Maintaining a third-party security policy for DPA compliance

Prevent data breaches and possible brand damage by vetting and checking up on third parties' security processes.

While outsourcing services to third parties can save organisations both time and money, it's important to remember that you cannot outsource your legal responsibilities. Any data that is handled or processed on your behalf by contracted third parties remains your responsibility.

Clause 6.2 of ISO 27001 Annex A covers this area, requiring that controls be in place “to maintain the security of the organization's information and information processing facilities that are accessed, processed, communicated to, or managed by external parties.” Likewise, if you use another organisation to process personal information for you, there are safeguarding measures laid down in the DPA that you must follow. Thus, it's essential to consider outsourcing security issues before signing on the dotted line, and to have a third-party security policy in place to maintain DPA compliance.

The recent attack against marketing company Epsilon, which compromised details of Marks & Spencer’s online customers, shows third-party security controls are an area of security that needs to be taken seriously in order to avoid damages to a business’ reputation. In a case of compromised personal information, you could be deluged with claims for compensation under the Data Protection Act (DPA) from clients who suffer damage as a result.

Your first task is to identify any risks related to external parties processing data on your behalf (ISO 27001 control A.6.2.1). All identified risks must be mitigated before any data is given to the third party. This can be done by addressing all relevant security requirements in your agreements with third parties – ISO 27001 control A.6.2.3.

A commonly outsourced data process is payroll processing. This obviously involves personal information such as date of birth, national insurance number and bank account details. Any company offering payroll services must be able to provide guarantees about the security of their processing of such sensitive data.

You must also have a written contract that defines what you allow the third party to do with your information. At a minimum, it should clearly state how the provider is allowed to use the data. It must require them to have in place security measures that are the equivalent of those you would need if you were doing the job yourself. Importantly, you must also take reasonable steps to check they are taking those security measures; just signing a contract is not enough.

Visit the provider’s offices and assess the level and effectiveness of the physical security controls in place. Are visitors required to sign in and wear an ID badge, for example? Be concerned if they're not, or if visitors are allowed to wander around the offices unaccompanied.

Also review the third party's data handling and employment policies; you’re looking for evidence they take reasonable steps at the recruitment stage to check the identity and reliability of their staff and that they are trained in data handling procedures. With the growing use of spear phishing and social engineering by attackers, it’s important the third party is providing ongoing security awareness training to keep their employees up to date with the latest attacks. This should be backed up by employment contracts covering what staff can and cannot do with the personal information they handle.

Ask to see the provider’s data destruction policy to ensure you are comfortable with their processes for destroying your data when it is no longer required or when storage media and backup tapes are retired. Also ensure the process is carried out correctly. If the third party, in turn, uses a third party for destruction, ensure that company is a member of NAID (the National Association for Information Destruction) and provides certificates of destruction as legal proof that it has successfully destroyed your information. This advice goes for any data destruction company you may employ. If you sign over your sensitive information to be destroyed by a third party, you will want proof it has been destroyed, as you won’t be able to witness and verify that the destruction has been completely successful.

Employees of a third-party contractor are less likely to recognise and understand the significance of certain types of information particular to your organisation, so these need to be highlighted in your contract. If your security policy states certain classifications of data can only be accessed by users with a particular level of security clearance, this must be enforced for all users, even those from third parties. An easy way to test how rigorously a third party enforces data handling policies is to try phoning or sending an email requesting data, and see if they follow the agreed-upon procedures to verify that you are entitled to make the request; they could be committing a criminal offence if they deliberately give out personal information without your agreed form of consent!

To ensure your third-party service providers continue to deliver the appropriate level of information security and service delivery, ISO 27001 clause 10.2 covers third-party service delivery management. Control A.10.2.2 requires that the services, reports and records provided by the third party be regularly monitored and reviewed, and that audits be carried out regularly as well, while A.10.2.3 requires that any changes to the provision of services, including maintaining and improving existing information security policies, procedures and controls, be reviewed. You should also put in place business continuity plans so you can safely recover your data should the other company be hit by a disaster or suddenly face closure. Ask to see the third party's contingency plans, too.

These may seem onerous undertakings, but the service industry is constantly undergoing change, either through business mergers or the introduction of new technologies. Therefore, it is good practice to re-evaluate agreements with third parties to ensure they cover any new risks and that a new owner is aware of your particular security requirements.  

Contracts should of course ensure your intellectual property rights are protected and your data will only be processed using correctly licensed systems. The close connectivity and exchange of data between organisations provides cost savings and efficiencies, but it has to be done in a secure and controlled manner.

About the author:
Michael Cobb, CISSP-ISSAP, CLAS is a renowned security author with more than 15 years of experience in the IT industry. He is the founder and managing director of Cobweb Applications, a consultancy that provides data security services delivering ISO 27001 solutions. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Cobb serves as’s contributing expert for application and platform security topics, and has been a featured guest instructor for several of’s Security School lessons.