IT (and maybe legal/policy experts) Question: Is security more important than privacy

Oct 28, 2010 | 09:42 AM  #1  JLatimer (Thread Starter)

I started a new thread as I don't think it would have fit well in the Internet Security thread. (If it should be merged, just do it.)

I manage a colocation facility as part of my many duties. I get a ton of requests from clients asking for a list of all of our staff that have access to the data center. Basically they are asking for individual names of people with a key to the center. I feel that it violates privacy concerns and am not comfortable sharing the identities of my staff with no understanding as to how this list is to be used, i.e., are they going to do background checks, etc. I have nothing to hide, and am confident in the integrity of my staff. Ultimately if something criminal were to occur the business entity would be on the hook, and any investigation would include warrants for the necessary info at that time. So why do they want a list?

A lot of these requests are followed with a request about SAS70 audit certification. I have done a bunch of investigation and see no tangible value in it as our customers will obviously not fund the $75k/yr to maintain the audit.

Is anyone out there involved with data center security, policies, controls, etc?

Oct 28, 2010 | 10:44 AM  #2  doopstr

Don't give them a list of employees. You should have some security policy that details what groups in your org have access.

Oct 28, 2010 | 10:54 AM  #3  CanopyFlyer

^^Agreed.

Giving out a list of employee names that have access would actually BE a violation of security procedures at my former employer, and is subject to immediate termination.

You should have a well defined security procedure that you can hand them. If they are still not happy, then get the specifics and see if you can make changes that will fit their needs. Handing over employee information to an outside entity, unless it is law enforcement with a warrant in hand, is never something that should be done.

Oct 28, 2010 | 11:45 AM  #4  johnnysquire

I do deals both selling and buying IT services. As a customer, I'm not happy with boilerplate obligations about security of the center unless you're IBM, as you don't have the assets to stand behind a big snafu. Your choice is to get an independent 3rd party review (SAS70 is a passable but poor choice - ISO900x is better), or let me review. Frankly, I don't know how you can be comfortable making your boilerplate promises if you don't have some verification that your processes are good and that they're followed.

Oct 28, 2010 | 12:09 PM  #5  Billiam

Regardless of the direct relevance to the data center operations, there clearly seems to be the potential for basic employment law concerns. I would first and foremost run the names issue through your company's general counsel.

Oct 28, 2010 | 12:27 PM  #6  stogie1020

JLat,

Does your company do any due diligence on your employees? I am not talking about a $4.99 Internet background, but an actual Due Diligence background? Sometimes being able to provide your clients with the assurance that each team member has passed a rigorous, in-depth background is enough to assure them in this regard. If you or your legal representative are interested, PM me. We do this type of background for many regulated industries both domestically and internationally.

Also, what kind of vulnerability assessments are you having performed on your physical/network security? This should almost always be outsourced, and to a rotation of firms so as not to allow institutional knowledge to impede the accuracy/veracity of the analysis. It's no full ISO 900x audit, but having the blessing/advice of a CISSP can also go a long way as a minimum standard.

Oct 28, 2010 | 01:37 PM  #7  JLatimer (Thread Starter)

Originally Posted by johnnysquire
Your choice is to get an independent 3rd party review (SAS70 is a passable but poor choice - ISO900x is better)
We are ISO900x. As soon as the application is financial they say ISO is no good and want SAS or the future SSAE.
Originally Posted by johnnysquire
or let me review.
We let them do this, but then we end up with the unreasonable requests like the one that started this thread, and the risks with sharing too much info.
Originally Posted by johnnysquire
Frankly, I don't know how you can be comfortable making your boilerplate promises if you don't have some verification that your processes are good and that they're followed.
We do verify our processes. We just don't pay an expensive auditor to watch us while we do it.

Standards like SAS and ISO only verify that you do what you say, they do not assure quality. For example, if you make cement lifejackets and are ISO certified the certification only means you will make the exact same cement lifejacket every time. It says nothing as to the suitability of your lifejacket to actually save lives.

I guess I am a little jaded from having been through ISO. Those types of audits involve a whole lot of fees to auditors/analysts/consultants and none of them ever tell you what you should be doing - they don't improve your process, they don't even test them - they just audit them. And you still hold the risk - they come with no warranty. It truly only becomes an expensive piece of paper with value only to other auditors.

Oct 28, 2010 | 01:38 PM  #8  JLatimer (Thread Starter)

Originally Posted by Billiam
Regardless of the direct relevance to the data center operations, there clearly seems to be the potential for basic employment law concerns. I would first and foremost run the names issue through your company's general counsel.
Done... General counsel agrees that no one gets a list until they define exactly what is to be done with the list, and what they do to ensure the privacy of the list.

Edit: In any case, we need to inform those on the list in writing if we intend to share their identities.

Oct 28, 2010 | 01:51 PM  #9  stogie1020

Originally Posted by JLatimer
I guess I am a little jaded from having been through ISO. Those types of audits involve a whole lot of fees to auditors/analysts/consultants and none of them ever tell you what you should be doing - they don't improve your process, they don't even test them - they just audit them. And you still hold the risk - they come with no warranty. It truly only becomes an expensive piece of paper with value only to other auditors.
I completely agree, but it is a factor of risk tolerance.

If you consistently have the external audit done and you meet specs every time, when you have a breach and are then sued by a client you can hold up your audit trail and say there was nothing more you could do.

If on the other hand, you simply maintain an outward marketing posture of "We have never had a breach due to our great security" instead of audits, you are washed up when you do actually have a breach for the first time.

It's certainly something your legal department and risk management and compliance people and techs should sit around a table and address.

Oct 28, 2010 | 01:51 PM  #10  stogie1020

The only thing worse than not having a plan is having one and not following it.

Oct 28, 2010 | 01:56 PM  #11  JLatimer (Thread Starter)

Originally Posted by stogie1020
Does your company do any due diligence on your employees?
Yes. Most of our staff is reliability certified at a federal government level (including myself). Not all though, e.g., our facilities guy who maintains and operates the power/HVAC system is not reliability certified.

This does bring up a question. What if you have a staff member with a red flag (e.g., a DUI or possession charge) but he is a trustworthy individual? Do I need to kick him/her out?

Originally Posted by stogie1020
Also, what kind of vulnerability assessments are you having performed on your physical/network security?
Many assessments are done at a network level. 3 different vendors complete pen-tests on our systems. Additionally we do our own internal tests and reports using commercially available tools. This happens every month. (This is done for PCI compliance).

Oct 28, 2010 | 03:37 PM  #12  stogie1020

As far as the red flag scenario is concerned, many organizations develop acceptable deviation standards. Is a DUI relevant? Probably not, unless the person works as a driver. Generally speaking, only trust-related offenses (and drug offenses) are relevant for facilities like yours, so theft, embezzlement, confidence schemes, bankruptcy (subject to circumstances, but it places one in a higher risk category) and violent offenses. A trespassing charge from college when he broke into a hot tub with a girl is generally irrelevant, as are things like most traffic offenses.

It sounds like you have a fairly comprehensive assessment program. I might suggest formal documentation of ALL of the processes you employ to self-assess, produced by your legal department for distribution to your clients in lieu of them needing employee personal information. You background to a high level, you pen test, you use a network monitor device (we like Qualys). You are doing all the right things. Maybe it's just a matter of demonstrating this to your clients in written form.

Oct 28, 2010 | 04:08 PM  #13  JLatimer (Thread Starter)

Good info all... Thanks.