Barely a week goes by without hearing about someone being threatened with fines over some form of security incident involving an outsourced operation or business partner, writes James Nunn-Price.
Perhaps more worrying are reports of security breaches being exposed much closer to home, not related to a third party. How can an organisation expect a third party to manage their operations securely and minimise fraud and security incidents if they can't control these matters themselves?
Extending the enterprise
There is no silver bullet. By making use of business partners and third-party suppliers, you are, in effect, extending your own operations. There is an inevitable risk of you giving them guidance based on your own potentially limited understanding, practices and capability. Often, through commercial negotiations, the organisation and provider end up agreeing mutual minimum levels of service, including security. This results in the third party aiming for these minimums rather than trying to surpass them and so, on occasions, not even achieving them. This is a hard cycle to break.
There are three realities that are hard to reconcile:
1. What is being done in practice
2. What the service level agreement/contract says
3. Industry good practice
Supplier assurance and improvement lifecycle
Establishing a robust supplier assurance and improvement lifecycle can help ensure that, over time, the three realities listed above become more aligned for new and existing third parties. So where do you start?
The following pointers are worth considering:
There should be a senior relationship owner who has sight of, and responsibility for, the end-to-end supplier lifecycle - from the initial definition of requirements and request for proposals, to transition, operation and beyond.
The security risks associated with the outsourced function should be identified and captured so industry good practice and initial target maturity levels can be set in commercial agreements.
Relevant service delivery and oversight processes (provider/operations), compliance checks (management) and audit (independent) should be implemented as part of business.
Change should be managed effectively - including continuous improvement within contractual agreements - so any deficiencies or improvement areas identified by either party during the above processes are acted on quickly in a trusted business partnership.
There are many places to go for ideas on how to set and measure security benchmarks, targets and capability maturities for your own and your third-party supplier's operations. BS7799, a code of practice for information security management, first published in 1995, now integrated into the ISO27000 series, is a high-level starting place. For further ideas on the underlying controls to manage suppliers securely, frameworks such as Cobit and Coso are helpful.
One thing is certain - as the threat of fraud and security incidents in outsourced operations increases, doing nothing, or even maintaining the status quo, is not an option.
James Nunn-Price is director of Deloitte security and privacy services