The first step in the due diligence process to establish whether to trust third-party suppliers is knowing who they are, said Tracy Andrew, information security and compliance officer at legal firm Field Fisher Waterhouse.
This is essential, he said, because it enables an organisation to identify what access each supplier has to internal data and to run a proper risk assessment exercise.
The risk assessment step involves looking at how suppliers access internal IT systems, what data is sent to suppliers, what they do with the data, and what non-disclosure or confidentiality agreements exist.
But drawing up a complete list of suppliers may be difficult, he warned, because some suppliers are easy to overlook, such as door-access control firms.
Only by identifying the information security risks can an organisation ensure that all the necessary controls are in place, said Andrew.
"Where third parties are processing data on your behalf, check that there are agreements and controls in place that will ensure that data is processed according to your wishes," he said.
It is also important to look at how suppliers screen their staff, what policies and procedures they have, and what accreditations they have such as ISO 9000 and ISO 27001.
"Suppliers who require appointments and photo ID to access their data centres give me a warm feeling, but suppliers who turn up to install software on site without warning do not," said Andrew.
Organisations should look for suppliers that do not raise any risk concerns, and should tap into the knowledge and experience of others in the same sector.
"Contact peers in other organisations and ask which suppliers they would choose for particular services based on their experience," said Andrew.
Suppliers should always agree to give customers the right to visit and audit their operations, he said, and this should be written into the contract.
Organisations should also involve the security team from the outset of the contract process.
At Field Fisher Waterhouse, Andrew sits between the project team and the IT team to ensure all the risks are written up at the start.
"If security is involved early on it is more cost effective as requirements are built into the original agreement and there is no need for costly revisions later," he said.
Andrew will be joined by Andrew Rose of Forrester Research, David Young of RBS and James McKinlay of Manchester Airport Group to discuss the topic at Infosec Europe 2012, 24 to 26 April in London.
The panel will debate whether there can ever be such a thing as a trusted third-party provider at 13:15 on Tuesday 24 April in the keynote theatre.