
Organizational Requirements

About the Anatomy of a Cybersecurity Program Series

In this blog series, I will be walking you through many of the specific controls that fall into the domains mentioned above. My goal is to give you some insight into the issues and potential remedies we encounter daily while performing these assessments. Please use the suggestions to improve the posture of your own organization. No solution, remediation or mitigating countermeasure is one-size-fits-all; however, I will do my best to provide information from a generic enough standpoint that you should be able to at least find value in the knowledge even if it is not relevant to your environment.

Updated: 23 January, 2019

Organizational Requirements

A number of recent news stories have shone some light on this often-overlooked section of ‘Cyber Security Strategies/Plans’. All Enterprise Security Risk Assessments look for it, and most regulatory bodies address it with a few sentences or short paragraphs. Even HIPAA does it with one sentence: “The Organizational Requirements section of the HIPAA Final Security Rule addresses the contracts/agreements an organization must have in place with partners with whom PHI/ePHI is shared with.” The NIST Cybersecurity Framework (NIST-CSF) addresses these organizational requirements throughout all phases, from “Identify” (who do I need and the nature of these agreements) to “Recover” (reporting requirements, who communicates, when and what to third-party stakeholders).

Sets Minimum Level of Security Countermeasures

The bottom line is that you need to have Vendor Contracts and/or MOUs (Memoranda of Understanding) in place and executed. These written agreements spell out what your vendors and business partners are required to do in order to protect the data you entrust to them. They set the minimum level of security countermeasures that vendors and partners are required to use to protect your network and data from unauthorized access.

Legally Binding Cybersecurity Document

In our HIPAA example above, that one sentence requires the generation of a Business Associate Agreement (BAA) that covers 10 sub-parts of the HIPAA Security Rule, addressing all local and state reporting requirements as well as anything else the legal department feels is necessary. This is a legally binding document between both parties; it should be available to an auditor upon request and reviewed regularly (annually to every 18 months).

  • How important is this?
  • Is it just a box to check off?
  • Why does it need to be available to everyone “upon request”?
  • Who do I need one with?

My First Remote Shell Thru a Vendor – 25K Records, Worth over $500K

During my very first Penetration Test, I got my very first Remote Shell (Victory!!) into the VLAN segment that just happened to be where all the business-critical servers were segmented; this system was vendor owned and managed. The organization did not have administrative access, could not patch the system, and contractually the vendor was not required to let them have access to the OS, only a web API. Making matters worse, this system contained over 25,000 records containing PII; the database was not backed up and had an accounts receivable value of nearly $500K. That was several years ago, but it was also the same point of entry as one of my more recent engagements.

Not Just a Legal Document

The purpose of requiring that these agreements are ‘available upon request’ is not to make it easier for the auditor making the request. The intent is to make sure the document, with the contractual obligations, is available to everyone responsible for implementing and enforcing the contract. This is not just a legal document to be stored in ‘Contracting’ or ‘Logistics’, only seeing the light of day during a renewal/review period. It tells those implementing and enforcing the Vendor Contracts/BAAs/MOAs what should be done, by whom and to what standard. In addition to any mandated regulatory language, make sure the Vendor Contracts/BAAs/MOAs contain provisions for the following:

  • Incident definition
  • Incident reporting
  • Patching interval/exceptions
  • Security scan interval
  • Minimum encryption levels (both in transit and at rest)
  • Risk acceptance notifications
  • Password length, complexity and change frequency
  • Minimum baseline profile

Consider Types and Levels of Cybersecurity Insurance Required

Another area you might want to consider, in light of the frequency and prevalence of hacking incidents, is Cybersecurity Insurance. Specifically, determine your requirements for minimum amounts of first- and third-party coverage areas and limits. Get with a reputable commercial agent to determine what policy types and limits best fit your organization.

Who Do I Need to Include?

With whom should you execute these contracts? The answer is anyone that may have physical or electronic access to your sensitive data. The following is a quick list of outsourced vendors often overlooked, forgotten or dismissed as not important:

  • Co-locations and ISPs
  • Cloud Storage and hosted services
  • SaaS providers
  • Document Disposal/Shredding Companies
  • Outsourced Printers/Vendors
  • Product/Parts Delivery Services
  • Janitorial Services
  • Security Guards
  • Facility Contractors (HVAC, Alarm/Fire, etc.)

Discuss Organizational Requirements NOW!

Go through your compliance matrix today! The time to discuss or review Organizational Requirements is NOW! Not after a compromise/breach or once the vendor relationship becomes so ingrained in your business processes that it can’t easily be replaced. Work with your legal department. Make sure the language in any of your Vendor Contracts/BAAs/MOAs is clear, detailed and enforceable within your and your vendor’s jurisdictions.


Happy Hunting!!