Third parties can introduce new threats to your data.

By: Brand Barney, Security Analyst at SecurityMetrics
It doesn’t matter what type of organization you are: third parties impact the security of your organization. Sometimes third parties do a stellar job at security. Other times, they fail miserably. According to the Ponemon Institute, 65% of companies that reported sharing customer data with a partner also reported a subsequent breach through that partner.
Third parties are one of the greatest threat agents to your data, and most organizations don’t know how (or if) third parties protect their data.

That’s why you must be hyper-vigilant with every third party that could impact the security of your sensitive data, whether patient information or credit card data.

Who is handling your data?

If you don’t already have a list of third parties, make one. To jumpstart your list, here are some of the most-forgotten third parties that handle sensitive data:
  • Data encrypters
  • Data collectors and charters
  • IT professionals
  • Coders or code reviewers
  • Data transmitters
  • Data backup companies
  • Cloud security
  • Data center
  • Remote DBAs
  • Data destruction companies
  • POS maintainers
  • Phone providers (VOIP)
Remember, if you don’t even know who is handling your data, how can you protect it?
Now that we understand who is handling the data, how can you make sure your third parties take care of it?

First, understand your scope

Understanding third parties is really about understanding your scope. Scope is merely defining exactly who handles your data, how it’s handled/maintained, and where it travels throughout its lifecycle. If you have all these processes documented, you should already know exactly who your third parties are, and how your third parties handle your data. Learn more about the best methodologies to define your scope.

Be a professional skeptic: ask a lot of questions

Every organization should be a professional skeptic about its third parties. The best way to understand if your third party vendor is protecting your data is to ask them. If you fail to ask, you’ve already failed security 101.

Remember: blind trust = bad.

Here are a few examples:
  • If you have a third party developer creating software for you, check their code for security errors! If you can’t read code, pay a security auditor to test the code for you. Don’t just trust them at their word.
  • Ask your point-of-sale vendor if they install updates or manage your firewall. (Check out these other good questions to ask your point-of-sale vendor.)
  • If you contract with a document shredder, ask them about their process. Do they shred onsite? Do they collect and shred somewhere else?

Understand the regulations

So much of data security is mandated through strict regulations like the PCI DSS and HIPAA. Let’s go over some HIPAA-specific and PCI DSS-specific regulations regarding third parties. If you handle credit card data at all, pay attention to PCI DSS. If you handle patient data, pay attention to HIPAA regulations regarding third parties.

HIPAA regulations
Healthcare entities often believe their business associate agreements cover them in case of a breach. Unfortunately, that’s not accurate.

The HIPAA Omnibus ruling states that even if a business associate (third party) has never signed a business associate agreement, they may still be held liable. This also means the covered entity carries liability as well.

It’s common for third party vendors to not fully realize they are part of HIPAA regulations, as they may not actually view healthcare data. That’s why now is a good time to educate your third party vendors, and to determine the risk that they pose to you and your data. If they are unwilling to sign a BAA, it may be advisable to seek out vendors that will treat your data more securely and are contractually willing to secure it.

PCI DSS regulations
The PCI Council recently and subtly clarified that they are not big fans of businesses pointing fingers at their third parties, and vice versa.

In the recently updated PCI version 3.1, requirement 12.9 states that service providers are required to acknowledge to customers (in writing) that they are responsible for the security of the cardholder data the service provider possesses, stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.


Most of the big service providers out there (like Microsoft, Norton, etc.) have already published their responsibility statements to comply with this new PCI DSS requirement. But it’s not enough just to draw up a contract of who is responsible for what. Merchants must actually implement the security measures they’re in charge of, and the same goes for third parties.

Understand that if you get breached because your third party didn’t configure your firewall correctly, you are STILL responsible for that data breach. Why? As part of the PCI DSS, you are responsible for verifying your service provider is actually acting on their responsibilities. (See information about Attestation Of Compliance below.)

You may have BAAs in place that pass on your responsibility, but remember the Target breach? The breach ultimately happened due to negligence of an HVAC vendor, but Target was blasted in the media.

The best-case scenario would be that your third party vendor is totally culpable in the event of a breach (which I don’t see happening anytime soon). Even if this did happen, your company would still get lots of negative attention and brand degradation.

Laws may change across borders
When dealing with sensitive data, it’s not just PCI DSS and HIPAA you have to worry about. If your data is sent across country borders (to Canada, to the UK, etc.), regulations regarding your data may change.

For example, as your data moves from one cloud in the U.S. to another in Canada, are you aware of and following Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)? Do those requirements even apply to you? This is probably something you want to be aware of. The location of your data and the hosting organization should always be considered.

Additionally, if your data is developed in one country (like the UK), then transmitted through another (not the U.S.) and then ends up being stored in a third location, you may be subject to three separate legal systems.

It is always advisable to consider your third parties along with the mandates, the legal ramifications, and the potential for someone else to gain jurisdiction over your data once it has crossed into a different country.

If you have sensitive data crossing borders, discuss the potential issues with your legal counsel.

Ask for an attestation of compliance

Every service provider should provide you with their Attestation of Compliance (AOC) with the PCI DSS. Some are public (like Microsoft), while others (like Amazon Web Services) require a non-disclosure agreement before sending it to you. These attestations of compliance are extremely helpful when choosing and evaluating third parties, even for organizations that don’t deal with PCI DSS.

One thing many organizations fail to understand is that an AOC provided to you may not cover the services you use with your third party. For instance, you may be engaging your third party for infrastructure and networking, but their AOC says they are actually only compliant with ‘storage’ and ‘web’ services. As I mentioned before, it is important to be a professional skeptic, especially when your third party says they are compliant (they may be, but it’s best to double check it and be safe).

More often than not, larger vendors tend to do a better job at their attestation of compliance. They’re more diligent in their efforts because they have a lot more eyes on them. That isn’t to say they are always the most secure choice. In fact, plenty of large third parties have been the cause of recent large data breaches in the news.

Hold third parties responsible. Get an audit!

In this post, we’ve discussed:
  1. Defining your scope
  2. Defining your third parties
  3. Why it’s important to get proof that they’re protecting your data
Yes, it’s a big job to hold third parties responsible, but you don’t have to do it alone. There are security companies out there who audit third party vendors to make sure that their service/product is actually protecting your data.

The role of the third party is evolving. The way we share/transmit and protect data will always change. But what will never change are risks, threats, and vulnerabilities. They will always be around, especially if not addressed. That’s why it’s crucial to get your stakeholders together and decide whether you think the risks your third parties pose are worth it, or if it’s time to find some new, more secure third party vendors.

Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, has over 10 years of data security experience, and will totally geek out if you mention Doctor Who. Brand loves to play jazz piano and daydreams about being as great as Dave Brubeck or Thelonious Monk. Connect with him on Twitter or check out his other blog posts.
