I'll be traveling again in the next few weeks, this time to Vietnam. We've been outsourcing some of our operations to low-cost nations for years: Russia for source-code development, India for help desk services and China for manufacturing, among others.
Vietnam is new to the list, but as I stressed during the meetings about this engagement, there are no special security considerations. We follow the same procedures wherever our partners are located. From my perspective, the only difference is in the local cuisine.
To enhance security as my company works with third parties, I wrote a policy and had it ratified by my CIO. It sets the security requirements for all partner connections, including physical security. It also lays out audit requirements and contains some contractual verbiage specifying the partners' responsibilities.
Sin Cities
The policy is actually quite simple: Any partner connection to our company's internal network requires my approval, and my approval hinges on successful compliance with our partner connectivity policy.
A first visit to a partner is crucial, since it sets the stage for the relationship. It's my opportunity to demonstrate the importance my company places on the protection of its intellectual property and the integrity of its network. After all, visiting a country on the other side of the world isn't as easy as driving across town.
So here's my agenda for my first visit with any new partner. My company's policy states that a secure connection must be established between the partner and our company. We typically accomplish this via a small Juniper firewall on the partner's premises and a VPN tunnel between it, and a much larger firewall at our headquarters or a closer regional office. This allows us to maintain control of all the IP addresses, ports and protocols involved in data traffic between the partner and our internal network.
Plugging the leaks
We also require that all Internet connections be routed through our gateways, not the partner's. We learned about the need to do this the hard way, after various partners' employees used their companies' Internet connections to steal our intellectual property.
We mandate that the partner's systems be logically separated from its company network and that all systems have all the latest patches and employ the leading antivirus software. What's more, no unnecessary security software (such as sniffing, scanning or password-cracking utilities) can be installed on any of the systems.
Best for both worlds
Getting Physical
I also have to check on physical security. I don't like mingling workspaces; the thought that a partner might have people who are working for my company sharing space with people who might be working for one of our competitors doesn't sit well with me. Therefore, our policy requires a physically separate work area for the employees who will be handling our sensitive data. Sometimes the partner has to bear the expense of building walls, installing doors and implementing a badge system, but the cost usually isn't onerous. Labor is inexpensive in all of our partner countries; that's why we're there.
Security violations
Finally, I inspect physical and personnel security controls for the building. Cameras, door and window alarm systems, sign-in logs, and badge access systems are all reviewed. I also restrict the use of wireless access points for the partner network.
Once my audit is complete, I create a report and mark the calendar. Once a year, a new audit will be conducted to ensure that the partner is complying with our security policies.
Of course, on a personal level, it's always interesting to visit a new place. Bring on the pho!
"Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at mathias_thurman@yahoo.com.