
DATA PROTECTION ESSENTIALS

Protecting partner processes


Perry Carpenter, Contributor
06.19.2008




Businesses constantly struggle with the question of whether to create, host and manage a business function internally, or trust a third party to do the heavy lifting. With increasing frequency, a financial analysis argues for outsourcing. But with more than 217 million records compromised, customers, the government and media are bringing increased scrutiny on data protection.

In turn, financial enterprises must be vigilant data guardians, in particular when outsourcing business functions and evaluating the security of partner processes.

Luckily, being a vigilant guardian doesn't necessarily require significant monetary investment. Instead, here are five tips for adopting a protective mindset that helps offset outsourcing risk:

  1. Be stingy
    Sure, there are times when the easiest thing to do is to turn over a flat-file or database extract containing every customer name and associated data element; your potential business partner might even encourage it. But that is not being a good guardian. Instead, make partners provide a relevant justification for each data element. Ask why they would need a particular data element, what will be done with it and whether a business goal could be accomplished without it. Be sure to follow up with project staff to ensure the production feed contains only those elements agreed upon. Partners can't lose or mismanage what you don't give them.
  2. Put it in writing
    Use contracts, statements of work, technical interface agreements and service agreements as a means of rigorously and clearly outlining your expectations with respect to data protection. The business partner should have no doubt regarding the company's expectations for data protection and should be sufficiently motivated to provide such protection. Provide appropriate policy documentation, boilerplate and/or circumstance-driven language, and contact lists. Demand the right to audit/review partner security processes annually or on an as-needed basis (personally or through a mutually agreed-upon third party).
  3. Be transparent
    Customers should receive clear notice if their data is being sent to a third party. This can be in the terms and conditions, privacy policy, mailing inserts and so on. Data protection is a means of customer service and respect. An extension of that respect is to ensure that customers have an accurate picture of how that data is used. Another benefit of this is on "the other side" of a breach. If a third-party breach occurs that impacts the primary company's customers, the primary company had better have stated that such data may be transmitted to third parties.
  4. Back up your actions with technical controls
    Here's where the monetary investment comes in. As with all things security, a layered defense is the best offense. Consider technologies such as data leak prevention (DLP) tools, Web application firewalls, XML security gateways and other traditional secure data-transfer controls in order to detect and prevent the inappropriate movement of sensitive data.
  5. Rinse and repeat
    Once all that is done, start again. Contracts run their term, project goals and business paradigms shift. There will always be a need to re-evaluate the company's position with business partners. Evaluate and re-evaluate the security posture and capabilities of your business partners by invoking the security review clauses in your contracts. Understand the current company, regulatory and societal risk tolerances and adjust accordingly. Learn from both success and failure.
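Tip 1 asks you to confirm that the production feed carries only the data elements the partner justified, and tip 4 asks for technical controls that catch inappropriate movement of sensitive data. The following is an added example, not code from the article or from any product it names: a small pre-release check that compares an outbound CSV extract against an agreed element list and flags unagreed columns whose values look like regulated identifiers. The element names, regexes and sample feed are constructed for illustration.

```python
import csv
import io
import re

# Constructed sample: the data elements the partner justified (hypothetical names).
AGREED_ELEMENTS = {"customer_id", "postal_code", "account_status"}

# Illustrative patterns for elements that must never leave without explicit
# agreement; a real DLP tool would carry tuned, validated rules instead.
SENSITIVE_PATTERNS = {
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "card_number": re.compile(r"^\d{16}$"),
}


def check_feed(feed_text, agreed=AGREED_ELEMENTS):
    """Compare an outbound partner extract against the agreed element list.

    Returns a dict with:
      extra_columns   - columns in the feed that were never justified
      missing_columns - agreed columns absent from the feed
      sensitive_hits  - {column: pattern_name} for unagreed columns whose
                        values match a regulated-identifier pattern
      approved        - True only when the feed matches the agreement exactly
    """
    reader = csv.DictReader(io.StringIO(feed_text))
    columns = set(reader.fieldnames or [])
    extra = columns - agreed
    missing = agreed - columns
    hits = {}
    for row in reader:
        for col in extra:
            value = (row.get(col) or "").strip()
            for name, pattern in SENSITIVE_PATTERNS.items():
                if pattern.match(value):
                    hits[col] = name
    return {"extra_columns": sorted(extra), "missing_columns": sorted(missing),
            "sensitive_hits": hits, "approved": not extra and not missing}


# Constructed sample feed: a "give them everything" extract carrying two
# elements the partner never justified.
SAMPLE_FEED = """customer_id,postal_code,account_status,tax_id,full_name
1001,30301,active,123-45-6789,Jane Doe
1002,30302,closed,987-65-4321,John Roe
"""

if __name__ == "__main__":
    for key, value in check_feed(SAMPLE_FEED).items():
        print(f"{key}: {value}")
```

Run it as a gate in the job that produces the feed, so an extract that drifts from the agreed element list is blocked before it reaches the partner rather than discovered in an annual review.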

About the author:
Perry Carpenter has spent nearly a decade working in IT and information security. Currently serving as the information security manager for a large wireless carrier, he has expertise in identity management, application security and data encryption and privacy. Earlier in his career he specialized in application development and Active Directory implementations. He maintains a security resource Web site at SecurityRenaissance.com.




