Third-party security: Who can you trust?

Computerworld - The largest security breach in history—combined with a host of new privacy laws—is spurring companies to scrutinize third-party data processors like never before. Sound like a positive development? Not entirely. It has turned into a massive witch hunt for security holes, resulting in untold losses in productivity throughout corporate America. The fire drill comes at a time when companies struggling to stay in the black can hardly afford a diversion of resources that doesn't deliver an equivalent value.

Everyone who works in security saw the headlines last month: "Data processor hacked; 8 million credit card numbers exposed." The massive breach at Data Processors International (DPI) reverberated in boardrooms and cubicles across the country. Companies began asking the question that won't go away: Are we truly safe giving our data to our business partners?

The DPI breach comes on the heels of numerous new privacy laws requiring companies to hold their business partners accountable to their own security standards. European, Canadian and Australian privacy laws include this tenet, as do America's own privacy statutes for the financial services and health care industries. Companies that don't manage the risks of data held by their partners face increasing exposure to fines and lawsuits.

So how are corporations responding? In the pre-Internet days, companies were satisfied with receiving contractual indemnification from their business partners—meaning the partners would be responsible for any damages caused by security breaches that were their own fault. But third parties can't repair the damage to a client's brand following a security breach. Indemnification is no longer enough to establish third-party security.

As a result, firms whose reputations are at stake are now subjecting their data partners to a battery of tests aimed at ensuring that the partners can actually meet their security obligations. This due-diligence gauntlet can include an encyclopedic security survey, a comprehensive site audit and ongoing penetration testing. The results are extremely valuable for both sides—assurance for the client, and quality improvement for the supplier.

But this path to third-party security isn't cheap. A single security review can involve multiple people on both sides for up to a month. Several companies are now assigning full-time personnel whose only jobs are to conduct and respond to third-party security reviews. The labor impact is significant, because every company is re-creating its own security standards and propagating them through its supply chains. As many as a hundred different sets of corporate security standards are now traversing the cubicles of America.

	Jay Cline manages data privacy at Carlson Companies Inc., a Minneapolis-based group of businesses in the travel, hospitality and marketing industries. Contact him at privacy@computerworld.com..

Using the same lexicon and metrics, business partners could build boilerplate descriptions of their security practices for prospective clients. Weeks and months of effort per security review would shrink to hours on both sides. Widespread adoption of a common security terminology would also reduce the time and cost needed for external auditors to do their duties.

The good news is that this security terminology has already been developed. In the early 1990s, the security officers at several British multinationals created what has become an ISO standard for security, ISO/IEC 17799. Citibank, Sony and Unisys have been certified under the standard, and the governments of Hong Kong, Taiwan and Singapore are reportedly requiring companies to receive this certification before doing electronic business with them. The standard's vague definitions need much refinement, but they're a sufficient starting point for American businesses seeking to save overhead.

Our British friends have done good work, and we should follow their lead. The next time you engage a data partner, measure them against the 17799.

ISO 17799 Code of Practice for Information Security Management 1 2 Next » Recommend Digg Twitter ShareThis Email Print Send Feedback Reprints Additional Resources POLL RESULTS Leading IT Pros Weigh In on Top IT Issues Accelerate your knowledge of the IT world you inhabit by viewing the results of a series of polls taken by your IT peers. These polls of 100+ IT professionals each are available for full viewing. They cover key topics such as virtualization, processor performance, green IT, cloud computing and many others. Be a part of the buzz. WHITE PAPER For Best Results, Think Beyond the Box Technology is complex. Keeping it running productively shouldn't be. To that end, you want to minimize the number of solutions needed in-house to simplify operations, maintenance, and support. Kodak offers a best-practices model. One company provides support for both scanner and software, for fast problem resolution without vendor finger-pointing. Download now! WHITE PAPER Accelerating the Path to Demand Intelligence with a Demand Signal Repository Utilizing demand intelligence improves the precision of pricing, product assortments, channel/store placement, and promotion, which are all essential for sustainable revenue management performance. Learn more, download this free whitepaper today. White Papers & Webcasts Accelerate SSL Encrypted Applications The amount of SSL traffic is growing in the enterprise. Because it is encrypted, it cannot be properly controlled and accelerated. Blue Coat...   Data Protection and Disaster Recovery with iSCSI and VMware Data protection and disaster recovery are top of mind for any IT manager, and the challenges of complexity and cost remain as obstacles.... ESG Lab Field Audit Many companies have successfully implemented Riverbed WAN optimization solutions within their Cisco networks. This ESG Lab Field Audit document explores the success that...   Usability Is Everything Learn what sets Workday's HR and Payroll solutions apart from the competition.... Shape Your Apps Strategy to Reflect New SaaS Licensing and Pricing Trends Why are smart companies choosing software-as-a-service? Find out in the complimentary Forrester Research report...   The Value of Real SaaS at Workday Cost savings, speed to value, and innovation brought to the enterprise by Workday's software-as-a-service solutions for HR and Payroll.... Natural User Interface for Enterprise Applications Learn how a revolutionary user interface can make a complex enterprise application so intuitive even casual users can jump right in....   SaaS at Flextronics, Inc. Dave Smoley, CIO of Flextronics, discusses the real value of software-as-a-service and why he chose Workday for his HR solution.... A Truly Global HCM System Learn about a system built with advanced object-oriented technology that support multi-national requirements and costs less to implement, maintain and upgrade....   Why Compliance Pays This OnDemand webcast explores the relationship that firms with best compliance records have higher revenue, greater customer retention, lower financial losses from data... All White Papers | All Webcasts Computerworld Reports An Interactive eBook: Enterprise Security The Business Case for Server Virtualization Computerworld Technology Briefing: Intelligent Users Use Business Intelligence All Computerworld Reports Sign up to receive updates on the latest Security resources   White Papers Accelerate SSL Encrypted Applications Shape Your Apps Strategy to Reflect New SaaS Licensing and Pricing Trends A Truly Global HCM System Moving Beyond Monolithic - What's Next for Enterprise Application Architectures? MarketVibe: Communications and Collaboration Needs at Business Organizations The Value of Network and Application Visibility by Aberdeen The CIO's New Guide to Design of Global IT Infrastructure Five Steps to Successful IT Consolidation IBM Lotus Notes Performance Brief Centralized Data Backup and Your WAN ESG Lab Field Audit Natural User Interface for Enterprise Applications Craft a Strategy to Lower Your Total Cost of Ownership The Shortcut Guide to Managing Certificate Lifecycles Differentiating With Technical Support: JBoss Customer Support Study The JBoss SOA Assessment Tool: Spend Less, Do More 2007 Gartner Magic Quadrant Report Microsoft SharePoint Performance Brief ESG - Why SharePoint Needs Riverbed WAN Optimization Business Value of Performance IDC Whitepaper Sponsored Links HP StorageWorks products-control, consolidation and confidence. 64-page prescriptive guide to security, compliance, and IT operations. Looking to add Unix/Linux functionality to Windows? FREE guide to saving up to 95% on network hardware costs. Start saving today! Enhance your career with a Boston University online Master's in CIS Find IT jobs in the Healthcare industry on Dice.com Network Tools Made By Engineers for Engineers Live Webcast: Building a More Productive Organization  A User Perspective With the NEW KODAK i700 Series Scanners get full speed at 300dpi! ITwhitepapers.com - Access thousands of white papers on 300+ technical topics. Leverage Your Cisco infrastructure for Superior Application Performance Learn about the AMD Virtual Experience Introducing: Project Icebreaker Introducing the new HP ProLiant G6 server family Wait for the upturn, or get ready for it with Capgemini's Technovision study. Download it here. Instantly know your IT service state - anytime, anywhere @ AccelOps.net Try the best rules engine free! Decisions.FICO.com Learn How to Create a High Performance Workplace Thrill Dad this Fathers Day and save up to 66% plus 4 FREE Caramel Apple Tartlets from Omaha Steaks. ESET NOD32 with ThreatSense(R) - Get your free trial now! Join the conversation about the hottest IT trends with Computerworld on Twitter. Create business data you can believe in with data governance Not All QSAs Are Created Equal: What You Should Know Before You Buy The arrival of Serial Attached SCSI (SAS) marks a new era in storage scalability The AMD Virtual Experience Virtual Trade Show About Us Advertise Contacts Editorial Calendar Help Desk Jobs at IDG Privacy Policy Reprints Site Map CIO Computerworld CSO DEMO GamePro Games.net IDC IDG IDG Connect IDG Knowledge Hub IDG TechNetwork IDG Ventures IDG.net InfoWorld ITwhitepapers ITworld JavaWorld LinuxWorld Macworld Network World PC World The Industry Standard Copyright © 1994 - 2009 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.