Wendy Nather, information security officer for the Texas Education Agency, today addressed the second day of Security Boot Camp at GTC in Austin on the subject of maintaining security controls when outsourcing.

How can you claim to have control of security when an outside contractor has root passwords? Distributed systems do not have levels of security as in the old mainframe environment, so a new approach is necessary. Nather suggested escrowing the administration passwords, so the agency can go in and change them if necessary.

You can have a customer support desk creating accounts as long as you have workable policies in place and audit what the support desk is doing. Nather also suggested that the agency have a separate collection of logs that are taken off the box immediately. Collect everything in a separate location that nobody else has access to, she said. That provides "a separation of powers."

Bureaucracy can also be a useful tool, she said. (Nather made clear at the start of her presentation that the examples she used were not from Texas state agencies, but from previous work with banking systems.) Forms, accounting procedures and sign-offs help keep things manageable, she said, as do contract provisions that contractors must comply with written policies. And while you can't fire a vendor's employees, you can shut them out of the system, she said.

And even though outsourcing sometimes is for the purpose of reducing FTE, the agency must maintain its own source of technical expertise to monitor the contract and to supply backup if the contract is pulled back in-house.

Cost reviews on bids and critiques of strategies can be obtained from third parties or vendors who are not involved in the project, she said.

Nather said that such things as software maintenance, security appliances, penetration testing, network-level monitoring and security consulting such as engineering and incident response can be outsourced, but you can never outsource liability or ultimate responsibility.

The contract can contain such things as: record-retention schedules, security policies, control and auditing of administration privileges, user access, control and use of security software, vulnerability scanning and remediation, incident response, security configuration standards, backup security, audit and legal requirements, business continuity and disaster recovery.

Nather, who also presented on Monday, handed out some URLs for articles she suggested as further reading:

"BITS IT Service Provider Expectations Matrix" (Banking Industry Technology Secretariat)

Wayne Hanson  |  Editor