Educause Security Discussion mailing list archives
Outsourced Service Providers - PII
From: David Shettler <DSHETTLE () HOLYCROSS EDU>
Date: Mon, 8 Sep 2008 13:26:01 -0400
Hi all,

If you outsource or use a hosted solution for anything that handles PII, for instance, a bookstore, a ticketing firm, etc., do you:

1) Conduct your own security assessment against them? (pentest them yourselves)
2) Ask them to produce pentest reports?
3) Take their certifications as assurance (PCI DSS, etc.)?
4) Do nothing?

Doing #1 makes us the most comfortable, as we've found that relying on things like PCI leaves a lot to be desired. Most of our pentests find moderate to critical problems, and most vendors are perfectly willing to be pentested by potential clients.

More important than our pentest results is how the organization reacts to:

1) the request to conduct a pentest
2) the results of the pentest

Generally, if an organization reacts negatively to either, we get apprehensive. Usually organizations respond favorably to both.

I find the process mutually beneficial, and we do it primarily because most of these outsourced applications end up being styled identical to our website, making it more difficult for users to discern that they've actually left our network. In addition, these are OUR users, after all, and since we conduct similar assessments against all internal COTS applications and internally-developed applications, why not maintain the practice for hosted solutions as well?

Does anyone else do this? If you do, do you get an indemnification agreement beforehand, or do you keep it relatively informal with the sales people / sales engineers?

Dave Shettler
College of the Holy Cross