Compliance in the Digital Era: Watch Out for the Third Party

Friday, February 24, 2012

Neira Jones


By 2015, there will be more than 15 billion interconnected devices on the planet, twice the world population. In that period, the total amount of global Internet traffic will quadruple. (Cisco(R) Visual Networking Index (VNI) Forecast (2010-2015), June 2011).

It is estimated that every year in the UK, identity fraud costs more than £2.7 billion and affects over 1.8 million people (National Fraud Authority, October 2010). Every year, we share more of ourselves online...

Life is complicated enough...

This digital world has brought new means for businesses to reach out to customers and our lives are undeniably multi-channel: phone, web, chat, SMS, email, social media, PDAs, smart phones, voice technology applications, proactive outreach, surveys, etc...

In the current economic climate, technology has also enabled organisations to think of whole new ways of organising themselves whilst trying to strike a fine balance between cost and value. The perceived key benefits for organisations considering such moves are:

  • Reduction of capital costs.
  • Increased agility by divesting infrastructure and application management to concentrate on core competencies.
  • Opportunity to re-architect older applications and infrastructure to meet or exceed modern security requirements.

Evidently, this has increased the popularity of cloud computing and all manners of outsourced or managed services models. This in turn has led to an increased distribution of our information assets to third parties. Ultimately, we place our information and our faith in the security measures taken by those managing it on our behalf.

Losing control gracefully...

The key deciding factors for outsourcing services or migration to the cloud are not new. They should mostly centre on data custody, control, security, privacy, jurisdiction, and portability for data & code.

Essentially, organisations will have to perform the balancing act of losing control gracefully whilst maintaining accountability when the operational responsibility for handling and securing their information assets lies with one or more third parties. As regulators increase their focus on data privacy (see my previous post on EU data protection laws), organisations will be forced to increase their discipline when entering into contractual agreements.

Tip of the day: When considering a move of information assets outside of your own environment, transparency and disclosure are key, so make sure that you ask the third party:

·  to disclose their security controls;

·  to disclose how these controls are implemented in your specific case;

·  to prove their compliance to any standard/framework relevant to your business;

·  to agree to liability clauses in your contract. (If they don’t, you should consider a move at the earliest opportunity and may have to consider insurance or other type of provision in the meantime).

It is crucial that businesses understand which controls are needed to maintain the security of their information assets, and it is therefore equally crucial that suppliers are assessed against the business's own regulatory and compliance framework.

As an example, lists of hundreds of PCI DSS compliant service providers can be found on the following publicly available sites (and it’s not just about payment pages, you’ll also find compliant web hosts, shopping carts, etc.): Visa Europe, Visa Inc., MasterCard. A good place to start methinks...

I would also like to recommend the excellent research work by the Cloud Security Alliance, notably the Security Guidance for Critical Areas of Focus in Cloud Computing.

At the end of the day, it’s all about risk management: if one of your third party providers gets breached, it’s your brand that will be in the news, not theirs...

Until next time...

Cross-posted from neirajones
