Educause Security Discussion mailing list archives

Re: Vendor Access


From: Ozzie Paez <ozpaez () SPRYNET COM>
Date: Thu, 4 Mar 2010 17:24:01 -0700

Dear Adam,

As a consultant with several decades of experience traveling from one
client's office to another, my experience with vendor controls has been
troubling.  For example, I have been to a variety of places where I was left
ALONE in a data center, network closet, locations with 'secured clients',
etc., within a few hours after arriving.  In some cases, no one even
bothered to check my ID or validate why I was there.  In other cases,
because I was a 'known face', I was allowed to come into sensitive areas
long after my work contract had ended and hang out until my old buddies
showed up.  My colleagues in other cases experienced similar security issues
and, of course, social engineering remains a highly effective tool for
breaching security.  With the above in mind, here are a few suggestions:

1. Identify key entry points for vendors and try to limit the numbers.
In general, it is better to channel them through as few entry points as
possible,

2. Establish procedures that are supported by the organization's legal
department and incorporate them into your service agreements and contracts,

3. Rather than handwritten entry logs, have an electronic system or
database client that includes the name and ID method, i.e. driver's license
number, vendor id card, known person, etc.,

4. Have a visitor badge system that includes valid dates and
authorized access areas - many badges that we have seen do not clearly
indicate the valid date range and thus someone can just pocket one and use
it later,

5. Have standard procedures for when a vendor needs to be accompanied
by someone in the organization, i.e. whenever access to an area may
compromise sensitive data and systems, you may need additional controls -
escorts should receive training so that they don't just get the vendor in
and leave them alone while they return to their desks,

6. Train your personnel to check and challenge anyone who is not
supposed to be in a control area and log violations,

7. Post a clear set of vendor security requirements and have
those available where vendor reps sign in.


Once you have the process and system in place, use a combination of
automated analysis and reviews to check for potential areas of concern,
including a vendor rep who tends to show up during times when there is
limited personnel around, i.e. evenings, weekends, holidays, etc.  Due
diligence makes a difference in these cases.
The above does not have to be complicated, but it would need to be tested
and adjusted.  By the way, don't forget that there are now an increasing
number of connected devices such as copiers.  Thus, you have to consider
companies that provide support for equipment beyond network components.
I have worked in many secure facilities and can provide additional input if
necessary - Hope this helps,
Ozzie
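The electronic sign-in log and follow-up review that the reply above recommends, as an added example that is not part of the original post or of any list member's code: a small Python review script run over constructed sign-in records. It applies the checks from the suggestions (badge valid-date range, authorized areas, escort in sensitive areas, ID actually verified rather than "known face") and then looks for the pattern the reply singles out, a rep who keeps showing up when few staff are around. The badge registry, vendor names, area names, staffed hours and the off-hours threshold are all assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, datetime, time
from typing import List, Optional, Tuple

# Badge registry: constructed for this example (hypothetical vendors and ids).
BADGES = {
    "V-1001": {"vendor": "Example Copier Service", "valid_from": date(2010, 3, 1),
               "valid_to": date(2010, 3, 31), "areas": {"Lobby", "Print Room"}},
    "V-1002": {"vendor": "Example Network Support", "valid_from": date(2010, 1, 4),
               "valid_to": date(2010, 2, 26), "areas": {"Lobby", "Network Closet"}},
}
SENSITIVE_AREAS = {"Data Center", "Network Closet"}   # escort required here (assumed)
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)  # staffed window (assumed)
OFF_HOURS_THRESHOLD = 2   # off-hours visits before a badge is flagged (assumed)

# Constructed sign-in records: timestamp,badge,id_method,area,escort ("-" = none)
SIGN_IN_LOG = """\
2010-03-02T09:15,V-1001,driver_license,Print Room,jsmith
2010-03-04T20:40,V-1001,known_person,Print Room,-
2010-03-06T10:05,V-1001,driver_license,Data Center,-
2010-03-03T11:00,V-1002,vendor_id_card,Network Closet,kdoe
2010-03-07T22:10,V-1002,known_person,Network Closet,-
"""

Finding = Tuple[str, str, str]   # (badge, timestamp or summary, reason code)


@dataclass
class Entry:
    when: datetime
    badge: str
    id_method: str
    area: str
    escort: Optional[str]


def parse_log(text: str) -> List[Entry]:
    """Parse the comma-separated sign-in records into Entry objects."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, method, area, escort = [f.strip() for f in line.split(",")]
        entries.append(Entry(datetime.fromisoformat(ts), badge, method, area,
                             None if escort == "-" else escort))
    return entries


def is_off_hours(when: datetime) -> bool:
    """Weekend, or a weekday time outside the staffed window."""
    return when.weekday() >= 5 or not (BUSINESS_START <= when.time() < BUSINESS_END)


def review(entries: List[Entry]) -> List[Finding]:
    """Apply the per-visit checks, then flag badges with repeated off-hours visits."""
    findings: List[Finding] = []
    off_hours_visits: Counter = Counter()
    for e in entries:
        stamp = e.when.isoformat(timespec="minutes")
        badge = BADGES.get(e.badge)
        if badge is None:
            findings.append((e.badge, stamp, "unknown_badge"))
            continue
        # Badge must be inside its valid date range (pocketed badges fail here).
        if not (badge["valid_from"] <= e.when.date() <= badge["valid_to"]):
            findings.append((e.badge, stamp, "badge_outside_valid_dates"))
        # Badge must list the area that was entered.
        if e.area not in badge["areas"]:
            findings.append((e.badge, stamp, "area_not_authorized"))
        # Sensitive areas require an escort recorded at sign-in.
        if e.area in SENSITIVE_AREAS and e.escort is None:
            findings.append((e.badge, stamp, "unescorted_in_sensitive_area"))
        # "Known face" is not an ID check.
        if e.id_method == "known_person":
            findings.append((e.badge, stamp, "no_id_verified"))
        if is_off_hours(e.when):
            off_hours_visits[e.badge] += 1
    # Pattern review: reps who tend to appear when few staff are around.
    for badge_id, count in sorted(off_hours_visits.items()):
        if count >= OFF_HOURS_THRESHOLD:
            findings.append((badge_id, f"{count} visits", "off_hours_pattern"))
    return findings


if __name__ == "__main__":
    for badge_id, stamp, reason in review(parse_log(SIGN_IN_LOG)):
        print(f"{badge_id} {stamp}: {reason}")
```

On the constructed records the script reports the expired badge still being used in the network closet, an unescorted entry into the data center on a badge not authorized for it, two "known person" admissions with no ID checked, and one badge with two off-hours visits. The reason codes are plain strings so the output can feed whatever ticketing or review process the organization already has.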
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Drews, Adam
Sent: Thursday, March 04, 2010 9:00 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Vendor Access
Hello All,
I was wondering how other people are handling vendor access to their
networks.  I searched the EduCause Security archive and didn't find much
there.  Do you have them fill out a form stating who they are, who they work
for, what access they need, how long they need the access, etc.?  Any input
would be greatly appreciated.

Thanks,
--

Adam Drews
Information Security Analyst
Information Security Office

Joliet Junior College
1215 Houbolt Rd.
Joliet, IL  60431
P: (815) 280-2667
F: (815) 280-2668