Barely a week goes by without hearing about someone being threatened with fines over some form of security incident involving an outsourced operation or business partner, writes James Nunn-Price.
Perhaps more worrying are the reports of security breaches being exposed much closer to home, with no third party involved at all. How can an organisation expect a third party to run its operations securely, and to minimise fraud and security incidents, if it cannot control these matters itself?
Extending the enterprise
There is no silver bullet. By making use of business partners and third-party suppliers, you are, in effect, extending your own operations. There is an inevitable risk that the guidance you give them is based on your own, potentially limited, understanding, practices and capability. Often, through commercial negotiation, the organisation and the provider end up agreeing mutual minimum levels of service, including for security. The third party then aims for these minimums rather than trying to surpass them and, on occasion, fails to achieve even those. This is a hard cycle to break.
There are three realities that are hard to reconcile:
1. What is being done in practice
2. What the service level agreement/contract says
3. Industry good practice
Supplier assurance and improvement lifecycle
Establishing a robust supplier assurance and improvement lifecycle can help ensure that, over time, the three realities listed above become more closely aligned for both new and existing third parties. So where do you start? The following pointers are worth considering:
There should be a senior relationship owner who has sight of, and responsibility for, the end-to-end supplier lifecycle - from the initial definition of requirements and the request for proposals, through transition and operation, and beyond.
The security risks associated with the outsourced function should be identified and recorded, so that industry good practice and initial target maturity levels can be written into the commercial agreements.
Relevant service delivery and oversight processes (provider/operations), compliance checks (management) and audits (independent) should be built into normal business operations rather than run as one-off exercises.
Change should be managed effectively - including provision for continuous improvement within the contractual agreements - so that any deficiencies or areas for improvement identified by either party during the above processes are acted on quickly, in a trusted business partnership.
Benchmarking
There are many places to go for ideas on how to set and measure security benchmarks, targets and capability maturity levels for your own operations and those of your third-party suppliers. BS7799, a code of practice for information security management first published in 1995 and now integrated into the ISO27000 series, is a high-level starting point. For further ideas on the underlying controls needed to manage suppliers securely, frameworks such as Cobit and Coso are helpful.
One thing is certain: as the threat of fraud and security incidents in outsourced operations increases, doing nothing, or even maintaining the status quo, is not an option.
James Nunn-Price is director of Deloitte security and privacy services