If you’re like me, you’re probably tired of hearing about Zoom in the news. Whether it’s for the recent exploits in the MacOS installer, the problems with their encryption methods, or the Linux client code security issues, there’s been no doubt that Zoom has become a topic of discussion at many organizations. For all the security personnel out there, this article will serve as a quick guide for evaluating alternatives. It can also be used to influence your decision making process for 3rd party risks in general.
There are four main priorities when evaluating new applications that you are looking to integrate into your organization’s environment:
- Security practices
- Data retention policies
- Adherence to information security and privacy frameworks
- The reputation of the company or product
Let’s dig into each of them.
Priority #1: Security Practices
This is a rather broad category but the key thing to remember is to find out if the application or software is following industry best practices for security. Some things to look for in this category include:
- The use of a proven encryption algorithm for data at transit and at rest.
- Verifiable end to end encryption, if applicable.
- The support of privilege levels for users.
- Support for multi factor authentication.
Priority #2: Data Retention Policies
This category is relatively self explanatory and has some overlap with privacy policies and security practices. You should be able to find what data is collected, how it is stored, where it is stored, and how long they keep it. Many of these items are codified in the frameworks mentioned above. You may have to make a pot of coffee when you get to this one, because these can make for some dry reading.
Priority #3: Privacy Policies
As I stated previously, this category shares some overlap with the previous one. After you’ve established the data retention policies in place, and the security practices that are used, you should evaluate what they do with the data they have collected.
Is it confidential? Do they share data with 3rd parties? If they do, what data do they share, and is it anonymized?
These questions are a good starting point for establishing the confidentiality of your information on their networks. Most companies will acknowledge what privacy frameworks they are compliant with when disclosing their policies.
Priority #4: Reputation
This one is a little less technical than the others, but it’s equally important. If it’s possible you’ll want to read through any historical mentions of the company or product in various media outlets.
Do they have a history of rushing products and ignoring feedback, or are they transparent and listen to their customers?
You may see that they have recently been involved in an information security incident, and that they are now adhering to some of these standards as a way of gaining trust. When many features and pricing are similar, sometimes you’ll be faced with choosing a product based on the reputation of the company, so it’s something to keep in mind.
Aligning priorities with implementation
In an effort to standardize the implementation of the items listed above, several policy and legal frameworks have been published, outlining how IT objectives can align to those important areas of security. Things like the General Data Protection Regulation (GDPR) , California Consumer Privacy Act (CCPA), ISO 27001, Payment Card Industry Data Security Standard compliance.
Becoming familiar with the main points of these frameworks and standards will aid any security professional in their evaluations of third party products, so take a crash course of each one.
Here’s a quick overview of each of them.
General Data Protection Regulation (GDPR)
This law went into effect in May 2018. It is the most wide sweeping of all the frameworks we are going to discuss. While the law was written in the European Union, it applies to any company that operates within the E.U. The law lays out a set of security and privacy guidelines, and imposes fines for violating them. The fines max out at €20 million or 4% of the company’s global revenue, whichever is higher. The subjects of the exposed data also have the right to seek compensation for damages.
California Consumer Privacy Act (CCPA)
California enacted this law in 2019, and similar to GDPR and E.U. citizens, it applies to any company that uses the data of California residents. The law gives consumers five rights regarding their data.
- To know what personal information is collected about them
- To know whether and to whom their personal information is sold/disclosed, and to opt-out of its sale
- To access their personal information that has been collected
- To have a business delete their personal information
- To not be discriminated against for exercising their rights under the act
As you can see, these are pretty aggressive rights that allow California residents to be informed of how their data is used. While these rights are not extended to people outside California, many companies are becoming compliant with this framework nationally.
This is a globally recognized standard that shows companies are following a set of procedures and guidelines for their information security program. Companies can be audited and become certified. Many of the guidelines and policies set forth in this framework are considered to be industry best practices for risk mitigation.
Payment Card Industry Data Security Standard
The Payment Card Industry Data Security Standard consists of a minimum set of necessary requirements that every service provider must meet in order to protect the cardholder data of their customers. Compliance with this standard is mandatory for any organization that stores, processes, or transmits cardholder data for transactions. Failure to comply with the standard can result in higher processing charges from the card companies, to offset the perceived increased risk to the card company for non compliance to the prescribed security controls.
The large scale frameworks mentioned previously codify many of these items into law, with hefty fines for companies that are not compliant. Combining these categories can give you a holistic view of what a company is doing with your data and how they do it, allowing you to evaluate and assess the risks posed by using the product in question.
Making informed decisions will help professionals mitigate risks appropriately for their organization, and with the current trend of Everything-as-a-Service and the reliance on dozens of others for your supply chain, becoming fluent in 3rd party risk can prove extremely beneficial.
Interested in learning more? Check out our in-depth blog on third party risk, Third Party Risk: 4 Ways to Manage Your Security Ecosystem.