Third-party security: Who can you trust?

Computerworld - The largest security breach in history—combined with a host of new privacy laws—is spurring companies to scrutinize third-party data processors like never before. Sound like a positive development? Not entirely. It has turned into a massive witch hunt for security holes, resulting in untold losses in productivity throughout corporate America. The fire drill comes at a time when companies struggling to stay in the black can hardly afford a diversion of resources that doesn't deliver an equivalent value.

Everyone who works in security saw the headlines last month: "Data processor hacked; 8 million credit card numbers exposed." The massive breach at Data Processors International (DPI) reverberated in boardrooms and cubicles across the country. Companies began asking the question that won't go away: Are we truly safe giving our data to our business partners?

The DPI breach comes on the heels of numerous new privacy laws requiring companies to hold their business partners accountable to their own security standards. European, Canadian and Australian privacy laws include this tenet, as do America's own privacy statutes for the financial services and health care industries. Companies that don't manage the risks of data held by their partners face increasing exposure to fines and lawsuits.

So how are corporations responding? In the pre-Internet days, companies were satisfied with receiving contractual indemnification from their business partners—meaning the partners would be responsible for any damages caused by security breaches that were their own fault. But third parties can't repair the damage to a client's brand following a security breach. Indemnification is no longer enough to establish third-party security.

As a result, firms whose reputations are at stake are now subjecting their data partners to a battery of tests aimed at ensuring that the partners can actually meet their security obligations. This due-diligence gauntlet can include an encyclopedic security survey, a comprehensive site audit and ongoing penetration testing. The results are extremely valuable for both sides—assurance for the client, and quality improvement for the supplier.

But this path to third-party security isn't cheap. A single security review can involve multiple people on both sides for up to a month. Several companies are now assigning full-time personnel whose only jobs are to conduct and respond to third-party security reviews. The labor impact is significant, because every company is re-creating its own security standards and propagating them through its supply chains. As many as a hundred different sets of corporate security standards are now traversing the cubicles of America.

	Jay Cline manages data privacy at Carlson Companies Inc., a Minneapolis-based group of businesses in the travel, hospitality and marketing industries. Contact him at privacy@computerworld.com..

Using the same lexicon and metrics, business partners could build boilerplate descriptions of their security practices for prospective clients. Weeks and months of effort per security review would shrink to hours on both sides. Widespread adoption of a common security terminology would also reduce the time and cost needed for external auditors to do their duties.

The good news is that this security terminology has already been developed. In the early 1990s, the security officers at several British multinationals created what has become an ISO standard for security, ISO/IEC 17799. Citibank, Sony and Unisys have been certified under the standard, and the governments of Hong Kong, Taiwan and Singapore are reportedly requiring companies to receive this certification before doing electronic business with them. The standard's vague definitions need much refinement, but they're a sufficient starting point for American businesses seeking to save overhead.

Our British friends have done good work, and we should follow their lead. The next time you engage a data partner, measure them against the 17799.

ISO 17799 Code of Practice for Information Security Management 1 2 Next » Recommend Digg Twitter ShareThis Email Print Send Feedback Reprints Jump to comments Privacy Additional Resources Xerox Win a color printer! By using solid ink technology only from Xerox, you could save up to 65% by printing color for the cost of black and white. Enter for a chance to WIN a PhaserTM 8860 network color printer! Microsoft Upgrade to Internet Explorer 8 today. Save time and mitigate security risk. Deploy it now. Sybase NEXT-GENERATION MOBILITY PLATFORMS In this white paper, IDC analyzes the role of next-generation mobile enterprise platforms as organizations seek a more strategic deployment of mobile solutions. Learn the important issues you must consider before starting your next mobility initiative. Get your mobility white paper from IDC now, compliments of Sybase. White Papers & Webcasts  Informatica 9 Launch: Transform your Business. Transform your world. LIVE Nov 10, 2009 12:00 PM ET    Architecting Business Intelligence Applications for Change: The Open Solution LIVE Nov 12, 2009 02:00 PM ET   Forrester Consulting - Optimizing Users and Applications in a Mobile World Learn how to successfully deploy a WAN optimization solution that is specifically tuned for a mobile environment!   Data Protection and Disaster Recovery with iSCSI and VMware Get this on demand webcast now Faster, Cheaper and Easier to Maintain Can you afford not to upgrade your servers to today's advanced, energy-efficient technologies?   Top to Bottom Performance Management Excellence at the City of Chicago View now. The State of PCI DSS Compliance at Organizations Today Download this resource today!   Effectively Implementing Datacenter Automation Effectively select and deploy the best datacenter automation solution today! IDC Research Report: The Business Value of Consolidating on Energy-Efficient Servers Download this Resource Now!   Aligning IT to Business: The Rising Importance of Application Delivery Networks Application Delivery Networking (ADN) will play a vital role in helping enterprises incorporate strategic technologies to achieve business initiatives. HP Technology Guide for Scalable Business Solutions Download This Resource Now!   Strategies for Driving Down IT Support Costs with Lite ITIL Practices View this now! All White Papers | All Webcasts Computerworld Reports 8 Questions To Ask About Your Intrusion-Security Solution Computerworld Technology Briefings IT Service Management Computerworld Briefing - Analytics: The Art and Science of Better All Computerworld Reports Sign up to receive updates on the latest Security resources   White Papers Forrester Consulting - Optimizing Users and Applications in a Mobile World The State of PCI DSS Compliance at Organizations Today HP Technology Guide for Scalable Business Solutions Technology Brief: Technologies in HP ProLiant G6 c-Class server blades with Intel Xeon processors How to Secure and Accelerate Your Oracle Applications Enterprise Application Delivery: No User Left Behind Infonetics: WAN Optimization Appliance Market Highlights 1 Q09 WAN Application Delivery for Executives Right-Sizing Your Power Infrastructure Why Email Must Operate 24/7 and How to Make This Happen Faster, Cheaper and Easier to Maintain IDC Research Report: The Business Value of Consolidating on Energy-Efficient Servers Clipper Group Report: HP Provides Enhanced Options for Data Center Introducing the HP ProLiant G6 servers Optimize Performance of Datacenter to Datacenter Traffic Practical Strategies to Accelerate Business Applications Across the WAN Accelerate SSL Encrypted Applications Top 5 WAN Optimization Myths Can Heuristic Technology Help Your Company Fight Viruses? Eradicate Spam & Gain 100% Asurance of Clean Mailboxes Sponsored Links Play NetApp's New Data Defense Game. How Do You Rank as an Innovation Leader? Download Recent Study. Play NetApp's New Data Defense Game. Extraordinary times demand Brocade Extraordinary Networks. No Payments for Up to 6 Months on Orders over $500. NetScaler VPX : Harness the Power of Virtualized Web App Delivery 64-page prescriptive guide to security, compliance, and IT operations. Streamline IT Costs. Boost Performance with WAN Optimization Enterprise Network & Server Monitoring Software. Cross over to Traverse... Keep your IT expertise up to date. Join the Intel Premier IT Professionals. Crystal Reports Server: More options. Not more money. Parallelism is not just for HPC. Create rich apps from desktop to device. Get the eval. Tolly Performance Report  "Citrix NetScaler with nCore Outperforms F5 BIG-IP" Save up to 61% plus Free Cheesecake Find IT jobs in the Healthcare industry on Dice.com With the NEW KODAK i700 Series Scanners get full speed at 300dpi! Not All QSAs Are Created Equal: What You Should Know Before You Buy The arrival of Serial Attached SCSI (SAS) marks a new era in storage scalability The AMD Virtual Experience Virtual Trade Show New DW Options and Price Points. View Teradata Platform Family Data Sheet. See how AT&T can help protect your network. 3 Innovations. 3 Free Downloads. Free trials of Windows 7, Windows Server 2008 R2 and Exchange Server 2010. Take the Netezza TwinFin TestDrive! Citrix NetScaler with nCore Outperforms F5 BIG-IP - Learn More New Analytical Platform Options. Download Data Sheet and More. Get more enterprise mobility value for up to 25% less. Unified Communications: Thoughts, Strategies and Predictions. Join the discussion. NYUs M.S. in Management and Systems. Offered Online and On-site. Increase UPS efficiency without sacrificing protection Crystal Reports Server: Single server access to reports & dashboards Create new opportunities. See business making progress now ESET NOD32 with ThreatSense(R) - Get your free trial now! Looking to add Unix/Linux functionality to Windows? Join the conversation about the hottest IT trends with Computerworld on Twitter. ITwhitepapers.com - Access thousands of white papers on 300+ technical topics. Leverage Your Cisco infrastructure for Superior Application Performance Learn about the AMD Virtual Experience Introducing: Project Icebreaker About Us Advertise Contacts Editorial Calendar Help Desk Jobs at IDG Privacy Policy Reprints Site Map CIO Computerworld CSO DEMO GamePro Games.net IDC IDG IDG Connect IDG Knowledge Hub IDG TechNetwork IDG Ventures IDG.net InfoWorld ITwhitepapers ITworld JavaWorld LinuxWorld Macworld Network World PC World The Industry Standard Copyright © 1994 - 2009 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.