A CIO is responsible for the security of external and contracted systems. Even when the enterprise has a CISO (Chief Information Security Officer), blame for any security breach is bound eventually to find its way to the CIO. We asked Dave Frymier, CISO for Unisys, for his perspective on the steps CIOs should be taking to assure that the services they contract, and the systems on which they store their data and processes, can be relied upon to be secure.
According to Frymier, "Unisys uses a variety of SaaS and IaaS vendors to provide travel planning, expense reporting, payroll processing, customer relationship management, HR information content management, compute, storage and other services. Over the years, we have developed a selection/contracting/implementation process, built around three tools, to assist us in protecting our information in accordance with its value.
"First, during the procurement phase, we send each prospective vendor a spreadsheet with questions designed to assess their information security posture. We consider positive answers to these questions basic indications of competence. Difficulty with this questionnaire is usually a flag that the vendor is either inexperienced or cutting corners.
"After our preferred vendor selection, we have a second checklist of contractual terms and conditions we would like to see in the vendor’s contract. These have to do with things like limitations and acceptance of liability, indemnification, control of information, audit rights and incident response. These items are negotiable depending on the type of data involved; we prefer to focus on outcomes instead of method in these areas.
"Finally, we have a third checklist for use by project teams during implementation. It covers areas like asset value assessment, account management, access control, encryption, key management, monitoring provisions, the information life-cycle, security in the operational environment, security in the development environment(s) and any provisions for co-development or vendor access to production or development systems.
"I won’t tell you I’m certain these external systems are secure, but the process we have developed gives us a reasonable level of assurance our information is being properly handled by our vendors."
I think the three-level process Frymier describes does a couple of important things. First, it establishes a robust and consistent due-diligence process that can be tracked and referred to as needed. Along the same lines, it provides evidence that significant attention was paid to the selection and vetting of the chosen vendor. As Frymier admits, the process doesn't guarantee security, but I would bet that this level of scrutiny is deeper than what most companies apply to their internal systems.