Crims at vendors could crock kit says ENISA

Before you sign on the dotted line to acquire some kit or sign up a service provider, ask the vendor you're considering if any of their staff have criminal records.

That's just one of many, many, suggestions made by the European Union Agency for Network and Information Security (ENISA), in a new guide to Secure ICT Procurement in Electronic Communications and Security Guide for IT Procurement.

The latter document lists seven items to consider when procuring IT, the second of which is human resources security. The first item in that section of the guide is background checks, which the document suggests could come in handy to address “Unintentional or intentional alterations of products or systems performed by the vendor’s employees including faulty changes or upgrades, configuration errors, bad maintenance, insider attacks, etc.”

“When legally permitted and justified by a level of criticality of service provided, the vendor should do its due diligence to flag any criminal records in its employees’ background,” the document suggests. Doing so will “avoid any sinister and intentional alterations of products or systems.”

Plenty of folks with hacking convictions go straight later in life, often changing hats from black to white along the way. Those who've made such a transition probably won't appreciate ENISA's advice.

The guides are intended, in part, to help buyers when negotiating with vendor. ENISA's research suggests that many IT buyers feel vendors won't offer them security options they desire and that lack of market alternatives mean plenty of buyers settle for what they can get. By offering a comprehensive set of guidelines, the agency hopes buyers can wave them beneath vendors' noses and point to independently-concocted best practices.

The documents also offer advice on how to deal with suppliers whose spare parts supplies mysteriously dry up, suggestions on how to assess vendors' physical security and guidance on audit and monitoring practices. Some of the advice is anodyne: there's plenty of mentions about the need for service level agreements, termination points in contracts and handover of data acquired during outsourcing engagements that won't surprise anyone other than tyro lawyers.

At about 70 pages combined, the guides aren't terrifyingly long, or marvellously detailed. But they do look a more-than-useful starting point for those who don't currently build security considerations into their procurement processes.

With Sony providing us all with a reminder of how unpleasant things can become after a breach, the documents look worth at least a glance. ®