BreachExchange mailing list archives

Working with third-parties: Make security a priority


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 1 Jul 2014 19:28:05 -0600

http://www.scmagazineuk.com/working-with-third-parties-make-security-a-priority/article/357460/

High-profile data breaches at Target and at three commercial banks in South
Korea were attributed to poor security at third parties, highlighting the
risk posed by outsiders operating inside the company network.

Contractors often help organisations to drive cost and productivity gains,
but their security – in light of recent data breaches – is a concern.

Third-party security was a hot topic of conversation at a recent conference
in London, where a group of experts admitted that responsibility for data
breaches is a grey area, especially as many of these third parties handle
large quantities of data without actually being the data controller.

Thom Langford, director of global security office at Sapient, said that
this is particularly problematic in the cloud: “You don't even know where
the data is half the time, it could be replicated somewhere else.”

Langford and Vicki Gavin, compliance director and head of business
continuity and information security at The Economist Group, urged companies
to manage contractors and check their security, to embed security
requirements in service-level agreements (SLAs) and to continually assess
security credibility through on-site visits and even questionnaires.
Checking contractors' incident response plans should also be mandatory,
Gavin said at the time.

The Economist carries out similar assessments with third-party partners.
Gavin said that the publisher often does ‘joint exercising’ on IT security
risks to help them understand what's required and “where the gaps are”.

Speaking to SC Magazine UK, Langford urged companies to mitigate these
risks with ‘good housekeeping’, such as knowing where data lives and
ensuring third parties are contractually obliged to safeguard data.

“I am not sure anyone could name the company that lost Target's data,” he
said.

Langford believes that there is a shared responsibility on data breaches.
“Third parties need to demand as little data as possible to get the job
done.”

Dr Guy Bunker, SVP of products at Clearswift, believes that third parties
should be made to adopt two-factor authentication when holding sensitive
data.

“2FA should be for all people who have access to large quantities of PII
(personally identifiable information) – it can be applied to the apps to
increase auditability. There is a need to have better log tracking /
analytics as well - watch for reports with 1000+ names in.”
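Bunker's “1000+ names” heuristic can be turned into a simple check over application audit logs. The following is an added illustration, not code from the article or from any of the companies quoted; the log format and the sample lines are constructed, and it goes slightly beyond the quote by also summing each third-party account's exports per day so that one large pull split into several smaller reports is surfaced too.

```python
import re
from collections import defaultdict

# Constructed sample audit lines (not from the article); the key=value
# format is an assumption about what an application's export log might emit.
SAMPLE_LOG = """\
2014-07-01T08:02:11Z user=vendor_acme action=report.export dataset=customers rows=120
2014-07-01T08:15:40Z user=vendor_acme action=report.export dataset=customers rows=1543
2014-07-01T09:01:02Z user=staff_jane action=report.view dataset=orders rows=2500
2014-07-01T09:30:19Z user=vendor_bravo action=report.export dataset=customers rows=600
2014-07-01T09:31:05Z user=vendor_bravo action=report.export dataset=customers rows=700
2014-07-02T10:00:00Z user=vendor_bravo action=report.export dataset=customers rows=50
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"dataset=(?P<dataset>\S+) rows=(?P<rows>\d+)$"
)

BULK_THRESHOLD = 1000  # the "1000+ names" figure quoted in the article

def parse_log(text):
    """Yield one dict per well-formed audit line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["rows"] = int(rec["rows"])
            yield rec

def find_bulk_exports(text, threshold=BULK_THRESHOLD):
    """Single export events that pull at least `threshold` records."""
    return [r for r in parse_log(text)
            if r["action"] == "report.export" and r["rows"] >= threshold]

def find_split_exports(text, threshold=BULK_THRESHOLD):
    """Apply the same threshold to each user's daily total per dataset, so
    several smaller exports that together exceed it are also flagged."""
    totals = defaultdict(int)
    for r in parse_log(text):
        if r["action"] == "report.export":
            day = r["ts"][:10]
            totals[(r["user"], r["dataset"], day)] += r["rows"]
    return {k: v for k, v in totals.items() if v >= threshold}

if __name__ == "__main__":
    for r in find_bulk_exports(SAMPLE_LOG):
        print("bulk export:", r["ts"], r["user"], r["dataset"], r["rows"])
    for (user, dataset, day), total in find_split_exports(SAMPLE_LOG).items():
        print("daily total over threshold:", day, user, dataset, total)
```

On the sample data the single-event check flags only vendor_acme's 1543-row export, while the daily aggregation also flags vendor_bravo, whose two exports of 600 and 700 rows would each pass an event-level threshold.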
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
