Smartphone Security Controls for Enterprise

Enterprises need to define their minimum and recommended level of security controls to support minimal and standard levels of access. A minimum baseline is a powerful position by which all smartphones can be assessed for their suitability for use in the company. Do you recognize the essential relationship between device configuration and device security? It’s not possible to keep a device secure if there is no management framework to set and audit compliance parameters.

Consider the following suggestions when developing or reviewing a smartphone security. A typical list may include

  • Synchronization controls:Allows or disallows synchronization over the air (OTA) or via a local workstation.
  • Roaming controls:Prevents or allows the use of roaming voice and data networks to control expenses.
  • Usage limitations of local and peripheral networks (such as Wi-Fi, Bluetooth, IrDA and USB):Limits usage of and exposure through direct device connections.
  • Limit accepted devices by hardware certification:Requires a means of identifying the device to control access to company e-mail and company Wi-Fi access points.
  • Enhanced password controls:Requires the use of a local power-on password with minimum length and complexity requirements.
  • Lock device after password retry limit:Foils brute-force login attacks.
  • Lock device after inactivity timeout:Reduces possibility of device context exposure.
  • Data encryption:Requires encryption in core memory and, ideally, on removable media.
  • Remote lock and or wipe: Remotely disables and/or eliminates access for a device that has been lost, stolen or otherwise compromised.

A more comprehensive controls may may include:-

  • Require user to periodically reauthenticate, even if the phone is in continuous use.
  • Limit use of the phone camera. Conditional usage may require central authorization, a password, or registration within or outside a designated wireless network.
  • Change phone behavior, including remote lock and wipe thresholds, if the SIM card is removed or the phone’s network connections are shut down.
  • Allow or deny applications completely (blacklisting and whitelisting).
  • Limit application access to the radio, system data and sensitive application programming interface. This status could be made modifiable through blacklisting and whitelisting.
  • Add or change options for using applications on the phone while it is in a locked state.
  • Introduce additional authentication methods.

Ways of Conducting Risk Assessment

There are many ways to conduct a risk assessment. For example, companies may conduct interviews or surveys of key personnel, review key documents, conduct facilitated workshops, perform targeted reviews, or utilize any combination of these options. The following table discusses options to conduct an effective risk assessment.

Interviews Online Surveys Paper Surveys Document Review Facilitated Workshops Targeted Reviews
Description Individual stakeholder interviews to identify potential events and prioritize associated risk Online survey consisting of either a checklist of events or risks OR an open-ended request Hard copy survey consisting of either a checklist of events or risks OR an open-ended request Review of existing public documents, regulatory reviews, audit reports, special purpose studies and other materials An in-person or online workshop attended by key stakeholders Special studies or targeted analyses to evaluate questions about specific events or anticipated concerns
Advantages Interaction provides opportunity to:

“Set the stage”

Ask the appropriate follow-up questions

Probe/ understand underlying root causes

Clarify questions, if necessary

Cover sensitive topics more thoroughly

More insight and depth regarding potential future events

Can be accessed by participants without the limitations of time or geography

Can support the process with links to risk definitions and additional resources

Can be delivered efficiently at low cost (relative to interviews)

Can be administered to large groups of people

Self-documenting and reporting

Efficient, easy to administer to large numbers and geographies

Standardized scales can lead to common aggregation

Can track status

Can be completed by participant without limitations of time or geography

Can be delivered efficiently at low cost although not as cost-effective as online

Can be administered to large numbers of people

Standardized scales can lead to common aggregation

Comprehensive in scope


May provide basis for quantifying risk

Less time required of stakeholders during fact gathering process

Not limited to internal documents

Interaction among knowledgeable participants creates a broad picture of potential events and related business impact

Interaction stimulates discovery of previously unidentified risk areas, which can remain undetected in other formats

Structure provides for efficient use of time

Collaboration builds consensus around priority risks and their impacts

Similar to interviews, interaction provides opportunity to:

“Set the stage”

Ask the appropriate follow-up questions

Probe/ understand underlying root causes

Clarify questions, if necessary

Cover sensitive topics more thoroughly

More insight and depth regarding potential future events

Same advantages noted for document reviews

Conducted by subject matter experts

Accommodates in-depth understanding of specific potential events and related business impacts

May be applied on a macro or micro basis

Can integrate external/ internal perspectives

Can provide recommended risk responses

Issues Time sensitive

Scheduling challenges

Logistics must be managed

Interviewer must subjectively aggregate data points

Individual interviews do not directly support consensus-building

Limited follow-up

Post-survey time is required to review and understand responses

Risk of misinterpreting responses

Depth of responses may be limited

Individual responses do not gain from the perspective of others

Same issues noted for online surveys

Not considered “best practice”

Greater elapsed time to send and receive

Compared to online surveys, more time and effort to:



-Monitor progress

-Compile results

Higher cost to review and analyze existing material

Often not forward-looking

May not reflect current business realities

If unfocused, can waste time and money

Effectiveness is dependent of facilitator and sufficient structure

Requires advance planning

Logistically challenging to arrange participant’s time and location

Can be time-consuming due to numbers of people and need to clarify event definitions

Expectations must be clearly set

Must be carefully scoped

Often requires more time than other options

Developing Security Awareness Program

The purpose of a security awareness program is to notify information system users about security policies, guidelines for acceptable use and business risks or technological hazards. This article discusses some components that should be included in a security awareness program including: policies, communication methods, and topics for ongoing communications with systems users.


• Develop written policies related to all aspects of security, and post to an employee handbook (hardcopy or intranet). Best security policies for end users include the “why” as well as the “what.”
• Include examples of the risks and the consequences to other users either in general, or specifically at your company. Policies must include consequences for serious or repeated violations.
• Ask users to read and understand the policies.
• Obtain written agreement that states that the users understand the policies and agree to abide by them. Without this framework, it is difficult to structure good communication to end users, and it is more difficult to achieve a high rate of compliance.

Communication methods

• Establish periodic communication with the end user community discussing the latest threats, how the organization is mitigating the risks, and what users can do to protect themselves and/or contribute to mitigating the risks. This can be accomplished by the following means:

 Briefings. Briefings should be concise and provide a clear outline of requirements. A combination of verbal and written security briefings are favored.
 Discussions. Discussions between small groups of users are recommended and encouraged.
 Newsletters and staff bulletins. These should include security articles, puzzles, competitions, quizzes, cartoons, and case histories. Competitions with prizes are useful in motivating users toward good security.
 Reminder notices. Notices placed on computer screens, electronic mail, and voice mail serve as useful reminders, but should be changed frequently to retain impact. Assorted security notices should be placed in the organization’s regular newsletter to promote information security.
 Posters. Eye-catching posters attract the attention of users to basic security matters, and should be rotated frequently to retain impact.
 Analysis of incidents. Analysis of incidents and risk assessments may be issued periodically. Where applicable, these matters should be brought to the attention of all users.

• Institute a “Management By Walking Around” policy. This is an effective way of alerting users that security is a high priority for management and that noncompliance has consequences. Desktop reviews should be performed on a continuous basis to look for workstation lockdown, passwords that are written down, and other security violations. A method of rewarding users who comply and for alerting those who don’t can be as simple as leaving a checklist of the security objectives, and how the user scored in complying with those objectives. This can be left-behind with some kind of nominal reward (chocolate, candy, soda, etc.)

• Designate a single point of contact to be used to report security violations to, and to answer security-related questions. This allows users to feel confident that if they discover a problem there is help and they know where to find it. A specific member of the Information Security team or Helpdesk is the logical choice for this role. Even if the designated team member only collects and escalates information, having a specific contact allows users to feel security needs are important enough to warrant a designated contact.

Topics for security policies and ongoing communication:

1. Password construction and management

The goal when choosing a password is to make it as difficult as possible for a cracker to make educated guesses about what has been chosen. This leaves him no alternative but a brute-force search, trying every possible combination of letters, numbers, and punctuation. A search of this sort, even conducted on a machine that could try one million passwords per second (most machines can try less than one hundred per second), would require on average over one hundred years to complete.

What Not to Use
• Don’t use your login name in any form (as-is, reversed, capitalized, doubled, etc.);
• Don’t use your first or last name in any form;
• Don’t use your spouse’s or child’s name;
• Don’t use other information easily obtained about you. This includes license plate numbers, telephone numbers, social security numbers, the brand of your automobile, the name of the street where you live etc.;
• Don’t use a password of all digits, or all the same letter. This significantly decreases the search time for a cracker;
• Don’t use a word contained in English or foreign language dictionaries, spelling lists, or other lists of words. If you type your password into a word processor and the spellchecker recognizes the word as a misspelling, it is a poor choice;
• Don’t use a password shorter than six characters.

What to Use
• Do use a password with mixed-case alphabetic characters;
• Do use a password with non-alphabetic characters, e.g., digits or punctuation;
• Do use a password that is easy to remember, so you don’t have to write it down;
• Do use a password that you can type quickly, without having to look at the keyboard. This makes it harder for someone to steal your password by watching over your shoulder.

Choose Secure and Easy to Remember Passwords
• Choose a line or two from a song or poem, and use the first letter of each word. For example, “Get your kicks on Route 66.” becomes “GykoR6;”
• Alternate between one consonant and one or two vowels, up to eight characters. This provides nonsense words that are usually pronounceable, and thus easily remembered. Examples include “houtey,” “guatdop,” and so on;
• Choose two short words and concatenate them together with a punctuation character between them. For example: “cat;dog,” “page+turn,” “holy!moly.”
Other considerations
• Change your password often, at least every 60 days;
• Do not share your password with other users;
• Do not give out your password to anyone;
• Do not write down your password on paper (esp. on a yellow sticky note!) or store it on a computer;
• Do not use the same password for your Network that you use as a password for another computer system, such as your ATM card PIN number or as your password to a Web site on the Internet;
• Do not let anyone see you type in your password. Stop typing if you notice someone watching you;
• Make sure your password is not being compromised whenever you type it in. Some people add extra flourishes of their fingers and hands to hide their movements over the keyboard for any observers.

Passwords should be routinely cracked by authorized personnel, and weak passwords should be changed immediately. These results, communicated to the user group, reinforce how important security is to the company’s management.

2. Internet Usage
• Acceptable use policy is paramount regarding user access to the Internet. Usage should be monitored to the extent possible and violators of the company policy should be disciplined or terminated;
• Avoid downloading and running programs over the Internet from people or places that you don’t know or trust. It is safest to avoid executing any software downloaded from Internet unless it can be cryptographically verified;
• Internet access should never be left available when you are not at your desk. This protects you from someone else using your connection inappropriately.

3. Telephone Fraud
• Always identify caller’s numbers or extensions, where possible, via caller ID technology;
• Never disclose confidential information to an unknown party, especially login names and passwords. Company policy should forbid even legitimate parties from making phone requests for these items or have a very rigid call back policy or other safeguards;
• Report any suspicious calls to the appropriate individual for tracking to determine if the company has become a target for a scam. This allows a warning to be issued to others who may be at risk.

4. E-mail usage
• Don’t leave e-mail access open when you leave your desk. This allows malicious individuals to read your mail or send inappropriate mail to someone else in your name.

5. Viruses
• Never disable antivirus software;
• Make sure the software is updated frequently;
• Do not install new programs without scanning them first, whether from a trusted source or not;
• Do not open unsolicited e-mail from unknown sources;
• Include latest virus alerts in communications to users.

6. Corporate workstation security
• Lock down workstations at all times either in a desk or cabinet or with a security cable;
• Do not leave laptops unsecured in hotel rooms or in the home;
• Never leave your lock key visible, in your top desk drawer or pencil holder. Keep your lock key on your person;
• Store your workstation in a locked credenza or drawer after hours and on weekends or take your laptop home with you – even if equipment is locked down it is still at risk when visible and unattended;
• Don’t check your laptop with luggage at the airport and stay with it when you go through airport security. Always keep your equipment in sight in airport terminals and hotel lobbies;
• Never leave equipment visible in your parked vehicle;
• If you need to place equipment in your automobile trunk for a short period of time, be sure you are not observed and that your vehicle doors are locked;
• Never leave equipment and diskettes exposed to extreme temperatures (below 50 or above 95 degrees);
• Never allow food or drink near any workstation hardware;
• Back up your data regularly to guard against permanent data loss. Delete any unused files and keep files not used frequently on the network, not your hard drive.

Physical Security Checklist for Information Systems

This document suggests controls for the physical security of information technology and systems related to information processing.

1. Introduction

Physical access to information processing and storage areas and their supporting infrastructure (e.g. communications, power, and environmental) must be controlled to prevent, detect, and minimize the effects of unintended access to these areas (e.g., unauthorized information access, or disruption of information processing itself). Access control is established by imposing standards for protection at the building, processing area, and supporting infrastructure areas. The level of control imposed on these areas will reflect the nature of the importance of the information handled or supported by the area to corporate operations. The effects of unwanted intrusion can be painful and costly. If managed properly, physical security policies and procedures can provide the protection that they are designed to give while providing the security that is necessary to keep the resources around it safe from outside threats as well as those from the inside. The purpose of this document is to present the physical security standards as they relate to their strategic use within an organization. Out of this one should be able to follow the information and guidelines to effectively audit the state of a given physical security policy.

2. Building Access Controls

The building access control standards implemented must be commensurate with the type of information processing and the confidentially of information acquired and distributed that is occurring at the physical location. Buildings containing a designated data center will necessarily employ stricter access controls than those that do not. There are also minimum physical access controls, which should be practiced to govern access to all buildings in an effort to protect information resources. The following standards specify the baseline controls for all buildings and additional standards appropriate for buildings that house a data center.

3. Data Center Physical Access

The information processed here is normally deemed critical to operations and is of a sensitive nature in terms of confidentiality issues. Correspondingly, access controls to the data center require a high level of personnel restriction and authentication to safeguard the information processed therein.

4. Supporting Infrastructure Physical Access Controls

Access to facilities that support information processing systems such as the telecommunications room, the emergency power source room (generators, batteries, etc.), the air conditioning unit room and closed areas where network hubs may be stored must be restricted to authorized individuals. Degradation of infrastructure services can jeopardize continuity of information processing and impact operations as a whole. As such, the physical access controls afforded these support systems should reflect the importance of the information processing systems they serve. In most cases, locked doors will suffice to safeguard these support systems. The IT Support Group will implement such physical access controls and will be reviewed and audited by the IT Controls Group and the Internal Audit department.

5. End User Portable Laptop Computers Physical Access

Due to the high risk of loss, laptop computers should be traceable to individual users, and sensitive information (to the extent possible) should not be stored on the unit’s permanent disk drive. Portable laptop computers containing sensitive information (non-disclosure) should be protected using a PC security/disk encryption package. All portable laptops must be physically secured via an appropriate security device during any period that the unit is left unattended in the office (normal business hours inclusive).

6. Local Area Networks

Local area networks (LANs) utilized by the business units to accomplish their functions should have the following physical access control standards applied:

• Network servers should be located in a data center which is in an area free from physical dangers (e.g., high traffic areas, water leaks, fire hazards, etc.).

• Access to the servers should be physically restricted to authorized personnel (network administrators) by locating them in a closed area (e.g., a locked office).

• Additionally, unauthorized system access via bypass booting of the server (to defeat password authentication) should be prevented. Software should be scanned for viruses on a separate machine before being loaded on a network server.

7. Employee Termination or Change in Job Responsibility

If an employee has a change in their job responsibility or is terminated for any reason, all of the following items in their possession which control physical access to information must be returned, when applicable. These items include:

Keys to safes and control panels
Keys to cupboard/filing cabinets
Keys to Entrances/doors
Telecommunications equipment
Diskette boxes
Personal Authentication Devices, Secure ID Cards, Random Password Generators
Credit Cards/Charge Cards
Parking Pass/Garage Space
Company files (hard and soft copies)
Amounts owed to the company

The Supervisor’s Termination Checklist should be used for each occurrence. If keys have not been returned, it may be necessary to replace locks that protect sensitive information. Combination locks should be changed at the discretion of management. It is the responsibility of the employees’ manager along with the Human Resources department to inform the IT Controls Group and other appropriate departments of an employee termination or change in employee job responsibility.

All copyright licensed and business confidential information held on magnetic media as information, programs, operating systems and utilities, must be returned, recorded, and checked.

8. Management of Computing Resources

IT Support and Data Center Groups are responsible for the movement of all types of information system media equipment, and special equipment such as file servers or other related equipment and devices that may reside in any facility or business unit area. The user must not relocate or remove any equipment without the expressed consent of IT Support and Data Center Group.

IT Support and Data Center Groups are responsible for all changes to the network configuration and attached workstations regardless of their physical location, function, application, or use of the network device. To ensure that all networking policies, standards, and procedures are being adhered to, monitoring software may be installed across all LANs and non-company LANs connected to the network.

9. Backup Power for Power Outage Situations

Mainframe and network computer systems and their supporting infrastructure (e.g., air conditioning systems and security alarm systems where applicable) must have a dependable, consistent electrical power supply that is free from surges and interference that could affect operation of the equipment. Backup power is necessary to ensure that computer services are in a constant state of readiness and to help avoid damage to equipment if normal power is lost. A backup Un-interruptible Power Supply (UPS System) must be utilized for the computer systems and supporting equipment. Where appropriate, generators and batteries should also be employed to ensure continuous operations. In areas susceptible to outages of more than 15 to 30 minutes, diesel generators are recommended. Backup power facilities must be regularly tested to ensure reliable functionality.

10. Emergency Power-off Switches

In data centers, emergency power off switches, that shut-off all power supplies, must be installed and be readily accessible with posted notices showing their location. Where justified, the use of these switches must be protected against unauthorized physical access. It is recommended that a power-off switch be located inside and outside of data center rooms.

11. Emergency Lighting

Automatic emergency lighting must be provided in data centers and network server closet areas for use during power outages.

12. Water Sensors and Temperature/Humidity Alarms

The computer environment must be protected from all forms of water, temperature and humidity damage. Locations with the potential for water damage must be avoided when selecting information-processing areas (e.g., locations below ground level, or those under toilets, showers, cafeterias, or similar facilities where water or drainage malfunctions could occur). In data center environments, sensors and alarms must be installed to monitor the environment surrounding the equipment to ensure that air, humidity and cooling water temperatures remain within the levels specified by equipment design. Water sensors must be placed in the floor and ceiling to ensure leakage detection. If proper conditions are not maintained, alarm systems must be configured to summon operations and maintenance personnel to correct the situation before a business interruption occurs.

13. Fire Detection and Suppression Controls

Measures must be taken to minimize the risks and effects of a fire occurring within the information processing areas, or from spreading into these areas from an adjoining location. The degree of automatic fire detection and suppression mechanisms deployed depends upon the criticality of the operation attributed to the information processing system. Data centers may have halon gas (or approved equivalent) systems or dry pipe sprinkler systems and heat sensors installed, while closed area network server rooms may only have smoke detectors and fire extinguishers. Regardless, fire detection and suppression mechanisms must be utilized in the information processing areas. Where possible, detection devices should notify appropriate personnel.

14. Site Construction Capabilities

Buildings that contain information processing area(s) must minimally conform to local and federal construction regulations especially with regard to natural physical security threats (e.g., fire, flood, earthquake, hurricane, etc.). Selection of new sites should consider the presence of such threats and avoid high-risk conditions where possible. Continual assessment of construction in the area of the facility should be conducted, especially in the case of digging. Many of these issues should be addressed in the company’s Business Continuity Plan.

15. Sign Posting

External signs notices or maps must not identify the information processing area or data center location.

16. Insurance
Insurance coverage should complement an effective system of physical security controls as a countermeasure against threat realization and impact on company operations. The following items should be considered in regards to associated asset values versus insurance cost to mitigate losses.

IS equipment and facilities
Employee fidelity
Media reconstruction
Extra expense
Business interruption
Errors and omissions
Loss of items in transit
Liability to customers resulting from EFT systems activities

Common Mistakes in Business Continuity Planning

With increasing reliance on electronic markets companies are becoming more and more concerned about business continuity planning (BCP). Yet, simply having a business continuity strategy is not enough.

Common mistakes are:

1. Reliance:

Relying on a BCP can lead to a false sense of security and potential business failure if the plan is not updated regularly and fully tested. In addition, recovery personnel must be trained on plan execution and employees must be aware of the plan’s provisions.

2. Scope:

Companies often limit the scope of their efforts to systems recovery. Business continuity planning requires consideration of both business process and systems recovery.

3. Prioritization:

A formal process prioritizing key business processes is a critical step that often does not get its due attention by senior management. Without prioritization, a plan may recover less-than-critical business processes rather than the ones crucial for survival.

4. Plan Update:

Formal mechanisms are not in place to force a plan update on a regular basis or when significant systems or business process change occurs.

5. Ownership:

Senior management often appoints the wrong person to manage the BCP process; someone with the power to lead, influence, support, prioritize and organize the project should be named.

6. Communications:

Communications issues are often overlooked. Formal plans to contact employees, vendors, business partners and clients often lack specific communications strategies. Strategies to address how these groups obtain recovery status updates is often inadequate.

7. Security:

Information systems security controls are often disregarded during plan development, resulting in a greater risk exposure during recovery operations.

8. Public Relations:

Practitioners often fail to plan for public relations and investor considerations, therefore missing the opportunity to limit perceived impact by the public and investors.

9. Insurance:

Many BCPs fail to adequately plan to support the filing of insurance claims resulting in delayed or reduced settlements.

10. Service Evaluation:

Many companies poorly evaluate recovery products (hot site, cold site and planning software), relying on vendor-supplied information. This often leads to a solution that may not adequately address a company’s needs.

Companies that avoid these ten common BCP pitfalls significantly increase their odds of a successful and timely resumption of business and information technology operations.

IT GRC and RM Tools

Check updated links for the IT-GRC vendors and some IT based risk management tool/software providers.
IT-GRC solution Providers:


Archer ( acquired Brabeion)

Trustwave GRC

Symantec (Control Compliance Suite)

Compliance Spectrum



eIQ Networks SecureVue


Relational Security – RSAM

Logicalis grace (acquired Iconium Assets)

Lumension (acquired Security-Works)

Oracle (formerly Logical Apps and Oracle GRC Manager)






Metric Stream



Paisley (now Thomson Reuters)



IDS Scheer Axentis



Cura Software



McAfee Risk and Compliance Manager (formerly McAfee Preventsys),

Greenlightcorp (SAP GRC)

Trintech -Financial GRC only

SAI global



Simeio Solutions GRCAXS (IT GRC module)

Compliance 360 ( eGRC )

Risk Management Tools


Casis (clearpriority)
Strategic Thought Active Risk Manager



Alion – Countermeasures (makers of Buddy System)

Siemens – CRAMM

Acuity Stream


GStool (mainly German) Sigea GxSGSI (this site is in Spanish only)



Risicare (French)






PTA Risk Assessment Tools and Technology

Avedos Risk2Value

Non-IT Risk Software

Methodologies for Risk Assessment and Management

ISO 14971 – Risk Management for Medical Technologies
NIST 800-30 Risk Management Guide for IT Systems – National Institute of Standards and Technology
OCTAVE (Carnegie Mellon)
The Institute of Risk management (IRM) The Risk Management Standard
ISO 13335-2 Information Security Risk Management, To be replaced by ISO/IEC IS 27005
BS 7799-3:2006 Information security management systems. Guidelines for information security risk management
BSI Grundschutz Handbuch
ENISA Regulation (2004)
PARA – Practical application of risk analysis
PTA – Practical Threat Analysis for Securing Computerized Systems
Austrian IT Security Handbook
Federal Financial Institutions Examination Council’s (FFIEC) IT handbook covers information security risk assessment
Threat and Risk Assessment Working Guide from The Government of Canada Security Policy
CRAMM – British Office of Government Commerce or The CCTA’s (Central Computer and Telecommunications Agency) Risk Analysis and Management Method
Afhankelijkheids- en Kwetsbaarheidsanalyse (Dutch A&K)
EBIOS (French Government)
FRAP: Facilitated Risk Assessment Process
ISF –IRAM : Information Security Forum Ltd. Information Risk Analysis Methodologies . Also check FIRM (Fundamental Information Risk Management), SARA (Simple to Apply Risk Analysis) , SPRINT (Simplified Process for Risk Identification)
CLUSIF MEHARI – Club de la Sécurité de l’Information Français
Calpana CRISAM
Securitree from Ameneza
OSSTMM RAV (RAV stands for Risk Assessment Values)
SOMAP – Security Officers Management and Analysis Project
FAIR Factor Analysis of Information Risk
DRAM Delphic Risk Assessment Method
Buddy System
AS/NZS 4360 (2004) Risk Management. Australia/New Zealand standard for risk management

Compliance Management/SIM/SIEM solutions which partially present GRC.

Tivoli Security Compliance Manager

Novell Compliance Management Platform

Easy2comply (formerly Dynasec)




RSA enVision



Security evaluation before outsourcing

Enterprises that outsource without properly evaluating the provider’s security profile are at risk of losing their data, reputation, and customers. Protect the organization’s interests by following best practice guidelines for gauging outsourcer security risks.

Enterprises outsource a variety of tasks for a variety of reasons. Typical IT services slated for outsourcing include application development, Web design, data center services, and help desk. Many of these functions are shipped overseas, where security oversight and governance are logistically difficult to monitor.

Also at risk are outsourcers that collect, dispense, or process personal data. These outsourcers are often targeted by hacker’s intent on stealing personal information for identity theft purposes. Potential candidates for hacking include:

• Financial and banking services.

• Credit card transaction processors.

• Human resources providers.

• Application hosting services.

• Payroll companies.

The severity and frequency of threats continue to rise. As the outsourcing trend grows, so too may the number of security breaches at the provider end.

Enterprises seeking to outsource IT and processing services must evaluate provider security from the outset. Incorporate the following recommendations into the enterprise’s RFP process.

1. Outsource highly sensitive IT services only to SAS 70-certified providers.

The Statement on Auditing Standards No. 70 (SAS 70) is a third-party report on a service organization’s security and the effectiveness of its internal controls. SAS 70 Type II defines the standards an auditor must employ in order to assess the internal controls of a service organization that is contracted by any enterprise subject to SarbOx evaluation.

2. Ask the right questions and seek evidence.

Does the IT outsourcer firm have appropriate security policies and management procedures in place?

Does it have development systems for maintaining an accurate inventory of IT assets? Are outsourcing workers and business partners qualified to fulfill their responsibilities? Are data centers physically protected against access by unauthorized individuals? Have comprehensive business continuity plans been developed and tested?

3. Follow the banking industry’s best practice guidelines.

A consortium of top U.S. financial services firms – known collectively as the Banking Industry Technology Secretariat (BITS) - released a set of guidelines for evaluating the security risks of outsourced IT. The ISO 17799-based IT Service Provider Expectations Matrix provides a single set of rules for evaluating outsourcers. Regardless of industry, all IT shops should follow the BITS matrix – the banking industry is a high liability trade that’s very stringent about to whom they outsource. The questionnaire-style matrix focuses on the following outsourcer security control areas:

• Security policy.

• Organizational security.

• Asset classification and control.

• Personnel security.

• Physical and environmental security.

• Communication and operations management.

• Access control.

• System development and maintenance.

• Business continuity management.

• Compliance with legal and regulatory requirements.

4. Ensure the privacy and confidentiality of personal data. Privacy-focused industries such as healthcare must take additional safety steps when personal data is outsourced. Not only should the outsourcer ensure confidentiality, but it must further guarantee that any entity (e.g. a medical transcriptionist) to which the outsourcer sends personal information also ensures data confidentiality. Healthcare organizations should also demand the following from outsourcers:

• Indemnification for breach of contract.

• Subcontractors must adhere to the same standards as the initial outsourcer.

5. Establish a contract exit plan. Despite best efforts, an outsourcer may still experience a negative security event. Depending on the severity of a breach, it may be necessary to break the contract with the outsourcer. This cannot be accomplished without a well-crafted disengagement clause in the contract. Before signing anything, negotiate disengagement scenarios with the outsourcer and agree on disengagement provisions. Also include financial penalties for security breaches, as you would for any other SLA. For an idea on how this might look, see Transport for London’s Exit Plan for service provider contracts.


When outsourcing, enterprises must be able to evaluate and track the security of the service providers with whom they wish to do business. It is the only way to ensure that the company’s data and intellectual property remain secure once they leave the organization.

Information Security Management System Knowledge Sharing


Get every new post delivered to your Inbox.