Wendy Nather
How can you claim to have control of security when an outside contractor has root passwords? Distributed systems do not have levels of security as in the old mainframe environment, so a new approach is necessary. Nather suggested escrowing the administration passwords, so the agency can go in and change them if necessary.
Bureaucracy can be a useful tool, also, she said. (Nather made clear at the start of her presentation, that the examples she used were not from Texas state agencies, but from previous work with banking systems.) Forms, accounting procedures and sign-offs help keep things manageable she said, as do contract provisions that contractors must comply with written policies. And while you can't fire a vendor's employees, you can shut them out of the system, she said.
And even though outsourcing sometimes is for the purpose of reducing FTE, the agency must maintain its own source of technical expertise to monitor the contract and to supply backup if the contract is pulled back in house.
Nather said that such things as software maintenance, security appliances, penetration testing, network-level monitoring and security consulting such as engineering and incident response can be outsourced, but you can never outsource liability or ultimate responsibility.
The contract can contain such things as: record-retention schedules, security policies, control and auditing of administration privileges, user access, control and use of security software, vulnerability scanning and remediation, incident response, security configuration standards, backup security, audit and legal requirements, business continuity and disaster recovery.
Nather, who also presented on Monday, handed out some URLs for articles she suggested as further reading:
"BITS IT Service Provider Expectations Matrix" (Banking Industry Technology Secretariat)
