Educause Security Discussion mailing list archives
Re: Vendor Access
From: Ozzie Paez <ozpaez () SPRYNET COM>
Date: Thu, 4 Mar 2010 17:24:01 -0700
Dear Adam,

As a consultant with several decades of experience traveling from one client's office to another, my experience with vendor controls has been troubling. For example, I have been to a variety of places where I was left ALONE in a data center, network closet, locations with 'secured clients', etc., within a few hours after arriving. In some cases, no one even bothered to check my ID or validate why I was there. In other cases, because I was a 'known face', I was allowed to come into sensitive areas long after my work contract had ended and hang out until my old buddies showed up.

My colleagues in other cases experienced similar security issues and, of course, social engineering remains a highly effective tool for breaching security.

With the above in mind, here are a few suggestions:

1. Identify key entry points for vendors and try to limit the numbers. In general, it is better to channel them through as few entry points as possible.
2. Establish procedures that are supported by the organization's legal department and incorporate them into your service agreements and contracts.
3. Rather than handwritten entry logs, have an electronic system or database client that includes the name and ID method, i.e. driver's license number, vendor ID card, known person, etc.
4. Have a visitor badge system that includes valid dates and authorized access areas - many badges that we have seen do not clearly indicate the valid date range and thus someone can just pocket one and use it later.
5. Have standard procedures for when a vendor needs to be accompanied by someone in the organization, i.e. whenever access to an area may compromise sensitive data and systems, you may need additional controls - escorts should receive training so that they don't just get the vendor in and leave them alone while they return to their desks.
6. Train your personnel to check and challenge anyone who is not supposed to be in a control area and log violations.
7. Post a clear set of rules and vendor security requirements and have those available where vendor reps sign in.

Once you have the process and system in place, use a combination of automated analysis and reviews to check for potential areas of concern, including a vendor rep who tends to show up during times when there is limited personnel around, i.e. evenings, weekends, holidays, etc. Due diligence makes a difference in these cases. The above does not have to be complicated, but it would need to be tested and adjusted.

By the way, don't forget that there are now an increasing number of connected devices such as copiers. Thus, you have to consider companies that provide support for equipment beyond network components.

I have worked in many secure facilities and can provide additional input if necessary.

Hope this helps,
Ozzie

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Drews, Adam
Sent: Thursday, March 04, 2010 9:00 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Vendor Access

Hello All,

I was wondering how other people are handling vendor access to their networks. I searched the EduCause Security archive and didn't find much there. Do you have them fill out a form stating who they are, who they work for, what access they need, how long they need the access, etc.? Any input would be greatly appreciated.

Thanks,
--
Adam Drews
Information Security Analyst
Information Security Office
Joliet Junior College
1215 Houbolt Rd.
Joliet, IL 60431
P: (815) 280-2667
F: (815) 280-2668

CONFIDENTIALITY NOTICE: The information contained in this e-mail message is legally privileged and confidential, and is intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copy of this message is strictly prohibited. If you receive this in error, please notify the sender by reply e-mail and delete this message.
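One way to do the automated review of an electronic sign-in log that the reply above recommends (the ID-method field from suggestion 3, badge valid dates from 4, escort requirements from 5, and the off-hours visit pattern it says to look for), as an added Python example that is not part of the original thread or any list member's code: the record layout and field names, the set of areas that require an escort, and the business-hours window are all assumptions, and the log lines are constructed sample data.

```python
"""Review electronic vendor sign-in records for the conditions the post
suggests auditing: badges used outside their valid dates, sensitive areas
entered without an escort, sign-ins accepted on a 'known person' basis with
no ID checked, and vendors whose visits cluster in evenings and weekends.
The record layout, field names and thresholds are assumptions."""
import csv
from collections import defaultdict
from datetime import datetime, time
from io import StringIO

# Constructed sample records (not real data). One sign-in per line.
SAMPLE_LOG = """\
signed_in,vendor,company,id_method,badge_id,badge_valid_from,badge_valid_to,area,escort
2010-03-01 09:12,J. Smith,Acme Copiers,drivers_license,V101,2010-03-01,2010-03-05,print_room,
2010-03-02 19:45,J. Smith,Acme Copiers,known_person,V101,2010-03-01,2010-03-05,data_center,
2010-03-06 10:05,J. Smith,Acme Copiers,vendor_id_card,V101,2010-03-01,2010-03-05,network_closet,R. Jones
2010-03-03 14:30,M. Lee,NetCo,vendor_id_card,V202,2010-03-03,2010-03-03,data_center,R. Jones
2010-03-06 22:10,M. Lee,NetCo,known_person,V202,2010-03-03,2010-03-03,data_center,
2010-03-04 11:00,P. Kim,HVAC Ltd,drivers_license,V303,2010-03-04,2010-03-04,lobby,
"""

SENSITIVE_AREAS = {"data_center", "network_closet"}  # assumption: escort required here
BUSINESS_HOURS = (time(8, 0), time(18, 0))            # assumption: Mon-Fri 08:00-18:00
OFF_HOURS_RATIO = 0.5  # flag a vendor when at least half of their visits are off-hours


def is_off_hours(ts):
    """True on weekends or outside the assumed business-hours window."""
    return ts.weekday() >= 5 or not (BUSINESS_HOURS[0] <= ts.time() < BUSINESS_HOURS[1])


def review_sign_ins(log_text):
    """Return a list of (vendor, detail, finding) tuples for a CSV sign-in log."""
    findings = []
    visits = defaultdict(lambda: [0, 0])  # vendor -> [total visits, off-hours visits]
    for row in csv.DictReader(StringIO(log_text)):
        ts = datetime.strptime(row["signed_in"], "%Y-%m-%d %H:%M")
        valid_from = datetime.strptime(row["badge_valid_from"], "%Y-%m-%d").date()
        valid_to = datetime.strptime(row["badge_valid_to"], "%Y-%m-%d").date()
        who = row["vendor"]
        # Suggestion 4: badge presented outside its printed valid date range
        if not (valid_from <= ts.date() <= valid_to):
            findings.append((who, row["signed_in"], "badge_outside_valid_dates"))
        # Suggestion 5: sensitive area entered with no escort recorded
        if row["area"] in SENSITIVE_AREAS and not (row["escort"] or "").strip():
            findings.append((who, row["signed_in"], "sensitive_area_no_escort"))
        # Suggestion 3: sign-in accepted as a familiar face, no ID actually checked
        if row["id_method"] == "known_person":
            findings.append((who, row["signed_in"], "no_id_verified"))
        visits[who][0] += 1
        if is_off_hours(ts):
            visits[who][1] += 1
    # Off-hours pattern: vendor who tends to show up when few staff are around
    for who, (total, off) in visits.items():
        if total and off / total >= OFF_HOURS_RATIO:
            findings.append((who, f"{off}/{total} visits", "off_hours_pattern"))
    return findings


if __name__ == "__main__":
    for vendor, detail, finding in review_sign_ins(SAMPLE_LOG):
        print(f"{finding:28} {vendor:10} {detail}")
```

Each finding carries the sign-in timestamp (or the visit ratio for the pattern check) so a reviewer can pull the matching badge record; the ratio threshold and business-hours window are deliberately simple so that the review can be tuned after the first few cycles, as the reply suggests.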
Current thread:
- Vendor Access Drews, Adam (Mar 04)
- <Possible follow-ups>
- Re: Vendor Access Bradley, Stephen W. Mr. (Mar 04)
- Re: Vendor Access Kevin Wilcox (Mar 04)
- Re: Vendor Access Ozzie Paez (Mar 04)