By Mike Goode
With attention-grabbing headlines about major security breaches appearing almost daily, plan sponsors need assurance that their service providers are on guard around the clock, protecting sensitive information and intellectual property wherever it resides.
One sign that a service provider has a strong commitment to security and controls is SOC certification, which results from successful Service Organization Controls (SOC) examinations. SOC examinations are conducted in accordance with attestation standards established by the American Institute of CPAs (AICPA), and are designed to provide assurance that a service organization meets key security principles, validated through an independent service audit.
Protect Sensitive Information, In Whatever State It Resides
It’s important to understand that sensitive information and intellectual property doesn’t just sit on a storage device or on a piece of paper. It can also be in use or moving across a network, and it’s critical for a service provider to understand the various states in which data exists and to formulate protective measures for each of those states, including:
- In use: Actions such as copying data to a storage device or printing it
- In motion: Network communications such as email, web traffic and instant messaging
- At rest: Data stored in file shares or on users’ drives or devices
Kicking the Tires of Your Service Provider’s Internal Security
Once we understand the different states of data, we can formulate and implement specific, protective security measures.
Here is an important (but by no means exhaustive) list of the internal measures we believe are critical for all service providers to adopt, and that we’ve taken care to implement effectively throughout our organization.
1. Application Security:
- Restricting all internal applications with role-based access control. All systems and applications are restricted to authorized users only, as are application data and sub-functions.
- Requiring two-factor authentication for application login, so that users must identify themselves with two separate components.
2. Network Security:
- Filtering and blocking inbound and outbound internet traffic, including firewall protections that prevent external network intrusions.
- Implementing wireless security that secures wireless access points and strongly encrypts wireless data transmissions.
3. Physical Security:
- Requiring all employees and contractors to present ID badges to gain access at all general office space entrance points.
- Within the general office space, further securing additional areas with role-based access via ID badges.
- Recording cameras at all entrance points.
4. Email and Messaging:
- Filtering email, to ensure that unwanted and dangerous inbound emails, attachments and links are identified and neutralized.
- Backing up all email, to retain a complete record of all email communications.
- Limiting instant messaging to internal use only.
5. Telephony, Peripherals, Printing & Faxing:
- Disabling USB storage device read/write access and DVD-R writing, so that these vectors for potential attack or data theft can’t be used.
- Logging and recording all phone calls.
- Allowing only authenticated printing and faxing.
6. Security as Corporate Culture:
- Holding periodic company meetings to educate our employees and to reinforce our security culture.
In the final analysis, all service providers have to realize that effective security is not a destination; it’s a constant discipline that relies upon continuous evaluation, testing, validation and improvement.
The results are well-worth the effort!