
The same applies to other third parties who may have a VPN tunnel established with your corporate network: without adequate consideration and controls in place to manage this access, any compromise of your third party's network also compromises your network. Similarly, any of your third party's staff could, without appropriate controls in place, damage your organisation.
The solution is to never assume security when dealing with third parties. Where possible, several steps should be taken:
- Security requirements should be detailed in contracts and compliance monitored.
- Access to the organisation's network should be managed, segmented and monitored to ensure only authorized actions are taking place.
- Only reputable third parties should be contracted.
- At a minimum, all internal security policies, processes, guidelines and standards should be applied to all third parties.
What does ISO27001 say?
Security category – 15.1. Information security in supplier relationships
15.1.1. Information security policy for supplier relationships.
Rules should be in place that govern what a vendor can access and how they should access it, as well as specifying other security requirements: the security a vendor must maintain on their own network, how incidents should be reported, and any other requirements your organization deems necessary, depending on the value of what the vendor will have access to. Having a policy outlining what is expected helps guide us when we are considering vendor relationships.
15.1.2. Addressing security within supplier agreements.
The rules we set out in our Information Security Policy for Supplier Agreements should be included in all contracts with vendors and they should commit to upholding these requirements. Periodic auditing can be considered to ensure compliance.
15.1.3. Information and communication technology supply chain.
It stands to reason that if access is allowed between your network and your vendor's network, then any party with access to your vendor's network potentially has access to your organization, including your vendor's own suppliers. There should be policies in place to ensure access between you and your vendor is restricted, and controls to protect against unauthorized access. Ensuring your organization and your vendor keep an audit and log trail to track access and requests provides accountability, and requiring your vendor to screen their suppliers can also reduce this risk.
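The bullet above about managed, segmented and monitored vendor access, and the 15.1.3 point that a vendor's own suppliers inherit whatever access the vendor has, both come down to the same check: does each connection a third party makes match the access that was actually agreed? The following is an added example, not code from the original post, showing how a defender might encode a per-vendor access policy and run it over VPN log lines. The vendor name, the IP ranges, the log format and the log lines are all constructed for illustration; a real deployment would read the policy from the supplier register and the lines from the VPN concentrator's logs.

```python
"""Added example: checking third-party VPN access against a per-vendor policy.

Not part of the original post. The vendor names, networks, log format and
log lines below are constructed for illustration only.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class VendorPolicy:
    """What one vendor has been contractually allowed to reach."""
    name: str
    source_networks: list      # ranges the vendor registered with us
    allowed_destinations: dict # internal CIDR -> set of permitted ports


# Hypothetical policy: the vendor's registered range may reach only the
# 10.50.0.0/24 support segment on HTTPS ports. Anything else is denied.
POLICIES = {
    "acme-support": VendorPolicy(
        name="acme-support",
        source_networks=[ipaddress.ip_network("203.0.113.0/24")],
        allowed_destinations={ipaddress.ip_network("10.50.0.0/24"): {443, 8443}},
    ),
}

# Constructed log format; real concentrators differ, only the parser changes.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) vpn user=(?P<user>\S+) vendor=(?P<vendor>\S+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


@dataclass
class Finding:
    line_no: int
    vendor: str
    reason: str


def evaluate(log_lines):
    """Return one Finding per log line that falls outside the agreed access."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_RE.match(line)
        if not m:
            findings.append(Finding(n, "?", "unparseable log line"))
            continue
        vendor = m["vendor"]
        policy = POLICIES.get(vendor)
        if policy is None:
            # A party we have no agreement with should never hold VPN access.
            findings.append(Finding(n, vendor, "no policy on file for vendor"))
            continue
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        dport = int(m["dport"])
        # Source check: a vendor's sub-supplier connecting from its own range
        # is exactly the inherited access 15.1.3 warns about.
        if not any(src in net for net in policy.source_networks):
            findings.append(Finding(n, vendor, f"source {src} not a registered vendor range"))
            continue
        # Destination check: only the agreed segment and ports are permitted.
        permitted = any(dst in net and dport in ports
                        for net, ports in policy.allowed_destinations.items())
        if not permitted:
            findings.append(Finding(n, vendor, f"{dst}:{dport} outside permitted segment"))
    return findings


# Constructed sample: one compliant line, then three different violations.
SAMPLE_LOG = [
    "2024-05-01T09:12:03Z vpn user=jdoe vendor=acme-support src=203.0.113.10 dst=10.50.0.21 dport=443",
    "2024-05-01T09:14:40Z vpn user=jdoe vendor=acme-support src=203.0.113.10 dst=10.10.0.5 dport=3389",
    "2024-05-01T10:02:11Z vpn user=contractor1 vendor=acme-support src=198.51.100.7 dst=10.50.0.21 dport=443",
    "2024-05-01T11:30:57Z vpn user=bob vendor=unknown-co src=192.0.2.9 dst=10.50.0.21 dport=443",
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_LOG):
        print(f"line {f.line_no} [{f.vendor}]: {f.reason}")
```

Run as-is, the script flags lines 2, 3 and 4: an attempt to reach an internal segment the contract never covered, a connection from a range the vendor never registered (the pattern a vendor's sub-supplier would produce), and a party with no policy on file. Line 1 produces no finding. The useful design point is that the policy is an explicit allowlist tied to the contract, so the review in 15.2.1 can compare what the vendor actually did against what was agreed rather than against whatever the firewall happened to permit.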
Security category – 15.2. Supplier service delivery management
15.2.1. Monitoring and review of supplier services.
This will provide us with confidence that our suppliers are adhering to the security requirements of their contract. Reviewing the audit trail of a vendor, conducting vulnerability assessments on their network and engaging in regular meetings to ensure the vendor understands their obligations can all prove helpful.
15.2.2. Managing changes to supplier services.
Vendors should not be able to make ad hoc changes to their service; this includes patching, upgrades and improvements. Any change should be managed to limit disruption and to ensure service continuity if problems occur. This also gives us a chance to review our security posture and introduce new controls as required, so that the changes do not weaken our security position.