Assessments target third parties: when evaluating their data security programs, companies must consider the safety of outsourced information.
Firms have increasingly entrusted their data to third parties in recent years both to save costs and to benefit from resources they do not have in-house.
To mitigate their exposure, companies need an "overarching protective strategy" relating to third parties, says Forrester Research senior analyst Khalid Kark.
His first recommendation is that companies choose outsourcing firms with security controls similar to their own. One benefit is that it will help organizations, both initially and on an ongoing basis, to better gauge the strength of their partner's security program, he says. Before any deal, third parties should have a thorough outside assessment examining all aspects of security, including technical, procedural, and physical issues.
Next, Kark recommends agreeing in the contract to share liability if certain standards aren't met and maintained. He also counsels companies to include a clause in the contract that will allow them to perform a security audit on their partner with 24 hours' notice. "A lot of companies are not using that provision, but they have the right to do so."
His fourth recommendation concerns data access. "It seems like a no-brainer, but there could be times when their system is down and you might not be able to access data in the time frame you want." Companies need to be certain the appropriate redundancies and backup will help guarantee availability. Kark also recommends that organizations seek out partners who have internationally recognized security certifications, such as ISO 27001.
While advocating similar steps to those mentioned, Ernst & Young partner Jose Granado emphasizes the importance of placing breach notification requirements in a contract. He also advises clients to look for third parties with a dedicated security team, "not just an IT person who has it as a side duty." Ernst & Young is conducting about 60 to 70 percent more third-party assessments compared to 18 months ago, he notes.
For IBM Internet Security Systems, which conducts comprehensive assessments, exams typically begin with a request from a company or third party for a customized assessment plan, or checklist. IBM then presents a proposal to both parties, who come to a final agreement.
For third parties, a principal concern about such tests is maintaining the confidentiality of other clients' data, says Rick Belisle, a regional services manager. They also want to guard against network, server, and other interruptions. To allay such concerns, IBM signs confidentiality agreements and generally conducts tests during nonbusiness hours.
The depth of the assessments typically depends on the information at stake. "If it's just a name and address, [tests] will require less work than when companies are holding things like a Social Security number and credit card information," says Belisle.
Third-party security assessments tend to be less about technological security and more about the company's policies, he says. "It's not in a proven technology where your vulnerabilities typically lie. It's how you handle vulnerabilities."
A large part of many tests concerns authorization or identity management, "ensuring that the right people have access to the right data," adds Belisle. This testing frequently involves logging in as an administrator from one company and then trying to access data from another one. "We run a variety of different tests against the application, database, and overall system security controls to see if we can leverage them to get something else," he says.
Tests also typically examine how encrypted data is managed while in transit and at rest. Assessments also test physical security at both involved companies, examining such things as door locks, cameras, and access control, he says.
Behind the Numbers: Security's Slice of the IT Pie

Security: 5% of the IT budget
Disaster recovery: 7% of the IT budget

The average enterprise is spending 5 percent of the IT budget on security in 2007. This rises to 12 percent if disaster recovery spending is included. Source: Gartner Inc.