Computerworld - Like any other company, my current client does not work in a vacuum. The company -- a small insurance firm -- has many partners, clients, suppliers and regulators with whom it exchanges information on a regular basis. Much of that information is highly confidential.
So far, I've tackled internal e-mail security. Now I'm working on a tougher issue: How do you know that the information remains confidential when it reaches its destination? E-mail is not only easy to forward to the wrong person; it's also vulnerable to any security breaches in your partners' systems. If you send confidential business e-mail to a client and the client suffers a security breach, that company could expose your confidential data as well as its own. So you are very dependent on your trading partners' IT security to safeguard your information.
I looked into the possibility of using digital rights management (DRM) software, which can offer control over your documents once they're out of your system by restricting to whom a document can be sent, automatically deleting it and so on.
However, my client's security team doesn't believe DRM will work. So the obvious next step is to find some way to get assurance about the security of its trading partners' systems. If we know a partner's security is relatively good, we have some assurance that data will be protected appropriately. There are several ways to gain that assurance, but they all have drawbacks.
One is to rely on the International Standards Organization's ISO 17799 certification. This security management standard isn't bulletproof -- just because you're compliant doesn't mean you won't get hacked -- but if a partner was compliant with the standard, we would at least have a warm, fuzzy feeling that it was doing the right thing. The only drawback is that, as far as we can tell, none of our partners is compliant with ISO 17799.
Not one.
It's not that we're dealing with a particularly unsecure set of companies; it's more the case that ISO 17799 compliance takes time, effort and money. And once companies earn that compliance certification, they have little to show for their effort, so few companies bother.
A second option is to send in the auditors. For major trading partners, my client often sends a team of auditors to crawl all over their systems and make sure they're doing things right. The auditors normally cover a whole range of things in addition to security, and it gives my client more assurance than it can get any
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
