Educause Security Discussion mailing list archives

Outsourced Service Providers - PII


From: David Shettler <DSHETTLE () HOLYCROSS EDU>
Date: Mon, 8 Sep 2008 13:26:01 -0400

Hi all, 

If you outsource or use a hosted solution for anything that handles PII, for instance, a bookstore, a ticketing firm, 
etc., do you: 

  1) Conduct your own security assessment against them? (pentest them yourselves) 
  2) Ask them to produce pentest reports 
  3) Take their certifications as assurance (PCI DSS, etc) 
  4) Do nothing 

Doing #1 makes us the most comfortable as we've found that relying on things like PCI leaves a lot to be desired. 

Most of our pentests find moderate to critical problems, and most vendors are perfectly willing to be pentested by 
potential clients. 

More important than our pentest results is how the organization reacts to: 

  1) the request to conduct a pentest 
  2) the results of the pentest 

Generally, if an organization reacts negatively to either, we get apprehensive. Usually organizations respond favorably 
to both. 

I find the process mutually beneficial, and we do it primarily because most of these outsourced applications end up 
being styled identical to our website, making it more difficult for users to discern that they've actually left our 
network. In addition, these are OUR users, after all, and since we conduct similar assessments against all internal 
COTS applications and internally-developed applications, why not maintain the practice for hosted solutions as well? 

Does anyone else do this? If you do, do you get an indemnification agreement beforehand, or do you keep it relatively 
informal with the sales people / sales engineers? 

Dave Shettler 
College of the Holy Cross 
