Corporate and public-sector organizations are working with more business partners than ever before -- and the number will continue to grow. Organizations have many needs to share data outside their boundaries, beyond the scope of IT control. Globalization has further complicated the issue. Outsourcing, offshoring, supply-chain management, workflow management, value chains and emerging markets: These each signal a warning to information security managers.
When you share customer data with a business partner, not only is your reputation at stake -- but there is a significant, measureable financial risk from direct cost, penalties, and from lost customers. And the cost of public relations damage control after a data leak is increasing.
If your organization is proactive and has a professional information security program -- with an effective strategy and good operational management -- you can still suffer if business partners do not follow the same strategy.
Securing data in an environment with perhaps hundreds, if not thousands of partners, requires a continuously-operating program to evaluate and manage business partner security.
Get to know them
To protect information in a partner relationship, you need to know the business partner. This sounds basic, but many times partners are chosen by the business units of the organization without any concern for security. Many young organizations, especially, focus on operations to the exclusion of other concerns. First, map the business processes that are involved in the third-party relationship:
Once the information is classified and its importance is defined, then it's time to conduct a data inventory. Where does the data exist, physically (which servers, databases, network segments, etc.) and logically (which business process, which data flow)? Who has access to the information, why, and where? Security convergence requires that we can't address digital data differently than data in other forms, so this must be kept in mind. It is not useful to secure a database if the same data is being shared over a phone or fax without proper authentication of the person at the other end. Whenever data is stored, processed, or transmitted it must be protected from the beginning of the transaction to the end. This end-to-end transactional security is the key concept of the modern information security environment.
Finally, there are other organizational questions about security of information for business partners. Are there subcontractors involved in the process? What provisions are in the contract for information protection?
How do they address security?
When you are conducting a site visit to evaluate the security program of a business partner, the survey begins before you arrive inside the building – look for issues with physical security. First, pay attention to your entry into the facility. Is the parking area segregated from the building? Is there a gate? Are you met outside the building or at the gate, and if so, how do you gain access? Are there visible security mechanisms in place, like CCTV? How is the entryway to the building guarded? As you assess the building itself, what threats does it face that are unique to its location -- such as fire, flood, natural disaster such as hurricanes or earthquakes, or perhaps even terrorism and war?
How are you authenticated at the entryway? Is it easy to enter or difficult? How do employees enter the building? Visitors? Contractors and support staff? How many employees have access to the building? Once you are inside the building, is there a clean desk policy? Are some areas of the building subject to more safeguards -- is the building designed to allow for security zones which differ in levels of protection? Are there additional levels of protection for the data processing environment -- safeguards from fire and flood, protection in case of power loss? Are the servers and network equipment physically segregated from the office area, so that only authorized people have access?
Structured for success
Once you have conducted a walk-through of the business partner's site, the next step is to sit down for an interview with the security manager of your partner company. Often, especially with smaller organizations, there is no formal security manager -- in this case, try to identify the operational manager within the organization who has overall responsibility for information security.
Policy is the foundation for a security program. Ask to review the information security policies that are published by your business partner. Remember that a policy that is “in draft status” or is not approved by management is not a functional policy. If there is no management support, the policy cannot be enforced. Effective policies are usually written to be in compliance with some international standard, such as ISO27000 or CobiT 4.1, and then customized to meet the partner's environment. Have the policies been measured against any industry standards? If the partner has adequate policies, then the next step is to evaluate the governance model -- are the roles and responsibilities defined to support the policy? Is security written into the job descriptions of appropriate employees? Is there appropriate security training for information security staff?
If it exists, review your business partner's incident response plan. Has an incident response team been identified and trained? Do they conduct exercises regularly to be prepared to respond to security incidents? How long ago was the last security incident, and how effectively was it managed? Because these security incidents might affect your own organization, you will need to develop a plan to connect your incident response team with the team from your business partner. Prompt communication may help stop small incidents before they become a large problem.
Outside of the security organization, has security been considered for all employees with access to critical data? Have background checks been conducted? Is there a security awareness program in place, and is it updated regularly? Information access should be granted on a need-to-know basis, against the principle of least privilege (in other words, employees are only granted access to the minimum amount of data required to do their jobs.)
Finally, review the business partner's compliance program. Effective compliance programs maintain a list of all applicable regulations, and the safeguards required by each. They cultivate a strong relationship between the information security program and the partner's General Council, so that they may be aware of legal requirements as they plan for security initiatives. If a current or potential business partner has paid careful attention to their compliance program, it is a good sign that they are approaching information security from a proactive posture instead of simply reacting to security incidents as they occur.
Do they have the resources?
Next, review the information processing controls implemented to protect data at the business partner site. You are trying to determine whether the proper controls are in place to meet the policy requirements. What technological protections are in place? Have they implemented security controls using firewalls, intrusion detection or prevention, anti-virus, anti-spam, content filtering, etc.? How is their IT environment managed and monitored? Is it a 24x7 operation, or is it only monitored during business hours? Is data encrypted in areas where it might be vulnerable? What types of transaction controls have been implemented to protect critical databases? How is your data being protected in the application environment? Have the applications been assessed for security vulnerabilities? You also must determine whether any of your organization's data will be used in a development or testing environment. Many times, companies will implement fewer safeguards in a development or testing environment than they do on the production network.
Finally, often the IT environment is secure, but there are glaring weaknesses in the business continuity and disaster recovery plan. Many companies pay careful attention to protecting their IT environment, and then they do not secure backups -- which can be a major vulnerability.
Use the data
In the end, the information that you collect on your business partner can be very useful during the contract process. You may need to require that your business partner meet certain security requirements before you sign a contract (or renew an existing contract). Business partner and outsourcing agreements should include standard security clauses, and key performance indicators should be reported in order to meet the terms of the contract. And remember -- the security information that you collect from your business partners should also be treated with confidentiality.
It's your responsibility to conduct the due diligence required to protect your data when working with other organizations. When a business partner, vendor, or contractor loses your data, it's your reputation -- and your finances -- that are at stake.
When you share customer data with a business partner, not only is your reputation at stake -- but there is a significant, measureable financial risk from direct cost, penalties, and from lost customers. And the cost of public relations damage control after a data leak is increasing.
If your organization is proactive and has a professional information security program -- with an effective strategy and good operational management -- you can still suffer if business partners do not follow the same strategy.
Securing data in an environment with perhaps hundreds, if not thousands of partners, requires a continuously-operating program to evaluate and manage business partner security.
Get to know them
To protect information in a partner relationship, you need to know the business partner. This sounds basic, but many times partners are chosen by the business units of the organization without any concern for security. Many young organizations, especially, focus on operations to the exclusion of other concerns. First, map the business processes that are involved in the third-party relationship:
- What activity is this business partner performing or supporting?
- Which part of your organization owns the relationship?
- Who are the business owners of the relationship?
- What does the partner provide (services, products, etc.)?
- Why is it needed by your company?
- What is the importance of the partnership?
- How often is your partner audited, and by whom?
- What certifications or accreditation do they possess?
Once the information is classified and its importance is defined, then it's time to conduct a data inventory. Where does the data exist, physically (which servers, databases, network segments, etc.) and logically (which business process, which data flow)? Who has access to the information, why, and where? Security convergence requires that we can't address digital data differently than data in other forms, so this must be kept in mind. It is not useful to secure a database if the same data is being shared over a phone or fax without proper authentication of the person at the other end. Whenever data is stored, processed, or transmitted it must be protected from the beginning of the transaction to the end. This end-to-end transactional security is the key concept of the modern information security environment.
Finally, there are other organizational questions about security of information for business partners. Are there subcontractors involved in the process? What provisions are in the contract for information protection?
How do they address security?
When you are conducting a site visit to evaluate the security program of a business partner, the survey begins before you arrive inside the building – look for issues with physical security. First, pay attention to your entry into the facility. Is the parking area segregated from the building? Is there a gate? Are you met outside the building or at the gate, and if so, how do you gain access? Are there visible security mechanisms in place, like CCTV? How is the entryway to the building guarded? As you assess the building itself, what threats does it face that are unique to its location -- such as fire, flood, natural disaster such as hurricanes or earthquakes, or perhaps even terrorism and war?
How are you authenticated at the entryway? Is it easy to enter or difficult? How do employees enter the building? Visitors? Contractors and support staff? How many employees have access to the building? Once you are inside the building, is there a clean desk policy? Are some areas of the building subject to more safeguards -- is the building designed to allow for security zones which differ in levels of protection? Are there additional levels of protection for the data processing environment -- safeguards from fire and flood, protection in case of power loss? Are the servers and network equipment physically segregated from the office area, so that only authorized people have access?
Structured for success
Once you have conducted a walk-through of the business partner's site, the next step is to sit down for an interview with the security manager of your partner company. Often, especially with smaller organizations, there is no formal security manager -- in this case, try to identify the operational manager within the organization who has overall responsibility for information security.
Policy is the foundation for a security program. Ask to review the information security policies that are published by your business partner. Remember that a policy that is “in draft status” or is not approved by management is not a functional policy. If there is no management support, the policy cannot be enforced. Effective policies are usually written to be in compliance with some international standard, such as ISO27000 or CobiT 4.1, and then customized to meet the partner's environment. Have the policies been measured against any industry standards? If the partner has adequate policies, then the next step is to evaluate the governance model -- are the roles and responsibilities defined to support the policy? Is security written into the job descriptions of appropriate employees? Is there appropriate security training for information security staff?
If it exists, review your business partner's incident response plan. Has an incident response team been identified and trained? Do they conduct exercises regularly to be prepared to respond to security incidents? How long ago was the last security incident, and how effectively was it managed? Because these security incidents might affect your own organization, you will need to develop a plan to connect your incident response team with the team from your business partner. Prompt communication may help stop small incidents before they become a large problem.
Outside of the security organization, has security been considered for all employees with access to critical data? Have background checks been conducted? Is there a security awareness program in place, and is it updated regularly? Information access should be granted on a need-to-know basis, against the principle of least privilege (in other words, employees are only granted access to the minimum amount of data required to do their jobs.)
Finally, review the business partner's compliance program. Effective compliance programs maintain a list of all applicable regulations, and the safeguards required by each. They cultivate a strong relationship between the information security program and the partner's General Council, so that they may be aware of legal requirements as they plan for security initiatives. If a current or potential business partner has paid careful attention to their compliance program, it is a good sign that they are approaching information security from a proactive posture instead of simply reacting to security incidents as they occur.
Do they have the resources?
Next, review the information processing controls implemented to protect data at the business partner site. You are trying to determine whether the proper controls are in place to meet the policy requirements. What technological protections are in place? Have they implemented security controls using firewalls, intrusion detection or prevention, anti-virus, anti-spam, content filtering, etc.? How is their IT environment managed and monitored? Is it a 24x7 operation, or is it only monitored during business hours? Is data encrypted in areas where it might be vulnerable? What types of transaction controls have been implemented to protect critical databases? How is your data being protected in the application environment? Have the applications been assessed for security vulnerabilities? You also must determine whether any of your organization's data will be used in a development or testing environment. Many times, companies will implement fewer safeguards in a development or testing environment than they do on the production network.
Finally, often the IT environment is secure, but there are glaring weaknesses in the business continuity and disaster recovery plan. Many companies pay careful attention to protecting their IT environment, and then they do not secure backups -- which can be a major vulnerability.
Use the data
In the end, the information that you collect on your business partner can be very useful during the contract process. You may need to require that your business partner meet certain security requirements before you sign a contract (or renew an existing contract). Business partner and outsourcing agreements should include standard security clauses, and key performance indicators should be reported in order to meet the terms of the contract. And remember -- the security information that you collect from your business partners should also be treated with confidentiality.
It's your responsibility to conduct the due diligence required to protect your data when working with other organizations. When a business partner, vendor, or contractor loses your data, it's your reputation -- and your finances -- that are at stake.
