By: Mitchell H. Levine, CISA
Audit Serve, Inc.
Organizations often profess that they were forced to compromise their security design principles when selecting a third party vendor product. Unfortunately, this is more often a consequence of not performing sufficient due diligence to identify the security design of the third party product being considered. Any due diligence review starts with establishing the functional requirements first.
Establishing a functional specification of security requirements starts with ensuring that the organization has complete flexibility in defining its resource rules. Many third party vendor products provide predefined resource roles which cannot be changed. This should be a show stopper during the product selection process, because each organization's structure is different.
The second most important functional requirement is to ensure that every access component can be locked down and assigned through resource roles. Unfortunately, many third party vendor products have menus or functions which cannot be locked down.
For outsourced functions, the question of oversight responsibilities always arises. Outsourced functions range from hosting equipment to managing the server and database, and even to managing the application. Some organizations subscribe to the principle that, as part of the contract, the vendor bears sole responsibility for ensuring that security is properly established and that monitoring functions are in place to confirm all actions were appropriate. Since the level of controls established by the vendor may not meet the organization's minimum requirements, due diligence reviews of these vendor processes are needed to give the organization comfort. Unfortunately, most due diligence reviews are simply control walkthroughs, which do not include any compliance testing to validate the effectiveness of the controls or to validate the security processes and design represented by the vendor.
The analysis of proper security design principles is a component of IT Governance. The enforcement of security design principles is a basic component of an SDLC. The security design of new system deployments should be evaluated by the System Architecture Review Board. For organizations which are not large enough to mandate these types of IT Governance initiatives, a simple checkpoint to evaluate security design principles is the minimum requirement prior to product selection.