Answer yes if your organisation completes a risk assessment for each identified network connection between your network and any third party network.
What is the control?
Any significant change to your environment should be subject to an assessment to determine its impact. Few changes are potentially as significant as those connecting the networks of third-parties.
Therefore, any addition or change of connectivity to a third-party network should undergo a risk assessment as part of the approval process.
Why should I have it?
A risk assessment on a third-party network helps provide assurance around the risks involved in connecting that network to one’s own internal network.
When connecting a third-party network, that network potentially has access to parts or the entirety of your systems, meaning that you may be exposed to malicious activity from their network, or that a breach of their network could spread into yours.
It’s therefore crucial to assess the third-party network’s state, security controls, and what internal systems or network segments they will be accessing and how, in order to minimise the level of exposure from the third-party and to ensure that the necessary controls are in place to handle the potential risks brought on by the new connection.
Your change process should dictate an approval process for any new connection (or any change in an existing connection) made to your internal network. This approval process should include a security assessment for the full scope of the network that is being allowed connectivity. It should also be assured that as much compartmentalisation and segmentation is in use on one’s own internal network to limit what systems and data gets exposed.
The change process should also inform other processes and actions such as the reconfiguration of firewall and intrusion detection systems to allow only the expected traffic from the third-party network.
There are numerous consultancies or individual consultants that will be able to assist in crafting the correct security architecture in a way that meets your business and technical requirements. Please message us if you would like a recommendation.
If you would like to contribute to this article or provide feedback, please email firstname.lastname@example.org. Contributors will be recognised on our contributors page.
Please do not submit your answer on the knowledge base.