Threat Level: green Handler on Duty: Renato Marinho

SANS ISC: When your service provider has a breach - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
When your service provider has a breach

As the day progresses more and more Epsilon clients are notifying their customers that their details have been compromised, I got to thinking about what information is readily given to third parties for many different purposes.  The outsourcing of certain specialist tasks is nothing new.  What I've found in the past though is that information is often handed over without really thinking through any of the consequences should the information be compromised. So here are some of the things I believe you should be doing when handing over client information to third parties. as per usual feel free to add your own experiences and suggestions.

Before handing over any information over you may want to ask the following:

  • What is the minimum amount of information that is needed in order to perform the tasks requested? - We often find that people are handing over substantial amounts of data when all that is really required is an email address and a first name. This will of course depend on what the third party is doing for you, but having a think about what they really need is a good starting point.  Then it can be risk assessed and a decision taken.
  • How are you protecting my information? - Likely you will get a warm fuzzy answer and you will have to sift through it to find out what the real answer is. What you want to look for are things like operational security processes.  How are they going to notice if there was a breach? Do they utlise IDS/IPS. Do they have firewalls (and yes sometimes you will get the answer of "no we don't need a firewall"
  • Do you have the right to audit? - The answer to this will often give an indication as to what the real answer is to the previous question. If the answer is "no", well ...
  • Do they have an incident response process?
  • What steps will be taken in the event of a breach and when will you be notified? - i.e. how long will they sit on the compromise before they will let you know that it is gone?
  • What happens if the breach is at a subcontractor of the organisation? - Many companies subcontract processes to others.
  • Who will carry any additional costs? - In some jurisdictions there is a notification requirement. In some cases this may need to take the form of snail mail, those stamps can be expensive, who will pay for that.
  • You may need to communicate any special security requirements you have for your information. You will need to communicate these clearly to the provider so they can meet your expectations.

Collect the answers and have it put into the contract/agreement, that way nobody can forget who would do what and when.

That's my quick start list before handing information over.

Mark H

 

 

Mark

391 Posts
ISC Handler
The above referenced suggestions as to how to handle information disclosure are beautiful in theory, but the ::REALITY:: of the situation is that consumers don't get the opportunity to ask a list of questions before doing so. In almost every instance, the agreement is a shrink wrapped one. Case in point: I consented to doing business with Kroger, et al., and opted out of their spam emails accordingly, however, I *never* consented to giving the companies whose spamming endeavors are managed by Epsilon to play fast & loose with my email address. I hold Epsilon *and* their client gravy train accountable for this latest breach. Further, patting the companies in question on the back for disclosing the breach isn't something that should be lauded given that the only reason they did disclose was because there are database breach laws in numerous states. They did not -as handlers seem to think- out of the kindness/goodness of their ever loving corporate hearts.
Peyton

5 Posts
@PrattleOnBoyo
I didn't say it would be easy :-) but the reality is if you don;t ask you certainly won't get it. If you ask you have a better chance. You also have the opportunity to go elsewhere. Nothing like customers going elsewhere that makes vendors change their "standard" agreement.
Mark

391 Posts
ISC Handler
Germany has a pretty Law that covers some topics:
http://en.wikipedia.org/wiki/Informational_self-determination

The English article is pretty short and not as good as the German one. The Google translation may give a hint:
http://translate.google.de/translate?js=n&prev=_t&hl=de&ie=UTF-8&layout=2&eotf=1&sl=de&tl=en&u=http%3A%2F%2Fde.wikipedia.org%2Fwiki%2FInformationelle_Selbstbestimmung
Mark
27 Posts
I was informed of this through the media (The Toronto Star), not by the two companies that were mentioned in the article. I'm not amused at all. I should have been informed immediately via email from each of these companies. One advises when you login, the other doesn't mention it at all.
Glenn

17 Posts
@PrattleOnBoyo
I believe you misread Marks post. And Mark forgive me but you state "when handing over client information to third parties" and that is very different from what Prattle on is prattling on about.
Terms of Service, AUP's, Privacy policy, they are not negotiable, you agree or you don't agree. And they define the terms by which you consent to use of your information among other things.
But when negotiating a contract with a third party and it's dealing with clients information, you absolutely should be asking the above questions and writing them into the contract.
Otherwise, move on to a partner that will accept your terms...if they don't...you don't need the added risk...ala Epsilon.
Glenn
9 Posts

Sign Up for Free or Log In to start participating in the conversation!