The black hole in government information security: your vendors!
Expense management providers get your metadata. Is it being managed securely?
Remember the old days when spies used to bug PCs? Famous cases abound, where embedded code woke up at nighttime, secretly dialled out on the modem and transmitted secrets off to foreign governments.
In the old world of the 20th century, securing information was a matter of making sure it never left the building.
How the world has changed.
Today, information has become the new frequent flyer of the technology world, living in different clouds and moving back and forth between client and vendor, vendor and vendor and all other combinations.
Suddenly, the information security challenge starts to look like a travel security challenge.
Is the trip really necessary? Is your information travelling to safe destinations? Is it staying in approved premises? How do you audit the security of premises and infrastructure in high-risk destinations?
All OECD national governments, and most OECD sub-national governments, have specific policies regarding the use of cloud services by government agencies. All focus on vendor risk profiles, regular monitoring of processes, and the internal information security policies of the vendor.
One key element in almost all these approaches is ISO 27001, the international standard for information security.
Over 22,000 different organisations hold ISO 27001 compliance certificates worldwide, many being providers of cloud services.
If you regularly entrust digital information to technology providers and related services companies, then ISO 27001 can help. ISO 27001 won’t eliminate all risk of information breach, but it is a basic part of the management of risk, addressing integrity, confidentiality and availability of information. Ensuring a vendor has ISO 27001 certification should be a starting point for any environment into which you are entrusting critical information.
So what types of sensitive information are relevant here? One very topical type is communications metadata. If you have a vendor providing Expense Management (EM) services that include telecoms, as many public agencies in OECD countries do, then your communications metadata is going to your EM vendor. But it is probably not coming from you: more commonly, your authorization allows your telecoms carrier to provide your metadata directly to the EM vendor. It is not uncommon for public agencies never to see their own metadata at all, creating a situation where the vendor may actually hold more of the sensitive information than the client organization itself.
For Expense Management in public agencies, then, information security is more important than ever. Making sure you choose an EM provider that is ISO 27001 certified is an obvious starting point, and in many jurisdictions it is mandated by government policy.
Smartbill® is one such provider. Smartbill® manages over half a million communications services for governments and enterprises, all under ISO 27001 and trusted by high-security agencies.
You may not want to stop your information from travelling, but you do want to make sure it’s going to a safe place. ISO 27001 is part of this, requiring a system and processes for the safe handling and security of information within an organization.
How are you safeguarding your agency’s communications metadata?