For many companies the decision to outsource processes or to partner with other organizations makes sense on both the corporate strategy and the financial front. Partnering with a Managed Security Service Provider (MSSP) may allow many companies to focus on their core strengths and concentrate on innovations that will make them more competitive. It may also offer significant cost savings in terms of the number of employees that must be retained in order to facilitate data security for the organization. Outsourcing business processes may also allow companies to return to their core strengths.
Similarly, partnering with other companies may present an opportunity to provide customers with new or enhanced services. Yet it is important to remember as these opportunities are investigated that as companies partner to maximize business opportunities, they must also partner for data security.
As consumers and regulators become more and more aware of data security issues, it is increasingly important for companies to perceive security not just as a competitive advantage but as a criterion for partnering. Today’s business environment is radically different from that of a generation ago. For the most part, the days of flat organizations in which data resided in mainframes and only very specific individuals within the organization could access that information are gone. Today’s typical business has a variety of touch-points at which it must share data with individuals who are not “captive” employees but belong to a variety of outside sources such as outsourcing providers, contractors, or even business partners.
Companies should be aware that each of these touch-points represents an area of vulnerability and the risk of data leakage at these points must be managed.
Realistically speaking, conducting business in this environment without sharing data outside the organization has become somewhat difficult. Between consultants, accountants, regulatory agencies, outsourcing providers, business partners, and vendors, managing relationships with an eye towards security has become increasingly difficult. Yet, in the event that a business partner suffers a data breach which results in the exposure of their partners’ data, all organizations are affected, and not just the one that lost the data.
The ripple effect of an outsourcing provider losing data results in brand damage for all the companies for whom the outsourcer provides services.
With that in mind, there are steps that can be taken before developing the partnership or arrangement that can help organizations practically assess the risk that is associated with sharing that data.
Perhaps the most important step in partnering for data security is understanding the data in your own organization. What types of data do you have and why? Is it classified as Personally Identifiable Information (PII) or Non-Public Personal Information (NPI) by any of the over three dozen state data breach notification laws? How does the data flow through your organization? What obligations to protect the data exist from both the legal standpoint as well as from public expectation? How much damage will your brand suffer if this data is compromised? All of these questions can help an organization design a risk-based information security program. These same questions can help an organization create partnerships that will maintain adequate levels of data security. Understanding your obligation to the data in your care allows you to better negotiate with your business partner as to the standard of care they should take with that same data.
Once the data security obligations are understood internally, it is equally important to understand the data security practices of the potential partner. As negotiations progress, companies should ensure that the discussions surrounding security continue apace. Often, security is parceled out into a section of the contract and once agreement is reached there, the security discussion ends. It is important, though, to understand if and how each aspect of the relationship can affect the respective security postures of each company. While it is possible to share the burden of securing data, and to outsource the security function in some cases, the original custodian of the data is still responsible for it. It is often said that you can outsource the process but not the liability. In order to gain a better understanding of the potential partner’s security posture, there are a number of questions that can be asked.
Remember, though, that there are not necessarily right or wrong answers: the decision to move forward with the partnership depends largely on your organization’s risk management strategy and how much risk it is willing to accept in order to achieve business efficiencies or innovations.
One way to determine the security posture of a potential partner is to ask them what assessments, if any, they have undergone in the last year. If the data to be shared is cardholder data, then at a minimum the potential partner should have successfully completed a PCI assessment. Depending upon the business model, primary industry, and the geographic location of the potential partner, they may have been through a variety of security assessments, including an ISO 17799 or SAS-70 assessment, among others. While these do provide an indication of the partner’s security posture, it is important that their risk management strategy provides some level of comfort to your organization. In other words, do you feel as though the data will be afforded at least the same level of protection as it would have if it remained in the care of your organization? If the sharing of data is critical to the success of the partnership, and the potential partner has not undergone a recent assessment, it may be prudent to request that the partner undertake such a step before cementing any relationship.
Another indication of the partner’s position with respect to security is the IT governance framework that they have implemented. If the company takes a “siloed” or stratified approach to compliance and security, it is possible that they have some unidentified gaps in their security program. For example, if a company has completed a PCI project and a GLBA project separately, it is possible that they have duplicated their efforts in some areas while overlooking potential vulnerabilities in others. If, on the other hand, the company adheres to a specific IT governance framework, such as ISO 17799 or ITIL, this tends to be indicative of a more holistic and inclusive approach to security. In all cases, you should feel comfortable that your partner approaches security as a process, rather than a project.
The specific applications of the data must also be negotiated. This is often overlooked, but can have a serious impact on the security of data. It is important to understand exactly how the partner is going to use the data and whether the data will be shared externally. For example, some outsourcing providers further outsource to a third party. You should know whether the data you share with a partner will be shared with another entity outside of your partner’s immediate control. A breach earlier this year that disclosed the records of Florida state employees brought to light that the onshore outsourcing provider contracted by the state had further outsourced that data overseas. The state of Florida was still liable for the incident, even though it was unaware of the third party. In other cases, some companies will use “real” data to test applications and processes, which may introduce a significant threat to that data. When a business relationship involves sharing data, very clear lines should be drawn concerning the limits of the partner’s ability to use the data.
Once the lines have been clearly drawn regarding the protections and uses of the data, it is equally important to understand how your partner is going to ensure business continuity and how they will handle incident response. What are their back-up procedures? Do they have a hot-site (i.e. a fully replicated site that can be up and running almost immediately)? Understanding their disaster recovery plans can have a significant impact on a decision to partner.
Similarly, understanding the partner’s communication strategy and plan for responding to a compromise is equally important. How will the partner contain the breach, and what is their plan for notifying law enforcement, affected individuals, and, if necessary, the media?
Security, as well as compliance, must be as important to the partnering discussion as any other terms or conditions. Sharing the responsibility for data security is as important as revenue sharing and deserves to be discussed with the same vigor. In today’s competitive environment partnering is often necessary to gain an advantage over the competition. Unfortunately, making hasty decisions that do not include an assessment of the prospective partner’s security posture can quickly erode any advantage that might be gained.
Security can no longer be relegated to the domain of those in IT, but should be an integral part of the larger business discussions.