Third party cyber security concerns

The team at Dazychain recently participated in GC Summit. To meet a growing interest from GCs in data security and privacy, Dazychain CEO Ian Goddard took to the stage to talk about security risks with the supply chain and to encourage GCs to protect their organisations from cyber weakness.

Data Privacy Officer

  • Have you appointed a person responsible for defining, implementing and enforcing measures to protect personal or commercially important information in a transparent way?
  • Have you ensured that all employees are aware of Data Protection requirements and sufficiently trained in methods for protecting the organisation’s information assets?
  • Are all members of the organisation required to call out observed risks in handling sensitive information to the Data Privacy Officer?
  • Are all members of the organisation made responsible for using personally identifiable information according to the organisation’s rules, legal requirements and aligned with the primary purpose of data collection?

Data loss prevention solution

  • Does a Data Loss Prevention solution prevent sensitive data from leaving the organisation’s security perimeter?
  • Is regular reporting of the identified Data Loss events, response and resolution created for Information Security stakeholders?
  • Is the Data Loss Prevention solution configured to block the movement of large amounts of critical information and warn users before permitting the movement of less critical protected information?
  • Is personally identifiable information used only for the primary purpose for which it was collected, as contractually agreed between the data subject and the data owner and to which the data subject has not objected, or as otherwise regulated by law?
  • Is an inventory of all usage of personally identifiable information maintained?
  • Is the inventory of personally identifiable information usage checked for currency at least twice a year?
  • Is the severity of each data breach evaluated, and the impact on customers, employees, third parties and the company assessed?
  • For serious data breaches, does the Data Privacy Officer notify affected people and organisations of the breached information?

Personally Identifiable Information classification

  • Is personally identifiable information generally classified as confidential?
  • Is sensitive information such as passwords, credit card data or bank account information masked during entry and display?

Fraud prevention management

Is it considered a data breach in the organisation if unauthorised third parties have gained access to commercially sensitive information or personally identifiable information?

Business continuity plan

  • Created?
  • Shared?
  • Tested regularly?
  • Does it specify dependencies on vendors, suppliers, supply chain requirements and regulatory requirements?

Malware

  • Is malware prevention in place for all IT assets with external network connections that are capable of running anti-malware detection software?
  • Is an anti-malware solution used as the standard malware protection solution?
  • Is malware protection software enabled on every workstation and protected from being disabled by users?

Data encryption

  • At rest?
  • In transit?

Mobile device encryption

Are all mobile devices that contain information classified as Internal, Confidential or Secret encrypted?

Security Information and Event Management solution

  • Are information security events relevant to the availability, integrity and confidentiality of information logged? Can accountability for the event, traceability of actions and the effectiveness of security mechanisms be deduced from the logs?
  • Is Security Information and Event Management in place to provide information security executives with actionable information on current threats to the organisation’s information?
  • Does the Security Information and Event Management solution alert Information Security Executives via multiple channels of communication of high-risk security events?

Testing, scanning, segregation and hardening

  • Are all externally accessible or high-risk applications penetration tested on a regular basis, before being introduced into production and before major releases?
  • Are all externally accessible IP addresses subject to vulnerability scanning regularly as well as after a significant change?
  • Does configuration of the operating systems include measures to harden the system against attacks and information leakage?
  • Is access to production environments segregated from access to test and development environments?

Passwords

  • Are passwords prohibited from being stored unprotected in physical or digital form?
  • Are user passwords required to remain confidential and not be disclosed to any other person?
  • Are passwords required to be changed at least every three months?
  • Are passwords tested for strength?
  • Is a user inactivity timeout enforced?

Physical security

  • Is physical data classified as Secret or Confidential not left open and unattended within the office space?
  • Are employees required to undergo regular police checks?
  • Is there a tightly maintained pass/key inventory?
  • Are there policies in place that limit office access?
  • Do all managers ensure they are fully aware of their responsibilities in preventing and detecting fraudulent activities of clients, vendors and employees?
  • Are employees’ accounts terminated and their access removed from systems immediately on departure?

Development processes

  • Documented application changes
  • Version control for code development
  • Release notes

Service level agreement

  • Availability
  • Disaster recovery time
  • Hours of operations
  • Maintenance windows
  • Response times
  • SLA reporting
  • Release and change cycles
  • Defined maximum periods of disruption
  • Incident tracking to follow issues as they emerge and are solved

Data retention

  • Is the availability of archived data ensured, and are legal retention requirements planned for?
  • Is all physical and electronic data no longer relevant to the organisation’s business destroyed securely if not required to be retained by law or after the end of the legal retention period?

System account approval

  • Are all system account creations and changes approved by the IT asset’s IT owner?
  • Do users only have the access required for executing their assigned tasks, in line with the principle of least privilege?
  • Does each identity have only one account per system associated with it?
  • Are identities for non-permanent employees created with a defined end date, as contractually specified?
  • Is all user access reviewed on a regular basis?

Some references

The Law Society, UK

Useful papers designed to help firms understand and mitigate cybersecurity threats.

http://www.lawsociety.org.uk/support-services/practice-management/cybersecurity-and-scam-prevention/

Skadden, Arps, Slate, Meagher & Flom

The Emerging Need for Cybersecurity Diligence in M&A

https://www.skadden.com/insights/publications/2017/04/the-emerging-need-for-cybersecurity-diligence

ACC

Model Information Protection and Security Controls for Outside Counsel Possessing Company Confidential Information

http://www.acc.com/advocacy/upload/Model-Information-Protection-and-Security-Controls-for-Outside-Counsel-Jan2017.pdf?_ga=2.18008698.2105555974.1496154508-4598426.1496154508

Minter Ellison

Perspectives on cyber risk 2018

https://www.minterellison.com/articles/perspectives-on-cyber-risk-2018

Office of the Australian Information Commissioner

Notifiable data breach statistics

https://www.oaic.gov.au/resources/privacy-law/privacy-act/notifiable-data-breaches-scheme/quarterlystatistics/Notifiable_Data_Breaches_Quarterly_Statistics_Report_January_2018__March_.pdf

The Treacherous 12 Top Threats to Cloud Computing
Cloud Security Alliance 2017

https://cloudsecurityalliance.org/download/top-threats-cloud-computing-plus-industry-insights/