
Divestitures

Divestitures (also known as de-mergers and de-acquisitions) represent the flip side of Acquisitions: one company becomes two or more. Divestitures can represent more risk than acquisitions: how exactly will sensitive data be split up? How will IT systems be split?

It is quite common for formerly unified companies to split, and for both newly spun-off companies to inadvertently retain duplicate accounts and passwords. This enables attacks by former insiders: an employee of one divested company hacks into the other by re-using credentials issued by the formerly unified company. Similar risks exist with the reuse of physical security controls, including keys and badges. All forms of access held by people who are now employees of the other company must be treated as former-employee access and revoked.

Third Party Assessment and Monitoring

Third parties (including vendors, consultants, and contractors) can introduce risks to an organization. They are not direct employees, and sometimes have access to systems at multiple organizations. If allowed to, they may place an organization’s sensitive data on devices not controlled (or secured) by the organization.

Third party personnel with access to sensitive data must be trained and made aware of risks, just as employees are. Background checks may also be required, depending on the level of access required. Information security policies, procedures, and other guidance should apply as well. Additional policies regarding ownership of data and intellectual property should be developed. Clear rules dictating where and when a third party may access or store data must be developed.

Other issues to consider include: how does a vendor with access to multiple organizations’ systems manage access control? Many vendors will re-use the same credentials across multiple sites, manually synchronizing passwords (if they are able or allowed to). As we will discuss in Chapter 6, Domain 5: Identity and Access Management (IAM), multi-factor authentication mitigates the risk of stolen, guessed, or cracked credentials being reused elsewhere.

Also, from a technical perspective, how are the vendor’s systems secured and interconnected? Can a breach at the vendor’s site (or any of the vendor’s clients) result in a breach at the client organization? Who is responsible for patching and securing vendor systems that exist onsite at the client?

All third party connections should be tightly secured and closely monitored. If VPN access is granted, it should permit connectivity only to the specific systems and services the vendor requires, and firewalls should drop (and log) all other traffic. The risk of pivoting (using one compromised internal system as a foothold to attack others) should be carefully considered and mitigated; the logged drops are also where early signs of pivoting from a vendor account show up.
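As an added example (not part of the original text), the following script shows what "allow only the required systems, drop and log everything else" looks like when turned into a check. It holds a per-vendor allowlist of (destination, port) pairs and audits constructed firewall log lines against it: dropped traffic outside the allowlist is expected but tracked, accepted traffic outside the allowlist indicates a firewall rule gap, an account missing from the policy is flagged outright, and an account that probes several hosts outside its allowlist is reported as a pivoting candidate. The vendor names, addresses, policy and key=value log format are all hypothetical.

```python
import re
from collections import defaultdict

# Constructed policy for this example: each vendor VPN account maps to the
# (destination, port) pairs it legitimately needs. Names and addresses are
# hypothetical, not taken from the original text.
VENDOR_POLICY = {
    "acme-support": {("10.20.5.11", 443), ("10.20.5.11", 22)},
    "hvac-vendor": {("10.30.1.7", 8443)},
}

# Constructed firewall log lines in a syslog-like key=value format; the
# format is assumed for the example and does not match any specific product.
SAMPLE_LOGS = """\
2024-05-02T10:01:03Z fw01 vpnpolicy: user=acme-support src=10.200.0.14 dst=10.20.5.11 dport=443 action=ACCEPT
2024-05-02T10:01:09Z fw01 vpnpolicy: user=acme-support src=10.200.0.14 dst=10.20.5.11 dport=22 action=ACCEPT
2024-05-02T10:02:41Z fw01 vpnpolicy: user=acme-support src=10.200.0.14 dst=10.20.5.12 dport=445 action=DROP
2024-05-02T10:02:42Z fw01 vpnpolicy: user=acme-support src=10.200.0.14 dst=10.20.9.3 dport=3389 action=DROP
2024-05-02T10:02:43Z fw01 vpnpolicy: user=acme-support src=10.200.0.14 dst=10.20.9.3 dport=445 action=DROP
2024-05-02T10:15:00Z fw01 vpnpolicy: user=hvac-vendor src=10.200.0.21 dst=10.30.1.7 dport=8443 action=ACCEPT
2024-05-02T10:15:30Z fw01 vpnpolicy: user=hvac-vendor src=10.200.0.21 dst=10.30.1.8 dport=22 action=ACCEPT
2024-05-02T10:20:12Z fw01 vpnpolicy: user=contractor9 src=10.200.0.33 dst=10.20.5.11 dport=443 action=ACCEPT
"""

LOG_RE = re.compile(
    r"user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+"
    r"dport=(?P<dport>\d+)\s+action=(?P<action>\S+)"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def audit(lines, policy):
    """Compare each logged connection against the allowlist and return findings.

    high: traffic the firewall ACCEPTED although the policy does not allow it
          (a rule gap), or any traffic from an account the policy does not know.
    low:  traffic outside the allowlist that the firewall DROPped; expected,
          but kept because repeated drops against new hosts look like pivoting.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        allowed = policy.get(rec["user"])
        target = (rec["dst"], rec["dport"])
        if allowed is None:
            findings.append({**rec, "severity": "high", "reason": "account not in vendor policy"})
        elif target not in allowed:
            if rec["action"] == "ACCEPT":
                findings.append({**rec, "severity": "high", "reason": "accepted outside allowlist"})
            else:
                findings.append({**rec, "severity": "low", "reason": "dropped outside allowlist"})
    return findings


def pivot_candidates(findings, min_targets=2):
    """Accounts that touched at least min_targets distinct hosts outside their allowlist."""
    hosts_by_user = defaultdict(set)
    for f in findings:
        hosts_by_user[f["user"]].add(f["dst"])
    return sorted(u for u, hosts in hosts_by_user.items() if len(hosts) >= min_targets)


if __name__ == "__main__":
    found = audit(SAMPLE_LOGS.splitlines(), VENDOR_POLICY)
    for f in found:
        print(f"{f['severity']:<4} {f['user']:<13} {f['dst']}:{f['dport']} {f['action']:<6} {f['reason']}")
    print("pivot candidates:", pivot_candidates(found))
```

On the constructed input, acme-support's three dropped connections to two different internal hosts make it the pivot candidate, hvac-vendor's accepted SSH to a host outside its allowlist is the rule gap to fix, and contractor9 is an account with VPN access that nobody wrote a policy for, which is the "access for a third party nobody is tracking" case the text warns about.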

Outsourcing and Offshoring

Outsourcing is the use of a third party to provide Information Technology support services that were previously performed in-house. Offshoring is outsourcing to another country.

Both can lower Total Cost of Ownership by providing IT services at lower cost. They may also enhance the information technology resources and skill set available to a company (especially a small company), which can improve confidentiality, integrity, and availability of data.

Offshoring can raise privacy and regulatory issues. For example, if a US company offshores data to Australia, the Health Insurance Portability and Accountability Act (HIPAA, the primary regulation covering healthcare data in the United States) does not apply in Australia. Neither does SOX (Sarbanes-Oxley, which governs the financial reporting and internal controls of publicly traded companies in the United States), the Gramm-Leach-Bliley Act (GLBA, which protects consumer financial information in the United States), etc.

A thorough and accurate Risk Analysis must be performed before outsourcing or offshoring sensitive data. If the data will reside in another country, you must ensure that laws and regulations governing the data are followed, even beyond the laws of the offshore jurisdiction. This can be done contractually: the Australian company can agree to follow HIPAA via contract, for example.

Learn by Example
Do You Know Where Your Data Is?
University of California at San Francisco (UCSF) Medical Center outsourced transcription work to a Florida company. A transcriptionist working for the Florida company subcontracted some of the work to a man in Texas, who then subcontracted it again to Ms. Beloch, a woman working in Pakistan.

Unbeknownst to UCSF, some of their transcription work had been offshored. UCSF's ePHI (electronic protected health information, federally regulated medical data) was in Pakistan, where HIPAA does not apply.

Ms. Beloch was not paid in a timely fashion, and emailed UCSF, threatening if she was not paid, “I will expose all the voice files and patient records of UCSF … on the Internet” [^17]. She attached UCSF ePHI to the email to prove her access. She was paid, and the data was not released.

You must always know where your data is. Any outsourcing agreement must contain rules on subcontractor access to sensitive data. Any offshoring agreement must contractually account for relevant laws and regulations such as HIPAA.