Security Risk in Vendor Audit Conducted on Service Provider

The risk of noncompliance with the terms and conditions of license agreements is not the only risk Service Providers face during a vendor audit. Software Asset Managers need a thorough understanding of the security risks that arise when customer data is exposed to a software vendor or to an auditor. In this article I would like to share details about these potential risks and best practices for avoiding them. It is critical that everyone involved in an external vendor audit is aware of these risks.

An outsourcing contract signed between a Service Provider and a customer may restrict access to data owned and used by the customer to people located in a specific country. Even the outsourcing contract itself can be subject to this restriction. License agreements signed between a Service Provider and a software vendor are typically global, and so are the software asset management teams. Best practice in this case is to engage a security expert located in that country who masks the data before it is handed over to the audit team.

Information exposure means that a party obtains facts or data it is not authorized to access. Outsourcing contracts are becoming increasingly strict about data owned and used by the customer. Fines for breaching cyber security and data privacy laws can be devastating. Service Providers should consider assigning a security expert to evaluate each outsourcing contract and document its restrictions. For customers in scope of an external vendor audit, the security expert shall mask the data before it is handed over to the audit team.

The scripts and tools software vendors use to discover software usage can cause failures in an IT infrastructure and consume valuable technical resources. Best practice is to negotiate the use of alternative data sources with the software vendor. An additional risk arising from these scripts and tools is the exposure of information the software vendor has no need for and is not authorized to see. This can lead to a breach of data privacy laws and/or give the software vendor a competitive advantage. If no alternative data source is available, the data must be cleaned of information the vendor is not authorized to see, and data masking shall be applied where required. Fields that typically require masking are customer names (including acronyms), server names, cluster names, domain names and usernames.
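The following is an added example, not code from the article, of how a Service Provider can mask an inventory export before it reaches the audit team. It pseudonymizes the identifying fields named above (customer, server, cluster, domain, username) with a keyed HMAC so that the same host or user always maps to the same token, which keeps install and user counts intact for the license reconciliation while leaving the vendor no way to recover the original names without the secret. Customer acronyms embedded in free-text columns are mapped to the same token as the full customer name. The CSV layout, the column names, the `notes` column and the sample rows are all constructed assumptions for this illustration.

```python
"""Pseudonymize a software inventory export before handing it to an auditor.

Added example; the CSV layout, column names and sample data are assumptions.
"""
import csv
import hashlib
import hmac
import io
import re
import sys

# Columns a license auditor legitimately needs: passed through unchanged.
KEEP_FIELDS = {"product", "version", "edition", "cores"}
# Identifying columns, mapped to the label used in their pseudonym.
MASK_FIELDS = {"customer": "cust", "hostname": "host", "cluster": "cluster",
               "domain": "domain", "username": "user"}
# Free-text columns that may embed customer names or acronyms.
SCRUB_FIELDS = {"notes"}


def pseudonym(secret: bytes, label: str, value: str) -> str:
    """Keyed, deterministic token. Same input -> same token, so distinct hosts
    and users can still be counted; without the secret (kept by the Service
    Provider) the token cannot be reversed to the original name."""
    material = f"{label}:{value.strip().lower()}".encode()
    mac = hmac.new(secret, material, hashlib.sha256)
    return f"{label}-{mac.hexdigest()[:12]}"


def scrub_text(secret: bytes, text: str, aliases: dict) -> str:
    """Replace customer names and acronyms embedded in free text.
    `aliases` maps each spelling (full name or acronym) to the canonical
    customer name so that all spellings collapse to one token."""
    for alias in sorted(aliases, key=len, reverse=True):  # longest match first
        token = pseudonym(secret, "cust", aliases[alias])
        text = re.sub(re.escape(alias), token, text, flags=re.IGNORECASE)
    return text


def mask_row(secret: bytes, row: dict, aliases: dict) -> dict:
    """Mask one inventory record; unknown columns are dropped, not leaked."""
    out = {}
    for field, value in row.items():
        if field in MASK_FIELDS:
            out[field] = pseudonym(secret, MASK_FIELDS[field], value) if value else value
        elif field in SCRUB_FIELDS:
            out[field] = scrub_text(secret, value, aliases)
        elif field in KEEP_FIELDS:
            out[field] = value
    return out


def mask_inventory(csv_text: str, secret: bytes, aliases: dict) -> list:
    """Parse a CSV export and return the list of masked rows."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [mask_row(secret, row, aliases) for row in reader]


# Constructed sample export: two instances on one host, one user on two hosts.
SAMPLE_CSV = """customer,hostname,cluster,domain,username,product,version,edition,cores,notes
Acme Corp,db01.acme.example,ACME-PROD,acme.example,jsmith,DBServer,12.1,Enterprise,16,Migrated for ACME in Q2
Acme Corp,db01.acme.example,ACME-PROD,acme.example,alee,DBServer,12.1,Enterprise,16,second instance
Globex,app07.globex.example,GLX-CL1,globex.example,jsmith,AppServer,9.0,Standard,8,GLX pilot
"""
# Constructed alias map: every spelling and acronym -> canonical customer name.
CUSTOMER_ALIASES = {"Acme Corp": "Acme Corp", "ACME": "Acme Corp",
                    "Globex": "Globex", "GLX": "Globex"}

if __name__ == "__main__":
    # In practice the secret is generated once per audit and never shared.
    rows = mask_inventory(SAMPLE_CSV, b"per-audit-secret-kept-by-provider", CUSTOMER_ALIASES)
    writer = csv.DictWriter(sys.stdout, fieldnames=list(rows[0]))
    writer.writeheader()
    writer.writerows(rows)
```

Because the tokens are keyed, the audit team can reconcile installs per host and users per product from the masked file alone, while the mapping back to real names stays with the Service Provider's security expert; an unkeyed hash would not give that guarantee, since short hostnames and usernames can be recovered by guessing.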

Service Providers are often bound by Service Provider License Agreement terms. These terms usually apply in a multi-tenant environment, that is, an environment hosting more than one external customer. It is often the case that only part of the environment is licensed under Service Provider License Agreement terms; this is typically the infrastructure supporting the customer with Service Provider-owned tools (monitoring, security, inventory, provisioning and so on). Where the environment is licensed partly by the Service Provider and partly by the customer, it is critical to secure architectural documentation that clearly describes the environment. This documentation helps the Service Provider negotiate the scope of the audit with the software vendor.

The External Audit Response Team must be limited to individuals qualified in audit response. At minimum, the team must consist of experts in the following areas: vendor relationship management, legal, software asset management and security. In a Service Provider environment, support from technicians and customer representatives may also be required. If no External Audit Response Team is in place, there is a high probability that technicians will be contacted directly by the software vendor with a request to run its tools and scripts. In that case technicians may hand the data directly to the vendor without any validation, which is a high security risk.

People often believe there is no room for negotiation in an external audit. Experienced members of the External Audit Response Team can negotiate timelines and agree on alternative data sources.