Auditing the Auditors: Policies to Limit Third-Party Interaction With Your Data

After your company has finished the laborious task of implementing a back up and disaster recovery plan and finding a Back up and disaster recovery vendor and product for your business, you might roll your eyes at the thought of having to then audit your security product provider to reduce the potential for a third party compromise to your data. Oh the Irony! Fact is: This type of thing happens more than we would like to admit. Sure, natural disasters and power outages have caused their share of nervous breakdowns, but more often than not, human error is at the root of a data breach.

Case in point, The Army National Guard suffered a major data breach due to an employee error in 2015. A contract employee improperly handled a data transfer from one center over to a non-accredited center. CRN.com reported that the event exposed home addresses and even social security numbers of over 850,000 current and former members of the National Guard.

The breach offers us a reminder that any time humans are responsible for anything, errors are almost inevitable. This is why it’s important to take the extra steps.

On top of your in-house auditing- you must audit off site as well. Think of it as an electric fence for sheep, or cows- shocking anything that doesn’t have the key to the fence and zapping anything that tries to get out too. OK, enough about sheep! This is serious! The key to successful disaster recovery is to have a plan well before disaster ever strikes. Included with that plan, you must audit the plan by implementing policies that it addresses all parties who have access to your data: security product providers, maintenance people, people who are there to help, but are wearing a suspicious fake mustache and peculiar glasses with no lenses who keep asking about a key-especially those guys- must be monitored, but fear not! There are several steps your business can take to prevent your sheep from leaving the pasture, and the guy with the crooked mustache from sneaking away with them.

1. First and foremost- make sure your data recovery service provider is ‘legit’. Make sure the provider carries enough insurance to cover even the most disastrous loss. Ensure that the vendor is liable for the appropriate risk related items.

“Limitation of liability provisions commonly limit damages to the total fees paid under the service agreement. However, if the incident affects all of your data, those fees may not cover everything,” explains M. Scott Koller, Counsel, with BakerHostetler Law Group, who recently spoke on the topic in an interview with Network World.

Make sure you understand the limits of your service vendor’s coverage, and asking for continuous updates on the companies wellness “wholeness” should be regularly addressed.

2. Use a single username across the entire third-party provider so that you can disable it and access across that firm when they are not using it. You may never expect the irony, that the very people you pay to protect your data, may be compromising it!

3. Another use for whitelists is by local area network  security. Many network admins set up MAC address whitelists, or a MAC address filter, to control who is allowed on their networks. Limit remote access to a set of approved, whitelisted IP addresses within your organization and disable the list when not in use.

4. According to Network World, another very effective option apart from whitelisting access to your site or network, you could permit and provide remote access for external service providers only on demand. This will allow YOUR IT to automatically disable these tools using time-based and other rule sets.

For more best practices in back up and disaster recovery, browse and extensive collection of how-to’s and latest news at Solutions Review.com.