Security matters

If you’re reading this close to its publication date, security breaches and vulnerabilities are everywhere in the news. From Heartbleed to the massive Target credit card breach, digital security has never been more important to the average person.

Nancy, our CEO, recently wrote about how you must take responsibility for protection of your personal data, but what about data in the workplace? Choosing the partners you entrust with your company’s and your customers’ data is vitally important nowadays.

When to talk about security

In short—right away. Assessing a prospective partner or vendor’s security posture is critical to determining the long-term risk in working with them. Therefore, due diligence on a company’s security practicies is necessary upfront, before engaging a new partner.

But how do you know that a partner takes security seriously (and walks the walk)?

Basics

There are a few basic questions that any technology partner should be able to answer without “getting back to you about that.”

  1. Who is responsible for information security at your company?
    A ready answer here means a company has formally assigned this responsibility to an accountable individual, a crucial first step in ensuring a consistent security practice. Do not accept “everyone at our company is responsible” as an answer.
  2. Do you have an information security policy?
    A “yes” here means that a company values writing down rules for fostering and maintaining secure business practices, a very good sign. Ask to see the policy if you like, but know that many companies restrict sharing of internal policies and procedures without an NDA.
  3. When was the last time you received security training?
    Most policy frameworks recommend a minimum of annual security training. A lack of regular training may mean security policies exist, but are not known or followed.

Operations

How a company performs its daily operations has a huge impact on their overall security. These items will help you understand how securely a company operates day-to-day, not just at their datacenter:

  1. How do you dispose of paper documents? Computers?
    Look for on-site shredding or secure document storage containers for a shredding service. Dealing with paper (even in the digital age) is important, since an attacker can learn lots of information to prepare an attack from discarded documents—sensitive or not. For hardware, the best practice is to physically destroy any media capable of containing sensitive data so that it is rendered unreadable.
  2. How should I send you sensitive information?
    The wrong answer is “e-mail just me” because e-mail is not a secure channel. Better answers include:
    • We use a commercial e-mail encryption product (e.g. Voltage, Postini, etc.)
    • We have a secure file sharing portal; I can call you with a username and password
    • We can use S/MIME or GPG—do you have a public key?
    • I can encrypt the file and share the key with you in person or on the phone.
  3. Do you have an incident response plan?
    Companies with a good security practice will have a documented plan for handling security incidents, including communication with necessary authorities. The plan should be tested at least annually. This is important to ensure a consistent, no-panic response in the event of a true security incident.

Apps

Using a company’s app requires trust; you are giving them some information and expect them to treat it appropriately. Here are some ideas for quickly assessing an app’s basic security (beyond looking for the ‘lock’ icon for SSL in your browser):

  1. Can you set up an account for me to try?
    Wait to see how you receive your login credentials. Was it secure? The best companies will ask for your e-mail address, set up an account, and e-mail or otherwise share a one-time password that forces you to choose a new password on first login. It’s also acceptable to receive a one-time password over the phone or in person.
  2. Help! I’ve forgotten my password.
    Try to recover access to your account via their forgot password feature or similar. What happens? Run away from the app if it e-mails you back your original password—that means their employees can read it, too. Better apps will e-mail you a password reset link that expires, or force you to go through other identity proof measures.
  3. How does your app save passwords and other sensitive data?
    The biggest risk of sharing data with an app is typically your exposure to a breach. Breaches happen when apps are compromised and hackers make off with poorly protected data like e-mails, telephone numbers, passwords, or worse.

    Specifically, look for:

    • Server-side encryption of sensitive data while at rest and in transit
    • Strong password requirements (length, complexity)
    • Passwords are hashed with unique salts and bcrypt (not SHA-1 or MD5, and not just “encrypted”)

Compliance frameworks

There are many formal, international standards and industry standards available for companies to align their security practices against. Asking about these standards is a good way to gauge if a partner has awareness of security best practices, even if they don’t meet a given standard. A competent partner should know what all of these are:

  1. Are you PCI-DSS compliant?
    PCI compliance is required for companies handling credit card information (termed “cardholder data” in the standard). Companies are required to either self-attest to their compliance or engage an external auditor to verify compliance depending on the volume and type of transactions they process. Insist on PCI-DSS compliance for any vendor that will receive credit card information.
  2. Do you have an information security management system in place?
    ISO 27001 is one such management system, related to ISO 9001. While not required, it means a company has put effort into aligning with international standards on how to implement security controls within their business. Companies can optionally certify against the ISO standard.
  3. Have you completed an independent audit?
    SAS 70 and SSAE 16 provide reports by independent auditors on the goals, implementation, presence, and effectiveness of controls in place within an organization. These rigorous, costly audits are a standard means of assessing a company’s posture of compliance beyond the scope of a PCI-DSS QSA’s (qualified security assessor) report. Ask to see the audit report if you can.

In-depth questions

For more in-depth questions to ask, I recommend the Cloud Security Alliance’s Consensus Assessments Initiative (CAI) questionnaire. It’s lengthy but comprehensive, covering a number of standards and compliance frameworks such as PCI and ISO 27001 with simple “Yes” or “No” control question answers.

You can send this questionnaire to a potential partner and solicit their responses. Even if there are many “No” answers (and there likely will be), you must decide if they matter to you and your business.

Image credit: Sharyn Morrow