Magazine article Security Management

Assessments Target Third Parties: When Evaluating Their Data Security Programs, Companies Must Consider the Safety of Outsourced Information


Article excerpt

WHEN IT COMES TO assessing the security of their data, companies typically look for their weakest link. And increasingly, they're concerned that it lies with third party business partners.

Firms have increasingly entrusted their data to third parties in recent years both to save costs and to benefit from resources they do not have in-house.

To mitigate their exposure, companies need an "overarching protective strategy" relating to third parties, says Forrester Research senior analyst Khalid Kark.

His first recommendation is that companies choose outsourcing firms with security controls similar to their own. One benefit is that it will help organizations, both initially and on an ongoing basis, to better gauge the strength of their partner's security program, he says. Before any deal, third parties should undergo a thorough outside assessment examining all aspects of security: technical, procedural, and physical.


Next, Kark recommends agreeing in the contract to share liability if certain standards aren't met and maintained. He also counsels companies to include a clause in the contract that will allow them to perform a security audit on their partner with 24 hours' notice. "A lot of companies are not using that provision, but they have the right to do so."

His fourth recommendation concerns data access. "It seems like a no-brainer, but there could be times when their system is down and you might not be able to access data in the time frame you want." Companies need to be certain the appropriate redundancies and backup will help guarantee availability. Kark also recommends that organizations seek out partners who have internationally recognized security certifications, such as ISO 27001.

While advocating similar steps to those mentioned, Ernst & Young partner Jose Granado emphasizes the importance of placing breach notification requirements in a contract. He also advises clients to look for third parties with a dedicated security team, "not just an IT person who has it as a side duty." Ernst & Young is conducting about 60 to 70 percent more third-party assessments than it was 18 months ago, he notes. …
