On-Going Monitoring
The business environment is dynamic and ever-changing,
and so is technology. Regular reviews of the security
operation and corresponding access controls should
be conducted. Before an outsourcing contract begins,
it is possible that a service provider might have
overlooked some details of the outsourcing
operation. A regular review provides a channel
for both parties to evaluate the service and make
adjustments as necessary.
- Security best practices, including the timely
  update of virus signatures, detection and
  repair engines, proper implementation of security
  patches for operating systems and applications,
  and enforcement of password policies, should
  be maintained at all times.
- On certain occasions, access to privileged
  accounts, such as the Administrator account
  in Windows servers or root in UNIX systems,
  might have to be granted to third party service
  providers. The use and activities carried
  out with these privileged accounts should
  be monitored, logged and reviewed periodically
  and compared against the change requests raised.
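As an added example (not part of the original document), the comparison described above in script form: privileged-account logins taken from a constructed key=value log are reconciled against a constructed list of approved change requests, and any login that no request covers is returned for review. The log format, host names, ticket id and time windows are all assumptions.

```python
from datetime import datetime, timezone
import re

# Accounts the review treats as privileged (from the text: Administrator, root).
PRIVILEGED = {"root", "Administrator"}

# Constructed sample log in a simple key=value layout (not any product's real format).
SAMPLE_LOG = """\
2024-03-04T02:15:00Z host=db01 user=root src=10.0.0.5 event=login
2024-03-04T02:40:00Z host=db01 user=root src=10.0.0.5 event=logout
2024-03-04T11:05:00Z host=app02 user=Administrator src=10.0.0.7 event=login
2024-03-04T14:30:00Z host=web01 user=deploy src=10.0.0.9 event=login
"""

# Constructed change requests: (ticket, host, account, window start, window end).
CHANGE_REQUESTS = [
    ("CR-1042", "db01", "root",
     "2024-03-04T02:00:00Z", "2024-03-04T03:00:00Z"),
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) event=(?P<event>\S+)$")

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def privileged_logins(log_text):
    """Yield (ts, host, user, src) for every login event on a privileged account."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line; a real review would count and report these too
        if m["event"] == "login" and m["user"] in PRIVILEGED:
            yield parse_ts(m["ts"]), m["host"], m["user"], m["src"]

def covering_ticket(ts, host, user, change_requests):
    """Return the ticket whose host, account and time window cover this login, else None."""
    for ticket, cr_host, cr_user, start, end in change_requests:
        if cr_host == host and cr_user == user and parse_ts(start) <= ts <= parse_ts(end):
            return ticket
    return None

def unmatched_privileged_logins(log_text, change_requests):
    """Privileged logins with no approved change request: the items to take to review."""
    findings = []
    for ts, host, user, src in privileged_logins(log_text):
        if covering_ticket(ts, host, user, change_requests) is None:
            findings.append({"ts": ts.isoformat(), "host": host, "user": user, "src": src})
    return findings
```

With the sample data, the root login on db01 is covered by CR-1042, while the Administrator login on app02 has no request and is returned.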
- When a support employee working for the service
  provider resigns or leaves a project, all
  user IDs and privileges assigned to that person
  must be revoked or changed as early as possible.
- To ensure an effective and comprehensive
  review, an inventory detailing
  - a list of servers and systems within
    the scope of the project, and which servers
    / systems are storing sensitive or personal
    information,
  - a list of support staff from third party
    service providers as well as the user
    IDs and access privileges granted to individual
    support staff, and
  - a list of data, especially sensitive
    or personal data, transferred to the third
    party service providers
  should be maintained accurately and kept
  up-to-date. An inaccurate or incomplete inventory
  might be the first sign of problems in the
  governance of an outsourcing project.
- Regular audits should be conducted to assure
  that the agreed security controls are actually
  in place.