
Indian Audit Comes With a Silver Lining

Mathias Thurman. Computerworld. Framingham: Oct 22, 2007. Vol. 41, Iss. 43; pg. 34, 1 pgs

Abstract (Summary)
As the author's company increases its partnerships with offshore providers, the need for security audits rises. More recently, the IT department has outsourced portions of its help desk, systems administration and application development functions. One of the author's main concerns is that partners comply with certain requirements before they can connect to the company's network. The author recently hired a consultant in the US to perform a three-day assessment. One of the author's requirements is that partners keep their systems current with antivirus updates and patches. The author has found a cost-effective way to conduct partner assessments in India.

An assessment of a partner in India turns up some problems, but they're small, and the auditor's a keeper.

As my company increases its partnerships with offshore providers, the need for security audits rises. I've just conducted one whose results could have been better, but there's a silver lining.

For some time, our offshore partners have helped with source-code production and design documentation, as well as the manufacture of some of our products. More recently, the IT department has outsourced portions of our help desk, systems administration and application development functions.

One of my main concerns is that our partners comply with certain requirements before they can connect to our network. The policy mandates patches, virus protection, network segmentation and intellectual property protection. Such policies are necessary, but issuing them doesn't guarantee compliance. That's why audits are necessary.

I audit most of our partners once a year and high-risk partners every six months. It can get expensive, so I decided to follow my company's example this time and do some offshore outsourcing. I started with India.

I recently hired a consultant in the U.S. to perform a three-day assessment. He charged $8,000. A similar assignment in India using a local consultant would cost $1,000. The savings are obvious, even before travel costs are factored in. The question was whether the work would be of comparable quality.

I collected several résumés and conducted telephone interviews, finally settling on a consultant willing to travel all over India. He could perform not just the pending audit but those of our many Indian partners.

The assessment was of a partner with about 25 engineers doing design documentation. We haven't worked with this partner for very long and had yet to audit it. Since this partner is fairly small, an audit of its operations seemed like a low-risk way to evaluate the consultant's performance. He performed flawlessly, preparing a meaningful report.

As for the partner, its failings were the result of a catch-22. The partner's only permissible access is via a VPN tunnel to our corporate offices so the engineers can communicate with the design documentation server. The engineers check out design documents, work on them and then check them in when they're done. According to our policy, the partner can't back-connect to its own company network.

Here's the catch: One of my requirements is that partners keep their systems current with antivirus updates and patches. The security audit discovered that the 25 desktops hadn't been patched in almost a year. That sounds bad, but we've seen this problem before. Windows Update and Symantec antivirus definition updates require Internet access.

Our partner lacked an in-house means of updating the workstations, so we had to loosen the firewall rules and create some static routes to allow the desktops to connect to the Internet, but only to update Windows and the antivirus definitions.
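What "loosen the firewall rules, but only for updates" looks like in practice, as an added example that is not the column's own configuration: a default-deny egress policy for the partner desktops that permits the VPN tunnel, DNS to the internal resolver, and HTTP/HTTPS to a short, reviewed list of update hosts, plus the static routes that send that traffic out the Internet gateway rather than down the tunnel. Every address, subnet and hostname below is an assumption for illustration (RFC 5737 documentation ranges, placeholder names); the script emits the commands for review and only applies them when invoked with `apply`.

```shell
#!/bin/sh
# Added example, not the partner's real configuration. Narrow egress for
# VPN-only desktops so they can reach Windows Update and antivirus
# definition servers and nothing else. All values are assumptions.

PARTNER_LAN="10.20.0.0/24"   # assumed partner desktop subnet
VPN_PEER="198.51.100.10"     # assumed corporate VPN gateway
INET_GW="203.0.113.1"        # assumed Internet gateway on the partner firewall
DNS_SERVER="10.20.0.2"       # assumed internal resolver

# "name address" pairs for the update services. Addresses are resolved out
# of band and reviewed before loading (assumed placeholder values).
UPDATE_HOSTS="
windowsupdate.example 203.0.113.20
avdefs.example 203.0.113.30
"

# The tempting but weak fix: open the desktops to the whole Internet.
# Emitted only for contrast with the allowlist below.
weak_egress_rules() {
    echo "iptables -A FORWARD -s $PARTNER_LAN -j ACCEPT"
}

# Static host routes so traffic to the update hosts leaves via the Internet
# gateway instead of the VPN tunnel.
update_static_routes() {
    printf '%s\n' "$UPDATE_HOSTS" | while read -r name addr; do
        [ -n "$addr" ] || continue
        echo "ip route add $addr/32 via $INET_GW   # $name"
    done
}

# Filter rules: default deny, then the tunnel, DNS to the internal resolver,
# and HTTP/HTTPS to the update hosts only. Denied traffic is logged so the
# next audit can see what else the desktops tried to reach.
update_egress_rules() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -s $PARTNER_LAN -d $VPN_PEER -j ACCEPT"
    echo "iptables -A FORWARD -s $PARTNER_LAN -d $DNS_SERVER -p udp --dport 53 -j ACCEPT"
    printf '%s\n' "$UPDATE_HOSTS" | while read -r name addr; do
        [ -n "$addr" ] || continue
        echo "iptables -A FORWARD -s $PARTNER_LAN -d $addr -p tcp -m multiport --dports 80,443 -j ACCEPT   # $name"
    done
    echo "iptables -A FORWARD -s $PARTNER_LAN -j LOG --log-prefix 'partner-egress-deny: '"
    echo "iptables -A FORWARD -s $PARTNER_LAN -j DROP"
}

# Quick audit check: the number of Internet-bound ACCEPT rules must equal the
# number of update hosts, i.e. the allowlist is no wider than intended.
count_internet_allows() {
    update_egress_rules | grep -c -- '-p tcp -m multiport --dports 80,443 -j ACCEPT'
}

if [ "${1:-}" = "apply" ]; then
    update_static_routes | sed 's/ *#.*//' | sh
    update_egress_rules  | sed 's/ *#.*//' | sh
else
    update_static_routes
    update_egress_rules
fi
```

The addresses behind public update services change, so a host list like this needs maintenance; the more durable fixes are a filtering proxy that allowlists by domain, or an in-house update server of the kind the partner lacked, which lets the desktop egress rule go back to "VPN only".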

There were a couple of other small configuration items, but for the most part, this partner was clean. No backdoor access to its corporate network, no suspicious applications, no indications of a compromised network, no unauthorized wireless access points, no insecure firewall or router configurations, and no indication of thumb drives or external hard drives. In addition, nondisclosure agreements and sufficient physical security controls were in place.

Other than the lack of patches and antivirus updates, this partner got a clean bill of health, but more important, I've found a cost-effective way to conduct partner assessments in India. Now I have to work on finding the same in Russia!
