Security Policy Considerations with Third-Parties – CompTIA Security+ SY0-401: 2.2


The process of planning and implementing security policies can provide some significant security advantages in the future. In this video, you’ll learn about third-party security policies and what can happen when third-party security policies are not properly followed.



One way to protect data between third-parties is to have well-defined security policies. If you simply leave it up to an individual to do what they think is right, you may be missing some very important aspects of how to keep your data private and secure. That’s because you need to protect this information between the third parties, your partners, your vendors, and even your customers. This information needs to be protected so that people aren’t able to modify the information. You want to be sure the data does not get out and become disclosed to others. You want to be sure that the data is not erased or destroyed. And all of these are going to surround the plans you have in place from the very beginning regarding your security policies.

Although the implementation of the security policies is often done with technology, you have to go all the way back to the beginning, where there can be some contractual obligations between both parties. That way everyone knows what’s expected, and what they should be doing to protect the data.

We can also think of these security policies as a living document. It’s something that constantly needs to be updated because the data is constantly changing, and our business requirements are constantly changing. Very often, the security policies that you implement at the beginning of a project keep changing throughout the life of that entire project.

Although we don’t know a lot of the specifics associated with the security policies that were in place during Target’s data breach in November of 2013, we can still look back at what we do know and see how important it was to have security policies. What we do know about this credit card breach is that malware was installed onto point-of-sale terminals that were located within the Target stores. And when people scanned their credit cards, that credit card information was then provided back to the bad guys.

Let’s see if we can backtrack over how this malware was distributed to help understand how security policies might have helped us. This Target breach was believed to have originated with a vendor of Target. This vendor was infected with a PDF attachment that was sent through email. A security policy to have anti-virus and anti-malware software running on their workstations was either not in place or was not followed at this particular vendor. And ultimately, the Target vendor’s workstations were first infected.

The Target Corporation had a vendor network that they installed so that vendors could remotely connect into Target and provide billing information back to the Target Corporation. The bad guys took advantage of this connection and jumped from the vendor network and found the connection into the Target Corporate network. Obviously, if there were security policies in place that prevented that type of connection between the vendor network and the corporate network, there may have been an opportunity to prevent this particular breach from occurring.

There was also no segmentation between the corporate network and the networks that were at the stores. So once the bad guys gained access to the corporate network, they were then very easily able to hop to the point-of-sale terminals that were at the stores themselves. With this type of access to the point-of-sale terminals, the bad guys were able to deploy their software and then wait to collect over 40 million credit card numbers from the Target network.
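A segmentation policy of the kind described above can be checked mechanically. The following is an added example, not part of the original video or any configuration from the breach: it audits a set of zone-to-zone allow rules for forbidden reachability, including paths that pass through intermediate zones. All zone names and rules are constructed assumptions.

```python
from collections import deque

# Constructed zone-to-zone allow rules: (source, destination, purpose).
# Zone names and rules are illustrative assumptions, not a real network.
FLAT_RULES = [
    ("vendor", "vendor_portal", "billing submissions"),
    ("vendor_portal", "corporate", "shared services"),
    ("corporate", "store_pos", "no segmentation"),
]
SEGMENTED_RULES = [
    ("vendor", "vendor_portal", "billing submissions"),
    ("corporate", "vendor_portal", "corporate pulls billing data"),
    ("corporate", "store_mgmt", "patching via jump host"),
]

# Policy: pairs that must never be connected, even through other zones.
FORBIDDEN = [("vendor", "corporate"), ("vendor", "store_pos"),
             ("corporate", "store_pos")]

def find_path(rules, src, dst):
    """Breadth-first search; return the shortest zone chain or None."""
    graph = {}
    for a, b, _purpose in rules:
        graph.setdefault(a, []).append(b)
    queue, seen = deque([[src]]), {src}
    while queue:
        path = queue.popleft()
        if path[-1] == dst:
            return path
        for nxt in graph.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def audit(rules, forbidden=FORBIDDEN):
    """Return {(src, dst): path} for each forbidden pair that is reachable."""
    violations = {}
    for src, dst in forbidden:
        path = find_path(rules, src, dst)
        if path:
            violations[(src, dst)] = path
    return violations

if __name__ == "__main__":
    for name, rules in (("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES)):
        print(name, audit(rules) or "policy holds")
```

In the flat rule set no single rule connects the vendor zone to the point-of-sale zone, yet the audit still reports a path, which is why the check has to follow chains of rules rather than inspect each rule alone.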

It’s this initial creation of security policies and the appropriate implementation of security policies that can help protect data as it’s shared between third-parties. If you’d like to read more about this Target data breach, you might want to reference the krebsonsecurity.com website and learn not only what was found about the breach itself, but also how the course of that breach was reconstructed.