Wednesday, March 4, 2009

Outsider/Contractor Best Security Practices

originally written by Chris Nickerson*

Edited by me.

1. Corporate Email access to contractors:

I am not sure why, in ANY situation, a contractor working on site would need a corporate address. Their own mail should work fine for everything they need. If you are 1099'ing a contractor to "white label" as your company, you would definitely want them to look and feel like a W-2 employee; in that case email matters and you would grant access to it (albeit limited).


2. Internet access:

Should internet access be on the corporate network or provided via a dedicated network? Well... assuming you rate accountability highly, it would be easier to grant separate or proxied access to the net. Even a single point of failure or choke point (which would not be an issue, given that availability is not the priority here) would give you the most practical way to make users accountable for their traffic, and would increase the overall confidentiality of the data if the right DLP / content filtering controls were in place for egress and ingress.


3. Network access to the corporate network or a separate DMZ for contractors:

This really depends on what the contractor is doing. I am a big fan of the "you get nothing until you can justify WHY you need it" policy. If they are supposed to be scanning or testing from the perspective of an internal user, then they should probably have access. If they are doing your taxes, on the other hand, tell them to use their 3G card to get on the net.


4. Directory accounts (AD accounts for contractors):

Again, it should be based on need. Most do not need an account. Sneakernet, email, USB (all using encryption) should be just fine for getting the contractor what they need to get the job done. However, if they are supposed to audit many configurations, fix a server, or do other administrative tasks, you will "probably need to give them access." My advice in this instance is to LOG EVERYTHING THEY DO!!!! And I mean EVERYTHING. Got it? Say it with me now... EVVVV - REEEE - THIIIING. Okay... I'll move on.


5. Methods of Ensuring accountability at the end of project cycle by the contractors:

Monitor removable drive access, email, and web traffic to ensure they abide by the NDA they signed. I make my consultants save ALL work onto an encrypted USB drive. At the end of a project's delivery stage, the client can choose to either destroy the data immediately or allow us to follow our 90-day client data destruction guidelines. In reality, all these questions come down to the level of sophistication, process, and methodology used by your contractors. They should ALL have data destruction, data privacy, data handling, reporting, third-party user access control, project requirement, and NDA agreements/methodologies that are followed and are auditable by you (the customer). If they don't have these documents, and follow them on a regular basis, it is not a repeatable process and they will gladly "wing it" to get your business. I have Master Service Agreements (MSAs) and data privacy agreements signed with all clients concerned with the areas listed above.
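Items 4 and 5 come down to two checks once the project is over: did the contractor's account do anything outside the scope you granted, and did it do anything at all after the contract ended? The script below is an added example (not part of the original post, and not Lares' tooling) that runs those checks over an exported audit trail. The log is a constructed sample in a simple JSON-lines form, and the field names (ts, user, event, detail), the contractor account name ctr-jdoe, the host names and the contract window are all assumptions; a real deployment would feed it normalised Security-log or SIEM events instead.

```python
"""
Review a contractor account's audit trail against its contract.

Added example, not from the original post. Assumes events have already been
exported as JSON lines with the fields ts / user / event / detail (assumed
names). The sample log, account name and contract terms below are constructed.
"""
import json
from datetime import datetime, timezone

# Constructed sample export: one event per line. Includes one employee event
# (alice) that the review must ignore, and two events after the contract ended.
SAMPLE_LOG = """\
{"ts": "2009-03-02T09:01:00Z", "user": "ctr-jdoe", "event": "logon", "detail": "srv-fin-01"}
{"ts": "2009-03-02T09:05:12Z", "user": "ctr-jdoe", "event": "process", "detail": "cmd.exe /c net user"}
{"ts": "2009-03-02T09:20:44Z", "user": "ctr-jdoe", "event": "file_copy", "detail": "payroll.xlsx"}
{"ts": "2009-03-02T17:30:00Z", "user": "ctr-jdoe", "event": "logoff", "detail": "srv-fin-01"}
{"ts": "2009-03-03T10:00:00Z", "user": "alice", "event": "logon", "detail": "ws-042"}
{"ts": "2009-03-06T02:14:09Z", "user": "ctr-jdoe", "event": "logon", "detail": "srv-hr-02"}
{"ts": "2009-03-06T02:15:30Z", "user": "ctr-jdoe", "event": "file_copy", "detail": "payroll.xlsx"}
"""


def parse_ts(s):
    """Parse a UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text):
    """Turn the JSON-lines export into a list of dicts with parsed timestamps."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = parse_ts(rec["ts"])
        events.append(rec)
    return events


# Constructed contract: the account, the dates it was justified for, the hosts
# it was allowed to touch, and the kinds of action that were in scope
# (config audit and server fixing, per item 4; no bulk data copying).
CONTRACT = {
    "user": "ctr-jdoe",
    "start": parse_ts("2009-03-02T00:00:00Z"),
    "end": parse_ts("2009-03-05T23:59:59Z"),
    "allowed_hosts": {"srv-fin-01"},
    "allowed_events": {"logon", "logoff", "process"},
}


def review(events, contract):
    """Return (reason, event) findings for the contractor account only.

    An event can produce more than one finding, e.g. an out-of-scope action
    that also happened after the contract ended.
    """
    findings = []
    for ev in events:
        if ev["user"] != contract["user"]:
            continue  # employees are reviewed elsewhere; only the contractor here
        if not (contract["start"] <= ev["ts"] <= contract["end"]):
            findings.append(("outside_contract_window", ev))
        if ev["event"] not in contract["allowed_events"]:
            findings.append(("out_of_scope_action", ev))
        if ev["event"] in ("logon", "logoff") and ev["detail"] not in contract["allowed_hosts"]:
            findings.append(("unexpected_host", ev))
    return findings


def summarize(findings):
    """Count findings per reason, which is what goes into the close-out report."""
    counts = {}
    for reason, _ in findings:
        counts[reason] = counts.get(reason, 0) + 1
    return counts


if __name__ == "__main__":
    found = review(parse_log(SAMPLE_LOG), CONTRACT)
    for reason, ev in found:
        print(f"{ev['ts'].isoformat()} {ev['user']} {ev['event']:9} {ev['detail']:22} -> {reason}")
    print(summarize(found))
```

On the sample, the review flags the payroll copy during the engagement as out of scope, and both events on 6 March as activity after the contract ended (the logon also hits an unexpected host). The second class of finding is the one item 5 is really about: if the account can still log on after close-out, the "you get nothing until you can justify it" policy was not carried through to the end of the project.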



*Information provided with express permission to publish on blogger.com by:

Chris Nickerson [CISSP,CISA,IAM,17799,CCNA,MCSE]
Founder and CEO
Lares Consulting
(C): (720) 217-3087
cnickerson@laresconsulting.com
