Read the book Cybersecurity and Third-Party Risk - Gregory C. Rasner - Page 29

Internal Security Standards versus External Security Standards


We delve into the policies and legal documentation pertaining to cybersecurity and third‐party risk in later chapters. However, it is worth noting a problem often misunderstood: Why are standards or policies for vendors often more strict than internal corporate standards? Many complain that it doesn't seem fair or is a case of “do as I say, not as I do,” or worse, that it is being hypocritical.

The answer is explained in this analogy: Say you have a hard drive in your house that contains sensitive data, which is likely a 100‐percent accurate statement as nearly every reader of this book surely has a home computer containing sensitive data. This sensitive data, such as electronic bank statements or downloaded documents, is known as PII. Do you specifically lock that up when you leave your home? Not likely; you likely lock your door and turn on your security alarm, which is secure enough.

Let's say you'll be on vacation while your house is undergoing a major renovation, and you don't want to leave your computer where contractors have access (which is good vendor risk management, by the way). Your trusted neighbor offers to store it in his home while you are away. (He is your neighbor and friend but not family.) Before he receives the computer, you decide to encrypt the hard drive, set a basic input/output system (BIOS) password (i.e., the prompt a user sees when the computer first starts up), and ensure that your Windows account password is complex. (Please stop using your dog's name plus your birth year!) Again, you feel you're taking the proper due care to secure your data before it's given to a third party.

As you drop off your laptop at your neighbor's house, you ask where he plans on storing it. Surprised, because he had not thought about it, your neighbor casually replies, “Over there on that shelf.” This idea makes you uncomfortable for two reasons: First, he does not seem to appreciate how much you value this data. Second, storing it on an open shelf, where people you do not know can walk by and view it, leads you back to the problem with the strangers (i.e., the contractors) in your home. You then bribe him with a promise to bring him back a nice bottle of rum from your trip, in exchange for him storing it in his safe.

In your own home, you did not encrypt the data (not recommending this, just making a point) or have the best access rights administration. In addition, your data never was locked up when it was in your home. When you decided to move the data outside of your area of control, not only did you increase the security on it, but you required your neighbor to place it in a safe. He probably thinks you are ungrateful and demanding, but the thought of the rum is enough to make the extra work worth the effort. Your risk of a data leak is vastly reduced, as the only people who have access to it have the safe's combination. If there is a data breach, the list of culprits likely will not be lengthy.

A vendor has a business relationship with a company—it's business, nothing personal. As a company paying for a service or product, there is nothing wrong with requiring certain risk reduction behaviors that your company does not require internally. Most often the internal and external standards are the same; however, in some areas, such as encryption or access management, they can diverge. For example, internally a company could have a standard of AES‐128 encryption; however, that same company could require a standard of AES‐256 or equivalent from external parties. The company wants the assurance that its data is kept even more secure when housed outside its environment.
