From independent brokers and agents to auto body shops, Nationwide Insurance Companies works with thousands of business partners. As Nationwide's associate general counsel and chief privacy officer, Kirk Herath helps to make sure none of those third-party relationships open the Fortune 500 company up to more trouble than they are worth.
"Every person who you do business with that has your data is a potential point of failure," says Herath. "You can't create a world where you can actually do business and not have that risk looming. At the same time, you can't permit that risk to paralyze you."
Risks associated with a business partner relationship must be weighed with the potential payoff, he says. If the risk is huge, a company needs to figure out a way to reduce it – or walk away from the deal altogether.
"At the end of the day, it's a gut feeling: 'Is this risk unmanageable?' If it is, then from my experience, we don't do it."
More than ever, businesses are intent on ensuring that the companies they work with – banks, service providers, marketing firms or software developers – are secure. Companies are scrutinizing their partners' security via questionnaires and assessments, requiring controls in contractual arrangements, and checking back regularly to make sure controls remain in place.
Liability concerns and regulatory compliance demands are making third-party security a hot topic, comments Michael Rasmussen, Forrester Research analyst. Gramm-Leach-Bliley, HIPAA, and California's Assembly Bill 1950 require companies to ensure there are "adequate and appropriate security controls to protect information" in business partner relationships, he says.
This year's rash of breaches at banks, data brokers and universities has also shone the spotlight on business partner security. In May, media giant Time Warner revealed that a long-time data-storage partner lost a batch of backup tapes containing the personal information of thousands of employees. In April, online broker Ameritrade reportedly suffered a similar breach when its shipping firm lost one of the company's backup tapes containing customer data.
Ken Pfeil, CSO at Capital IQ, a financial-information division of Standard & Poor's, says the heightened scrutiny of third-party security cuts both ways. He expects those who do business with his company to maintain a high level of security to protect the firm's data, but he also wants to assure partners that the inverse is also true. "We don't want to end up being the weak link in someone else's processes," he explains.
At Liberty Mutual Insurance, regulatory requirements that might require it to conduct periodic security assessments of its partners are evolving, and some regulations are driving those it does business with to assess Liberty Mutual's own security, says CISO Scott Blake. He believes the regulations are creating a de facto best practice.
"The fact of the matter is that, even if one isn't specifically regulated or required to do some of these things, because it's becoming a best practice and because there are potential liability issues, we're all going to have to explain to a jury why we didn't do it if something goes horribly wrong," says Blake. "No one wants to be in that position and that helps drive us to go beyond the regulations when our customers' interests are on the line."
With all the security breaches making the news these days, companies need to learn as much as possible about how their partners are protecting their data, says Jeff Moss, CEO of Black Hat and founder of the annual Defcon hacking convention. He recalls a case with a firm for which he was consulting that sent backup tapes daily to a storage provider. The company, which had plenty of internal security, never asked how many people at the storage company had access to its tapes.
"It turned out that almost any of the employees [at the storage firm] could get these tapes legitimately," says Moss.
Despite the risks, however, firms cannot avoid working with third parties, he says. "The opportunities are so great, you can't ignore it if you want to be in business. A lot of times the more information you share, the better the partner can operate – [but] it could also hurt you more."
So how do companies make sure the companies they work with are secure? A common first step is to have the partner fill out a questionnaire about its security procedures and infrastructure. It might ask about the partner's incident response plan or backup procedures, for example. Some companies call it a vendor survey or information security risk assessment tool, says Herath.
"At the end of the day, it tries to judge the risk of a third party and determine whether their environment is up to snuff and, if not, to provide a mechanism to provide feedback," he says.
For example, a company can use the third party's response to request improvements, which becomes an item to be negotiated in the contract, he explains.
Four years ago, Nationwide's questionnaire was a basic one-page survey. Today, it's a very specific, detailed 20-page document. Some businesses have huge surveys that resemble the New York City phone book, but Herath warns that firms using such a tool had better be prepared to live up to what they are asking of others.
Liberty Mutual's Blake believes that the challenge comes in deciding what to ask and not getting too detailed. "You want to develop a generic questionnaire so you're not burning your entire staff time dealing with these things," he says. How quickly a company applies a critical patch is a good example of a generic question, he adds.
As well as questionnaires, companies should go a step further and conduct an on-site inspection, advises Mark Mellis, consultant at security services firm SystemExperts.
"You get a sense of how diligent people are when you visit their turf. It doesn't take a rocket scientist to see if the place is a pit," he says. Businesses must also inquire about subcontractors – they need to know whether the service provider sends data outside the U.S.
"I like to have my data in a place where the FBI has jurisdiction," adds Mellis.
He recommends that companies which do a lot of outsourcing develop a standards document that details what they expect from third parties in terms of security. It might require third parties to have a security program similar to the kind outlined in ISO 17799. Or it could spell out how data will be exchanged – using XML and encryption, for example.
Planning ahead of time and specifying security needs before entering into a contract makes everyone happier, says Jack Danahy, CEO of security supplier Ounce Labs.
It also helps to explain the trade-offs you are willing to make, such as slower applications in exchange for a higher level of encryption.
"There needs to be this chain of trust with whoever has your data that permits you to in some ways control it," says Herath at Nationwide. "Clearly, I don't have control in a physical sense, but in a legal sense there are rules and boundaries around the data. If they step outside those boundaries, I have some recourse."
Key contract provisions should include establishing how third parties are able to use and disclose information, binding subcontractors to the same restrictions, reserving the right to audit their security, and defining what happens to data when the relationship comes to an end.
A contractual agreement to assess the partner's security is critical, otherwise a company could run into legal problems when conducting a port scan on a third party, says Steven Brower, an attorney specializing in IT-related business litigation. It helps to have technical staff involved in crafting the contract, he adds.
A company might also want to regularly assess a partner's security, depending on the level of risk in the relationship.
"Things change. What they have got today they could re-implement with a new technology that might dramatically change your risk profile," says Mellis, who recommends annual re-evaluations.
"In some cases, you might put a contract in place with a vendor and, quite frankly, never revisit it because the data is innocuous," says Herath.
"In other cases, the company that has access to all your data in order to help you with marketing – that's something that you probably will want to monitor continuously."