IT Security: Are Your Vendors Following These 5 Compliance Controls?
1. Password Controls
It is important to make sure that, as a vendor, you implement the necessary technical and organizational controls to ensure that your customers' information, in any form, is protected from unauthorized access, modification, disclosure or deletion, and that you comply with all applicable laws and regulations.
Examples of best practice password controls include:
- Complexity: a mix of uppercase, lowercase, numeric and special characters, where possible.
- Minimum length: eight (8) characters.
- Expiration of user accounts: internal user account passwords should be configured to expire at least every 90 days.
- Expiration of service accounts: service account passwords should be configured to expire every 366 days.
- Password history: users should not be able to reuse at least their last five (5) passwords.
- Lockout: user accounts should be suspended after no more than six (6) failed login attempts.
All existing passwords must be changed to ones that meet requirements similar to those listed above, and a user or system account password must be changed immediately when the account has been compromised.
2. Access Controls
Access to your information should be granted on a need-to-know basis and consistent with any contractual agreements. Vendor should ensure segregation of duties by using role-based access controls, including for privileged information and non-production environments. Just as with password controls, implementing solid logical access controls for the verification and authorization of users accessing the system will help protect your customer data and ensure that only those who need access have it. You should obtain customer approval prior to sharing any information, or granting access to customer information, to any external entities, including contract personnel, suppliers or subcontractors. These external entities should also be required to comply with these requirements.
Examples of best practice logical access controls include:
- Identity verification for password resets: the system should require a user's identity to be verified before their password can be reset.
- Authentication and authorization for all access: all access to the system should be authorized and authenticated. This includes console access, wireless access, individual accounts, administrative accounts, and any system accounts used to interface with other systems.
- No end users for service accounts: service accounts should be configured to disallow end users from logging into the system with them.
- Unique user accounts: all accounts should be assigned to a specific, traceable and uniquely identifiable individual and should under no circumstances be shared.
- Periodic access review: all accounts and access rights should be reviewed at least semi-annually to determine whether access is still appropriate based on business need. Evidence of this review should be retained for a minimum of one year.
- Timely revocation: user access should be revoked promptly when it is no longer required, and user accounts that are inactive for more than four months should be suspended. This requirement does not apply to service accounts or external-facing customer accounts.
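The password and account-lifecycle thresholds from sections 1 and 2 (complexity, 8-character minimum, last-5 history, 6-attempt lockout, 90/366-day expiry, four-month inactivity suspension) can be expressed as a small policy check. The code below is an added example, not from the article; the salted SHA-256 history fingerprint and the 120-day reading of "four months" are simplifying assumptions, and the sample accounts in the comments are constructed.

```python
# Added example: policy checks for the vendor password and account controls above.
# Thresholds come from the article; the hashing scheme and 120-day value are assumptions.
import hashlib
import re
from datetime import date, timedelta

MIN_LENGTH = 8            # "Minimum length should be eight (8) characters"
HISTORY_DEPTH = 5         # "should not be able to reuse at least their last five (5) passwords"
MAX_FAILED_ATTEMPTS = 6   # "suspended after six (6) failed attempts at a maximum"
USER_EXPIRY_DAYS = 90     # internal user account passwords
SERVICE_EXPIRY_DAYS = 366 # service account passwords
INACTIVE_DAYS = 120       # assumption: "more than four months" approximated as 120 days

CHARACTER_CLASSES = {"upper": r"[A-Z]", "lower": r"[a-z]", "digit": r"\d", "special": r"[^A-Za-z0-9]"}


def complexity_issues(password: str) -> list[str]:
    """Return the complexity/length requirements a candidate password fails (empty list = compliant)."""
    issues = []
    if len(password) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH} characters")
    missing = [name for name, pattern in CHARACTER_CLASSES.items() if not re.search(pattern, password)]
    if missing:
        issues.append("missing character class(es): " + ", ".join(missing))
    return issues


def fingerprint(password: str, salt: str) -> str:
    """Salted SHA-256 used to keep password history without storing plaintext.
    Simplification for the example: production systems should use a slow KDF (argon2/bcrypt)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def reuses_history(password: str, salt: str, history: list[str]) -> bool:
    """True if the candidate matches any of the last HISTORY_DEPTH stored fingerprints."""
    return fingerprint(password, salt) in history[-HISTORY_DEPTH:]


def account_state(kind: str, last_change: date, last_login: date, failed: int, today: date) -> str:
    """Classify an account ('user', 'service' or 'customer') as 'locked', 'expired', 'inactive' or 'ok'."""
    if failed >= MAX_FAILED_ATTEMPTS:
        return "locked"
    expiry = SERVICE_EXPIRY_DAYS if kind == "service" else USER_EXPIRY_DAYS
    if today - last_change > timedelta(days=expiry):
        return "expired"
    # Inactivity suspension does not apply to service or external-facing customer accounts.
    if kind == "user" and today - last_login > timedelta(days=INACTIVE_DAYS):
        return "inactive"
    return "ok"
```

Running the checks on a nightly export of the vendor's account directory gives a list of accounts that breach each control, which is also the evidence the semi-annual review asks for.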
3. Network Controls
All vendor networks should implement access control mechanisms, bi-directional monitoring, and protection of the network perimeter (e.g., firewalls, packet filtering, and intrusion detection or intrusion prevention systems). Network access control devices should not allow access by default; "deny all" should be the default state. Networks, addresses, protocols, and ports should be specifically authorized before traffic is permitted between vendor networks and any other networks.
4. Wireless Controls
Vendor wireless networks shall be configured to protect the confidentiality of communications and must be compliant with Wi-Fi Protected Access II (WPA2) or later.
5. Physical Controls
Your vendors should be expected to implement a secure and controlled physical environment, including both environmental and access controls. These physical controls are a common requirement across multiple regulatory frameworks and a best practice for securing any information shared by your organization with the vendor.
Vendor should protect physical locations where customer information or customer-owned equipment is located from the following:
- Physical intrusion, unlawful and unauthorized physical access
- Heating, ventilation or air conditioning problems
- Power failures or outages (i.e., provide an uninterruptible power supply)
- Natural disasters (reasonable protection)
Access to areas where customer information is stored or customer-owned equipment or devices are located should be controlled and restricted to authorized persons using reasonable physical access and authentication controls (e.g., access control cards, video camera monitoring).
Audit trail of all physical access, including times, should be securely maintained.
Vendor should ensure that any equipment or device used to record, store or process customer information (e.g., laptops, removable media) is physically secured when unattended.