FRAMEWORKS AND STANDARDS

CIS Critical Controls 15 Explained

An overview of CIS control 15, its purpose, and how to implement the control.


Published Date: October 28, 2024

Product Line: CIS Controls

Audience: Executives, Security Administrators

Get your copy of the CIS Controls V8.1 here.


What is a Service Provider?

A Service Provider is an organization responsible for an aspect of another company’s assets. Providers can store an organization’s sensitive data, oversee a company’s IT platforms and processes, establish network connections for resources, and much more.

Service Provider Security Challenges

Companies today rely on third-party vendors to provide services that streamline business processes, especially for IT infrastructure, platforms, and data. The benefits of service providers, such as expertise, knowledge, resources, and cost savings, come with the burden of securing the relationship and relying on third-party trust: risk is transferred from the organization to other entities. Since the 2000s, third-party breaches have been a serious issue for organizations that rely on vendors. Sensitive information held by third-party vendors can be compromised, and ransomware attacks can leave an entire organization's systems and data encrypted and inaccessible.

Data Security Regulations

To aid the protection of sensitive data, especially when third-party vendors are involved, certain compliance regulations must be complied with when storing specific kinds of information.

  • HIPAA: for storing health data. 
  • FFIEC: for storing financial information.
  • FERPA: for storing student educational information.
  • PCI DSS: for storing credit card information.

Current Methods of Securing Third-Party Vendors

Because there is no universal way to assess the security posture of vendors, organizations rely on their own checklists or sets of criteria to audit vendors and confirm third-party compliance. However, because each organization has its own checklist, providers end up being audited multiple times a month, which can greatly disrupt a vendor's productivity.

Checklist Program

To ease the auditing process, many companies use centralized platforms that hold standard checklists.

Techniques, Tips, and Tricks for Implementing Service Provider Management

  • Establish and Maintain an Inventory of Service Providers
    • List all service providers used by your organization including their classification and contractual obligations. Update this list when necessary. 
  • Establish and Maintain a Service Provider Management Policy
    • Create a policy to establish monitoring, assessment, and decommissioning of service providers. Update this policy when necessary. 
  • Classify Service Providers
    • Classify your service providers through a variety of attributes which may include data sensitivity, data volume, inherent risk, etc. Update this when necessary. 
  • Include Security in Service Provider Contracts
    • Example contract requirements include, but are not limited to, incident response, breach notification, data encryption, and data deletion commitments, all of which must be consistent with your management policy. Review contracts annually and update them if necessary. 
  • Assess Service Providers
    • Ensure providers are consistent with the management policy and their contractual obligations. 
  • Monitor Service Providers
    • This includes periodic reassessment of providers, monitoring provider release notes, dark web monitoring to confirm the provider remains compliant, and staying aware of any vendor policy changes. 
  • Securely Decommission Service Providers
    • Decommission service providers when contracts are no longer active. This includes securely disposing of data within the vendor platform, termination of data flows, account deactivation, etc.
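The seven safeguards above describe one lifecycle: inventory, classify, contract, assess, monitor, decommission. The following script is an added example that is not part of the CIS article or the CIS Controls themselves; it shows how a small team might encode that lifecycle as a machine-checked inventory. The provider records, the 1-to-3 scoring scale, the tier thresholds, and the reassessment intervals are constructed assumptions for illustration, not values prescribed by CIS.

```python
"""Service provider inventory with classification, contract and review checks.

Added example (not CIS code). Scores, thresholds and intervals are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# The example contract requirements named in the article.
REQUIRED_CLAUSES = {"incident_response", "breach_notification",
                    "data_encryption", "data_deletion"}

# Assumed reassessment cadence per tier, in days (our choice, not a CIS value).
REASSESS_INTERVAL_DAYS = {"high": 180, "medium": 365, "low": 730}


@dataclass
class Provider:
    name: str
    data_sensitivity: int          # 1 (public) .. 3 (regulated), assumed scale
    data_volume: int               # 1 (low) .. 3 (high), assumed scale
    inherent_risk: int             # 1 (low) .. 3 (high), assumed scale
    contract_active: bool
    contract_clauses: set          # security clauses present in the contract
    last_assessed: date
    fourth_parties: list = field(default_factory=list)  # vendors of the vendor


def classify(p: Provider) -> str:
    """Tier a provider by summing its attributes (assumed thresholds)."""
    score = p.data_sensitivity + p.data_volume + p.inherent_risk
    if score >= 8:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


def review(p: Provider, as_of: date):
    """Return (tier, findings) for one provider on a given date."""
    tier = classify(p)
    findings = []
    if p.contract_active:
        missing = REQUIRED_CLAUSES - p.contract_clauses
        if missing:
            findings.append(f"contract missing clauses: {sorted(missing)}")
        age = (as_of - p.last_assessed).days
        if age > REASSESS_INTERVAL_DAYS[tier]:
            findings.append(f"reassessment overdue ({age} days, tier {tier})")
    else:
        # Contract ended: run the decommissioning steps from the article.
        findings.append("decommission: dispose of data, terminate data flows, "
                        "deactivate accounts")
    if p.fourth_parties:
        findings.append(f"fourth-party dependencies to review: {p.fourth_parties}")
    return tier, findings


def audit_inventory(inventory, as_of: date) -> dict:
    """Map provider name -> (tier, findings) for the whole inventory."""
    return {p.name: review(p, as_of) for p in inventory}


# Constructed sample inventory; names and dates are made up for the example.
AS_OF = date(2024, 10, 28)
INVENTORY = [
    Provider("cloud-backup-co", 3, 3, 2, True, set(REQUIRED_CLAUSES),
             AS_OF - timedelta(days=200), fourth_parties=["regional-colo-llc"]),
    Provider("payroll-saas", 3, 2, 2, True,
             {"incident_response", "breach_notification", "data_encryption"},
             AS_OF - timedelta(days=100)),
    Provider("old-analytics", 1, 1, 1, False, set(), AS_OF - timedelta(days=900)),
]

if __name__ == "__main__":
    for name, (tier, findings) in audit_inventory(INVENTORY, AS_OF).items():
        print(f"{name} [{tier}]")
        for f in findings:
            print("  -", f)
```

Run as-is, the script flags the high-tier backup provider for an overdue reassessment and a fourth-party dependency, the payroll provider for a missing data deletion clause, and the inactive analytics vendor for decommissioning. Keeping the inventory as structured records rather than a spreadsheet is what makes the periodic checks repeatable.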

Extra Precautions to Take When Utilizing a Third-party Vendor

  • Constantly review the auditing checklist used and update it in accordance with new regulations. 
  • Ensure vendors are contractually responsible if an incident impacts the organization. 
  • Check for fourth-party providers: other companies providing vendors with services. 
  • Utilize third-party assessment platforms to choose a vendor that fits your risk tolerance.
    • These platforms have an inventory of thousands of service providers. 
    • Review service providers, inventory, and risk of an incident before choosing a vendor.
  • When auditing, focus on the departments of the vendor that directly impact your organization.