Who bears more responsibility for the infosec posture of your organization – your company or your IT partners and vendors?
Some would argue that organizations as consumers bear the ultimate responsibility – much like radio and television pundits telling viewers to change the channel if they don't like the programming. Others might suggest it is the responsibility of technology vendors to thoroughly test their offerings, cure defects, and produce quality secured technology products and services.
The issue is more than who should bear the legal or financial risk. The heart of the problem is collaboration. How much is there between organizations and vendors working towards reducing common information security risks?
Collaboration is an elusive word that conjures up different interpretations for different organizations. What kind of collaboration is necessary between organizations and vendors to help reduce information security risks, for example? I've come up with a win-win solution that might serve as a guide.
But first, I'll need to digress for a moment. Healthcare. The word brings to mind images of hospitals, clinics, pharmacies and pharmaceutical companies. But today, the business of healthcare is becoming more and more dependent on the IT industry. Just visit your local hospital and see how many IT systems it has. IT systems within healthcare are, in some cases, responsible for monitoring and even administering care to patients. In an environment so dependent on IT systems, information security risks can affect the outcome of life-and-death decisions in the care of patients. A very sobering thought.
Many wonder what level of risk should be shared in healthcare, indeed in any industry, between organizations and IT vendors, but that is the wrong question. The first priority should be on identifying information security risks.
The healthcare system I serve is a large, non-profit system serving the needs of patients in several counties of Pennsylvania. We have a workforce of 8,500 and a large IT infrastructure, supporting one of the nation's largest electronic medical records systems. Information security risks are of paramount importance. Managing them has forced us to rethink how we approach and discuss risks with vendors.
When we partner with IT vendors before purchase, we ask them to fill out an IT systems requirement questionnaire, co-written by our IT department, Internal Audits, and the Information Security Office. We explain that its purpose is to document any potential infosec risks inherent to their products or as a result of our implementing them, and that it acts as a mutually beneficial starting point for dialogue.
There are three main areas of focus. First, what are the technical requirements of network communications, their compatibility with our network infrastructure, the remote-access capabilities of vendor products, and so on?
Does the vendor product or system require TCP/IP connectivity? And is it compatible with, and supported in, an environment that includes Windows 95, 98, NT, 2000 and XP desktop OSs?
Second, how compatible is the application with existing software applications, application-level security audit logs and so on? Is all browser functionality available using Microsoft Internet Explorer version 5.x and above? Is Java support needed?
And, third, what about product security? Is patch management needed, and can the vendor explain the product's own security and audit controls within its systems?
For example, if the system is maintained by the vendor, will it apply security-related patches within 48 business hours after they become available? And will it agree that all confidential information transmitted via modem is encrypted with a key of at least 128 bits?
Further requirements are:
- The system must automatically check password length at the time users construct their password. Passwords must have at least six characters and contain a combination of alpha and numeric characters. The password field must be masked (not displayed) at all times.
- The system must suspend a user account after no more than three consecutive, unsuccessful login attempts. Account re-activation must require administration-level intervention.
- The system must encrypt the internally stored password files.
- All vendor-supplied default passwords must be able to be changed.
- The system must grant access only by combination of the user identifier and the password, not independently.
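The five requirements above are the kind of controls a vendor questionnaire asks a product to demonstrate, and they are small enough to check in code. The following is an added example, not code from the article or from Geisinger's questionnaire: it implements the construction check (six characters, alpha plus numeric), suspension after three consecutive failed logins with administrator-only reactivation, and access granted only on a matching user identifier and password together. The "encrypt the internally stored password files" item is modelled with a salted PBKDF2 hash (an assumption about how a modern product would satisfy it); the administrator set, account names and passwords are constructed sample data.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass

# Policy constants taken from the questionnaire items above.
MIN_PASSWORD_LENGTH = 6
MAX_FAILED_ATTEMPTS = 3
PBKDF2_ITERATIONS = 100_000  # assumption: a reasonable work factor for the demo


def check_password_policy(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password is acceptable.

    Enforces the construction rule: at least six characters and a mix of
    alphabetic and numeric characters.
    """
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no alphabetic character")
    if not any(c.isdigit() for c in password):
        problems.append("no numeric character")
    return problems


def _hash_password(password: str, salt: bytes) -> bytes:
    # The stored record holds salt + derived key, never the cleartext password.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    suspended: bool = False


class AccountStore:
    """Minimal account database implementing the lockout and access rules."""

    def __init__(self, admins: set[str]):
        self._accounts: dict[str, Account] = {}
        self._admins = set(admins)  # users allowed to re-activate suspended accounts

    def create(self, user_id: str, password: str) -> None:
        """Create an account; the password is checked against the policy before it is stored."""
        problems = check_password_policy(password)
        if problems:
            raise ValueError("password rejected: " + "; ".join(problems))
        salt = os.urandom(16)
        self._accounts[user_id] = Account(user_id, salt, _hash_password(password, salt))

    def login(self, user_id: str, password: str) -> bool:
        """Grant access only when both the user id and the password match.

        Three consecutive failures suspend the account; a suspended account
        rejects even the correct password until an administrator re-activates it.
        """
        acct = self._accounts.get(user_id)
        if acct is None:
            # Unknown id: do the same hashing work so response time does not reveal valid ids.
            _hash_password(password, b"\x00" * 16)
            return False
        if acct.suspended:
            return False
        if hmac.compare_digest(_hash_password(password, acct.salt), acct.pw_hash):
            acct.failed_attempts = 0  # a success resets the consecutive-failure counter
            return True
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.suspended = True
        return False

    def is_suspended(self, user_id: str) -> bool:
        return self._accounts[user_id].suspended

    def reactivate(self, user_id: str, acting_user: str) -> None:
        """Clear a suspension; only a member of the administrator set may do this."""
        if acting_user not in self._admins:
            raise PermissionError(f"{acting_user} is not an administrator")
        acct = self._accounts[user_id]
        acct.suspended = False
        acct.failed_attempts = 0


if __name__ == "__main__":
    # Constructed walkthrough: three bad guesses lock the account, an admin unlocks it.
    store = AccountStore(admins={"sec-admin"})
    store.create("nurse01", "ward7pass")
    for _ in range(3):
        store.login("nurse01", "wrong-guess")
    print("suspended after three failures:", store.is_suspended("nurse01"))
    store.reactivate("nurse01", "sec-admin")
    print("login after re-activation:", store.login("nurse01", "ward7pass"))
```

The policy check is kept separate from the account store so the same function can be wired into the password-change screen (where the questionnaire says the length check must happen) and into bulk audits of an existing password file; the vendor-default-password item is covered simply by the fact that `create` is the only way to set a password and it refuses anything that fails the policy.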
From these points, we can work together as partners to devise steps to rectify, minimize, or mitigate any potential risks to our organization.
Vendors find the process valuable and often take feedback back to their product development teams to enhance future technology products and services. We make our vendors aware of our needs and accountable for their solutions, and provide them with valuable market research for future product development. It is a win-win situation for our organization and our IT partners.
During 2004, we gained valuable cooperation from vendors by constantly refining and learning from this mutually beneficial process. We realize vendors cannot fix everything, and we cannot provide absolute security in product implementation. This dialogue has allowed us to find solutions to address information security risks more effectively.
Jaime Chanaga is chief information security officer at Geisinger Health System