
07.19.07
Do You Trust Your Vendor?
By Dan Morrill
One of the things I get to do in my new job with VMC is find out what people's pain points are. As I was doing research yesterday on vendors, on what has traditionally been outsourced, and on who has written authoritatively on it, some interesting trends showed up in the list.
Traditionally companies have outsourced:
Log monitoring and Tier 1 SOC/NOC operations
Software implementation and programming
Systems integration and design
If we look at the trust involved in each of these, the idea of "partner" comes to mind. If you are going to outsource the traditional items, then what you are really doing is hiring a partner, someone who is responsible for parts of the business, and each group, vendor and business, needs to agree on SLAs, management, notification, and above all, trust.
Would you trust your vendor not to cover up a mistake? And would the vendor trust the company not to go full drama queen and spin out of control if a mistake is made? Realistically, mistakes are going to happen; how mature the relationship is on each side of the partnership will determine just how badly everything spins out of control. We also need to ask how bad the mistake was: was it small, with no damage, or did it expose the entire DMZ while there were known vulnerabilities in that network segment?
The contract can specify fines, penalties, and actions needed on both sides of the vendor/company relationship, as well as damage control when needed. The real issues are on the vendor side: how much can I trust the company to let me know what is going on, for example a new system coming online, or a change to the IDS signatures that is going to look like a mushroom cloud of evil when implemented?
On one network, a Windows network, someone in the company had enabled every single rule on all the IDS systems. The poor monitoring folks thought the whole network was going to come down around them and escalated up to the CIO, waking them up at 2 AM thinking the network was under a major attack, when all it really was was a new IDS rules person who had enabled every single rule in the IDS system without really understanding what those rules did.
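The anecdote above is a failure of notification, not of detection: a rule-set change that nobody told the monitoring team about looked like an attack. The following is an added example, not code from the author or from any IDS product, of the triage check a Tier 1 analyst could run before paging anyone. It assumes (as a heuristic, not a fact from the article) that a rule-set change shows up as a sudden jump in the number of distinct signatures firing across many destination hosts, while an attack usually trips a narrow set of signatures against a few targets, and it cross-checks the burst against the change notifications the company actually sent. All signature IDs, addresses, timestamps and thresholds are constructed for the example.

```python
"""Triage helper for an IDS alert storm: rule-set change or attack?

Added example, not the article author's code. The heuristic assumed here is
that enabling every rule produces a burst of many never-seen-before
signatures spread across many destinations, whereas an attack fires a
narrow set of signatures at a few hosts. An announced change is expected
noise; an unannounced one is a phone call before anyone wakes the CIO.
"""
from datetime import datetime, timedelta


def make_alerts(start, n, sig_ids, dsts, srcs, step_seconds=10):
    """Build n constructed alert records, cycling over the given signatures and hosts."""
    return [
        {
            "ts": start + timedelta(seconds=i * step_seconds),
            "sig": sig_ids[i % len(sig_ids)],
            "src": srcs[i % len(srcs)],
            "dst": dsts[i % len(dsts)],
        }
        for i in range(n)
    ]


# Constructed sample windows (hypothetical signature IDs, documentation-range addresses).
T0 = datetime(2007, 7, 18, 2, 0)  # the 2 AM page from the anecdote; date assumed
BASELINE = make_alerts(
    T0 - timedelta(hours=1), 12,
    sig_ids=[1000001, 1000002, 1000003],
    dsts=["10.0.1.5", "10.0.1.6", "10.0.1.7"],
    srcs=["192.0.2.10", "192.0.2.11"],
)
# Every rule turned on: 40 signatures never seen before, firing against 20 internal hosts.
RULE_STORM = make_alerts(
    T0, 200,
    sig_ids=list(range(2000000, 2000040)),
    dsts=[f"10.0.1.{i}" for i in range(1, 21)],
    srcs=[f"198.51.100.{i}" for i in range(1, 16)],
)
# Attack-shaped window: one source hammering two hosts with a handful of signatures.
FOCUSED_ATTACK = make_alerts(
    T0, 120,
    sig_ids=[1000001, 1000004, 1000005, 1000006],
    dsts=["10.0.1.5", "10.0.1.6"],
    srcs=["203.0.113.9"],
)
# A change notification the company sent the vendor three hours earlier (constructed).
ANNOUNCED_CHANGE = [(T0 - timedelta(hours=3), "enabled full IDS rule set on all sensors")]


def summarize_window(alerts):
    """Return (alert count, distinct signatures, distinct destinations) for a window."""
    return (
        len(alerts),
        len({a["sig"] for a in alerts}),
        len({a["dst"] for a in alerts}),
    )


def classify_window(baseline, current, change_notices,
                    min_alerts=50, sig_ratio=5.0, dst_ratio=2.0,
                    notice_window=timedelta(hours=24)):
    """Label the current window relative to a quiet baseline window.

    Thresholds are assumptions chosen for the sample data: a window counts as
    a broad storm when it fires at least sig_ratio times the baseline's
    distinct signatures AND dst_ratio times its distinct destinations.
    """
    _, base_sigs, base_dsts = summarize_window(baseline)
    count, sigs, dsts = summarize_window(current)
    if count < min_alerts:
        return "normal"
    window_start = min(a["ts"] for a in current)
    # Was a change announced in the notice_window before this burst began?
    announced = any(
        window_start - notice_window <= sent <= window_start
        for sent, _ in change_notices
    )
    broad = (sigs >= sig_ratio * max(base_sigs, 1)
             and dsts >= dst_ratio * max(base_dsts, 1))
    if broad and announced:
        return "expected: announced rule-set change"
    if broad:
        return "verify: looks like an unannounced rule-set change, call the company first"
    # A narrow pattern is not explained by a rule change even if one was announced.
    return "escalate: narrow alert pattern consistent with an attack"


if __name__ == "__main__":
    for name, window, notices in [
        ("rule storm, announced", RULE_STORM, ANNOUNCED_CHANGE),
        ("rule storm, unannounced", RULE_STORM, []),
        ("focused attack", FOCUSED_ATTACK, ANNOUNCED_CHANGE),
    ]:
        print(f"{name}: {classify_window(BASELINE, window, notices)}")
```

The point of the third case is that an announced change never downgrades a narrow, attack-shaped burst; the notification only explains broad noise. In practice the change-notice list is whatever channel the contract establishes (ticket, e-mail, phone log), and the thresholds would be tuned against the sensor's own history rather than the constructed baseline used here.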
On the flip side, a contractor was found not to be escalating important data to the client, only for the client to end up splashed across the newspapers for a major data breach that had actually been watched by the outsource company, with triggers going back weeks that something evil was happening on the network.
While most of this can be covered via contract, and some by common sense (if in doubt, call), the other common issue was escalation: who to call, and then who to call if the first person was not available? This is something the vendor and company need to work out up front. As well, have either a person on site, or available to be on site, to verify what is happening. The escalation path should be Vendor Tier 1, Vendor Tier 2, Company Tier 1 (notification), Vendor Tier 3, Company Tier 2, Company Tier 3, then triage. Nevertheless, few think about how the process should happen (and even the one above might not work in all situations; some companies want to be notified of everything, even if it means false positives).
Overall, the trust that needs to exist between the vendor and the company has to be built and established over time. As well, that trust needs to be extended to everyone who is on both sides of the outsourcing fence. People come and go, and everyone has to be given the benefit of the doubt when dealing with new people on the job.
The question "how much do you trust your vendor" should apply equally to "how much do you trust your partners", and that relationship should be firmly developed from the start. It might sound very dull to set up escalation paths, contact lists, plans, procedures, backups, disaster recovery, and a whole host of other items from the onset, but having the outsource contract firmly spelled out, with measurable metrics to see whether everyone is getting what they want, is really important. This kind of detail is what will help establish trust from the start, and answer the question "how much do we trust each other".
About the Author:
Dan Morrill has been in the information security field for 18 years, both civilian and military, and is currently working on his Doctor of Management. Dan shares his insights on the important security issues of today through his blog, Managing Intellectual Property & IT Security, and is an active participant in the ITtoolbox blogging community.