Don't forget to review the security of third party vendors

A recurring theme of this blog is the importance of verifying the security of third party vendors. It was one of my top security topics for this year (see here) back in January, where it was stated that you cannot outsource responsibility for security, so make sure you know how well third party vendors are looking after your organisation's assets.

More recently (see here) the point was repeated and the question was: how far did you go in ascertaining the partner's security prior to forming the relationship?

The need to do so has always appeared obvious and I’ve worked hard to develop processes making the assessment of third party vendors a matter of routine and a key performance indicator.

The FSA clearly feels the same way because it has stated a “major concern” that firms are not checking that outsourcing suppliers have the right IT security and policies in place for handling their customers’ details.

This is in response to the news that Barclaycard sent out the wrong account details to thousands of customers, an incident which has highlighted the importance of financial services firms checking the processes and procedures of companies to which they outsource back office functions (see here).

I frequently visit the premises of third party vendors that my organisation outsources to. It’s always a revelation – usually a positive one – and an opportunity for both sides to identify potential weaknesses not only in IT-related processes but also in manual data processing and physical security.

The view from here is to consider a third party vendor as an extension of your business and assess security accordingly.