[Apologies for the blank post yesterday, here is the real one]
The timing for this part of the Going Beyond the Standard series is almost perfect given the SSC’s release of their ‘Information Supplement: Third-Party Security Assurance‘. Which, despite it’s gratuitous use of the word ‘may’, and the ongoing generic-ness of the SSC supplements, is actually pretty good.
It has always irritated me that the phrase ‘third parties’ is now the established norm in these scenarios, when it’s actually SECOND parties that create the most challenges;
So third parties are the service providers that YOUR service provider hires to do [part of] the work for which you (the first party) hired the original provider. Third parties are fairly common, but not as common as second parties, and while third parties ARE an issue, they should be addressed in the same way as any other outsourced service; with proper due diligence.
Unfortunately, this due diligence is almost universally performed badly, or there would be no need for the SSC to issue an information supplement in the first place. Or course, if the requirements in the PCI DSS were written better perhaps there would be less confusion, but it’s too late now.
Because the supplement is quite good, I’ll not go into the nitty gritty of vendor management, but it is important to realise that the choice of an outsourced service does not start with vendor due diligence, it starts with a business need that has been PROPERLY analysed, and a risk assessment performed.
PCI itself has driven an enormous growth in outsourcing, and not because there was suddenly a need for more services, but because so many organisation wanted PCI to just go away. The thought was if you outsourced, you could just point at them and shirk all further responsibility.
In reality, you can outsource almost every function relevant to PCI, but you can NEVER outsource the responsibility for the protection of the cardholder data. Yes, you can throw financial liabilities into the contract, you can buy cyber-insurance, you can even drag your service provider down with you if things go horribly wrong, but it’s going to be YOUR name in the papers.
The other big mistake organisations make at the beginning phases of outsourcing is, as always, asking the wrong questions. While a service provider does not have to BE PCI compliant for the service they are providing, their services have to SUPPORT yours. Not only that, if they do not have a Report on Compliance backing up their services, they will have to be fully assessed and validated against yours.
I’ve had small clients whose PCI assessment costs and effort increased FIVE fold because they had not performed the correct due diligence.
Even if I assumed you are outsourcing for the right reasons, CHOOSING vendors is next step where things go wrong. DSS v3.0 has built in the requirement for ‘third parties’ to qualify their services with detailed analysis of EXACTLY what is being provided against the requirements themselves. This was always a requirement in my mind, but rarely followed, and has led to significant gaps based on assumptions.
However, if if your chosen service provider is PCI compliant for the services, there is surprisingly little they can do in terms of reducing your effort;
1. DSS Requirement 1.x – You can outsource management, but you will always own the policies, the final configuration standard(s), and of course, the ruleset(s). About the only things that can be 100% outsourced is stageful packet inspection.
2. DSS Requirement 2.x – Again, you can have a service provider put together configuration standards for you, but you will always own them, the business justifications for every available service and listening port is yours to document, and insecure protocols are yours to fix or compensate for.
3. DSS Requirement 6.x – Outsourced development is great, but unless their SDLC supports your compliance, YOU won’t be.
4. DSS Requirement 10.x – The most egregiously overstated service provider coverage of them all. The issue is rarely in the collection of the events, it’s what events should be logged in the first place and how. And how ANY service provider dares to say they can cover a daily review without establishing a baseling is beyond me.
5. …and so on.
I’m already ay 700 words and I’ve barely starched the surface, but that should be an indication of just how messy this topic can be. It deserves a white paper, but that will have to wait.
Bottom line; If you don’t have a program for vendor selection and vendor management, get one, and make it retroactive. Get help if you need it, but in the end, if your service providers fail, YOU fail, and deservedly so.
Read the SSC supplement, implement what it says, they have not missed much.