By | Simon Sharwood 11th December 2014 08:24

Crims at vendors could crock kit says ENISA

Secure procurement guide wants suppliers to disclose employees' colourful pasts

Before you sign on the dotted line to acquire some kit or sign up a service provider, ask the vendor you're considering if any of their staff have criminal records.

That's just one of many, many suggestions made by the European Union Agency for Network and Information Security (ENISA) in two new guides: Secure ICT Procurement in Electronic Communications and the Security Guide for IT Procurement.

The latter document lists seven items to consider when procuring IT, the second of which is human resources security. The first item in that section of the guide is background checks, which the document suggests could come in handy to address “Unintentional or intentional alterations of products or systems performed by the vendor’s employees including faulty changes or upgrades, configuration errors, bad maintenance, insider attacks, etc.”

“When legally permitted and justified by a level of criticality of service provided, the vendor should do its due diligence to flag any criminal records in its employees’ background,” the document suggests. Doing so will “avoid any sinister and intentional alterations of products or systems.”

Plenty of folks with hacking convictions go straight later in life, often changing hats from black to white along the way. Those who've made such a transition probably won't appreciate ENISA's advice.

The guides are intended, in part, to help buyers when negotiating with vendors. ENISA's research suggests that many IT buyers feel vendors won't offer them the security options they desire, and that a lack of market alternatives means plenty of buyers settle for what they can get. By offering a comprehensive set of guidelines, the agency hopes buyers can wave them beneath vendors' noses and point to independently-concocted best practices.

The documents also offer advice on how to deal with suppliers whose spare parts supplies mysteriously dry up, suggestions on how to assess vendors' physical security, and guidance on audit and monitoring practices. Some of the advice is anodyne: there are plenty of mentions of the need for service level agreements, termination points in contracts and handover of data acquired during outsourcing engagements that won't surprise anyone other than tyro lawyers.

At about 70 pages combined, the guides aren't terrifyingly long, or marvellously detailed. But they do look a more-than-useful starting point for those who don't currently build security considerations into their procurement processes.

With Sony providing us all with a reminder of how unpleasant things can become after a breach, the documents look worth at least a glance. ®
