Tips for Getting Familiar with Your Security Products Provider
Asking these questions will help you vet your security products vendor.
Over the past five years, explosive demand for mobile devices and network- and Internet-connected cyber-physical systems (CPS) has forced a shift away from traditional design, installation and support methods. Physical security manufacturers have lagged in the technical proficiency needed to build cyber-hardened, IP-based products, yet many have jumped into the water (often without a life vest) to stay competitive and relevant. The previous generation of systems ran in isolation from the network and needed only minimal computing resources, so network exposure was never part of their design.
That gap in proficiency has led to major breaches and cybersecurity incidents: vulnerable products expose hospital, school and university end users to cyber risks that are invisible to anyone without the tools and processes to look for them. Manufacturers that have committed to being cyber aware have invested significantly in training, product technical reviews, product development and systems engineering to bring legacy products up to current standards. They deserve applause (and your business) for establishing themselves as leaders in an ever-changing industry.
From a product perspective, system/software security assurance (S/SSA) is the process of ensuring that systems and software are designed to operate at a level of security consistent with the potential harm that could result from the loss, inaccuracy, alteration, unavailability or misuse of the data and resources they use, control and protect.
The 10 steps that follow provide guidance on how to understand and vet a manufacturer's products for cyber assurance and resiliency when those products are required to be “cyber hardened” or “cyber secure.”
1. Does the manufacturer's product documentation include a system security plan (SSP) for the product's IT components?
Manufacturers of cyber-secure solutions will state explicitly the system boundaries, subsystems, hardware, software, firmware and network connection rules, and show how the system has been determined to be “cyber secure” when deployed in a specific environment.
Emerging best practice is for the hardening requirements and techniques a manufacturer publishes to be anchored by an SSP. The SSP documents the security controls present in the system: data encryption, data loss protection, key management, data classification, user roles and responsibilities, authentication, mobile security and so on.
The SSP also describes the information flows, the ports, protocols and services, and how system capabilities will be protected from attack. A practical check: ask for the ports, protocols and services table and compare it against what a deployed unit actually listens on. Anything that is listening but undocumented is a gap in either the product or the plan, and any cleartext management protocol is a gap regardless of whether it is documented.
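As an added illustration of that cross-check (this is not code from the article or from any vendor), the Python script below compares a constructed SSP ports/protocols/services table against a constructed nmap-style port listing and reports undocumented listeners, documented services that are not listening, and cleartext or legacy services. The device, its ports, and the denylist of cleartext services are all assumptions made for the example.

```python
"""Cross-check a vendor SSP's ports/protocols/services (PPS) table against a
device's observed listeners. Added example, not from the original article.
The SSP excerpt and the scan output are constructed, not from a real product."""
import re

# Constructed excerpt of an SSP's PPS table (assumption: what a manufacturer
# might document for a networked camera-style device).
DECLARED_PPS = [
    {"port": 443, "proto": "tcp", "service": "https", "purpose": "management UI and API"},
    {"port": 554, "proto": "tcp", "service": "rtsp", "purpose": "video stream"},
    {"port": 123, "proto": "udp", "service": "ntp", "purpose": "time synchronisation"},
]

# Cleartext or legacy services a "cyber hardened" device should not expose,
# even if the SSP happens to document them (denylist is an assumption).
CLEARTEXT_SERVICES = {"telnet", "ftp", "tftp", "http"}

# Constructed nmap-style port listing (the "PORT STATE SERVICE" lines of
# normal nmap output). States other than exactly "open" (e.g. "open|filtered")
# are not confirmed listeners and are ignored.
SCAN_OUTPUT = """\
PORT     STATE         SERVICE
23/tcp   open          telnet
80/tcp   open          http
443/tcp  open          https
554/tcp  open          rtsp
8000/tcp open          unknown
123/udp  open          ntp
161/udp  open          snmp
162/udp  open|filtered snmptrap
"""

SCAN_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)")


def parse_scan(text):
    """Return {(port, proto): service} for every confirmed-open listener."""
    observed = {}
    for line in text.splitlines():
        m = SCAN_LINE.match(line)
        if m:
            observed[(int(m.group(1)), m.group(2))] = m.group(3)
    return observed


def audit(declared, observed):
    """Compare the declared PPS table with the observed listeners.

    undocumented : listening but absent from the SSP (product or plan is wrong)
    not_listening: documented but not observed (plan is stale, or feature off)
    cleartext    : listening services on the cleartext/legacy denylist
    """
    declared_keys = {(d["port"], d["proto"]) for d in declared}
    return {
        "undocumented": sorted(k for k in observed if k not in declared_keys),
        "not_listening": sorted(k for k in declared_keys if k not in observed),
        "cleartext": sorted(k for k, svc in observed.items() if svc in CLEARTEXT_SERVICES),
    }


def passes(report):
    """A device passes only if every listener is documented and none is cleartext.
    Documented-but-silent services are reported for follow-up, not failed."""
    return not report["undocumented"] and not report["cleartext"]


if __name__ == "__main__":
    report = audit(DECLARED_PPS, parse_scan(SCAN_OUTPUT))
    for finding, entries in report.items():
        print(f"{finding}: {entries}")
    print("PASS" if passes(report) else "FAIL")
```

For the constructed data the device fails: Telnet and HTTP are listening in cleartext, and 8000/tcp and 161/udp are open with no entry in the plan. In practice, feed the script the port lines from a scan of a unit configured exactly as the SSP's deployment section describes, and treat every undocumented entry as a question for the vendor before acceptance.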
2. Is the supplier’s solution developed around a system development lifecycle (SDLC) approach?
Manufacturers should have detailed technical documentation showing that the product follows a systems development lifecycle. The SDLC process covers security requirements, design, build, testing and deployment.
The SDLC should also address configuration management, risk assessment, vulnerability and flaw remediation, patch management, and the solution's ongoing monitoring and auditing capabilities.
One factor that is often overlooked in the SDLC is ongoing cybersecurity training. Secure-development and awareness training should be provided to the manufacturer's development teams and to the systems integrators who deploy the product.