Quais políticas de segurança você deve considerar ao terceirizar fornecedores de TI?

Organizations can ensure their data is appropriately classified and protected by adopting NIST SP 800-53. Defining data ownership clearly builds vendor trust, demonstrating a commitment to safeguarding assets. NIST SP 800-53 (Rev. 5) outlines security controls for federal systems, with several in the "System and Communications Protection" family addressing data encryption. These cover encrypting stored/transmitted data, ensuring session authenticity, mobile code integrity, and information protection at rest.

Deciding to go with outsourcing vendors for some services is required sometimes to leverage certain skills and for cost optimization. However, the following security policies need to be considered to avoid pitfalls & failure: 1- Ensure vendor's security policies & standards are in compliance with the enterprise standards & regulations. 2- Continuous assessment & periodic audit reviews on the outsourced environment to ensure compliance. 3- Defined SLAs in the contract agreement focusing on the security requirements compliance, RTO for the critical systems & data, incidents response, etc... 4- Ensure robust DR & Business Continuity in place. 5- Establish exit strategy for smooth transition of services & data.

You should classify the data and apply appropiate security controls with independence of working or not with an IT vendor. The IT vendor should be taken into account as another/s role/s in the roles definition when defining the level access and permissions

In my journey through IT service management and security, I've come to realize that clarity in data ownership isn't merely a bureaucratic requirement—it's the keystone of accountability. Beyond mere classification, consider the life cycle of the data. When does the vendor have the right to delete, modify, or archive it? Furthermore, with the advent of edge computing and IoT, where the data resides, and how it migrates between systems can add layers of complexity. Periodically reviewing and updating data classification, especially in dynamic business environments, is essential to ensure that controls remain relevant.

The team you will be working with long term, a values alignment, the business maturity level etc. can all be things to consider and vet prior to going to RFP. If the businesses are not right for each other, don’t waste your time exploring.

While the article touches on the importance of vendor vetting, it's crucial to emphasize that vetting isn't a one-off process. In an evolving threat landscape, ongoing risk assessments, combined with continuous monitoring, keep the vendor's security posture aligned with your organization's standards. It's not enough to check boxes; developing a genuine understanding of the vendor's security culture—how their employees perceive and prioritize security—can provide profound insights beyond what any security rating or audit might reveal.

If a vendor is not guaranteeing their SLA's with some form of compensation for poor performance, what’s the point of them being there. Double check what they say they will achieve & ask what happens if they fall short. Getting a reference from one of their existing clients can help with this step also - Their customers should be more than happy to provide one if they are satisfied with the Service Level.

Contracts and SLAs are the bedrock of the outsourcing relationship. Yet, they need to be seen as dynamic documents, evolving with emerging threats and changing business requirements. Embedding flexibility in contracts, while maintaining strict security protocols, has proven invaluable. For instance, consider the inclusion of periodic "security reviews" within SLAs, mirroring the changing threat landscape. These can act as scheduled checkpoints to collaboratively address newly emerging vulnerabilities.

Biometrics recognition is probabilistic, not deterministic. Hence, biometrics is a bad authentication factor for a deterministic "yes/no" result. Thus, biometrics is unreliable and lowers security. Biometrics has other flaws, such as biometrics spoofs, credential stuffing, etc. Moreover, once lost/stolen/hacked, biometrics data are lost/gone in the hands of cyber criminals forever because biometrics can NOT be reset like a text password.

You should consider the IT vendor as another Group of users, and according to that, establish the permissions and level of access, that, of course, should be the minimum required.

The principle of least privilege, as mentioned, is paramount. However, it's equally crucial to have a robust offboarding process when a vendor's engagement is terminated or if their personnel changes. Swiftly revoking access and credentials ensures security continuity. Moreover, utilizing technologies like AI-driven behavior analytics can detect anomalies in access patterns, adding an additional layer of protection and proactive response against potential breaches.

Additional to the security measures mentioned here, I would highly recommend, checking for compliance Certificates, such as SOC, ISO27001 and depending on industry, PCI DSS or HIPAA. Updated certificates, from a client perspective, is a huge confidence builder.

The intricacies of data transfer and storage have grown manifold with hybrid cloud models and cross-border data flows. From my experience, it's essential to maintain a clear data map. Knowing the journey of your data—where it originates, where it's processed, and where it's stored—enables proactive risk management. Regularly reviewing this data map, especially after major infrastructure changes, ensures that all data touchpoints are secured.

Security isn't just about technology; it's equally about the human element. While the article mentions training, fostering a culture of security mindfulness is what truly sets an organization apart. Regular 'red teaming' and simulated security drills can offer real-world experiences to both your and the vendor's teams, honing their skills beyond traditional training. Such proactive engagements keep security front and center in daily operations.

Biometrics recognition technology is inherently probabilistic and, hence, unreliable. The recognition process of biometrics relies on the probabilistic judgment of human beings' variable physical and behavioral features. Human physiological features continually change with growing age. In accidents, humans may also lose some physical body parts or behavioral characteristics due to diseases. Some biometrics recognition varies with illumination and skin color (such as a face). The probabilistic recognition processes of biometrics may yield unreliable results. Biometrics is not fit to be used as the default authentication factor or password. The promoters of biometrics are hiding the security-lowering features of biometrics technology.

In my years of securing IT engagements, one overlooked aspect is the 'sunset clause'. It defines how data and access are handled once the vendor relationship ends. Detailed procedures on data return, destruction, and verification are vital. Moreover, always consider the ripple effect—a security lapse in one vendor can impact others in interconnected ecosystems. Periodic cross-vendor security syntheses can mitigate these cascading vulnerabilities. And always remember, trust, but verify.