Suppliers and data security – is your information safe?

Add to: Digg Add to: Del.icio.us Add to: Facebook Add to: Furl Add to: Google Add to: Live Spaces Add to: MySpace Add to: StumbleUpon Add to: Twitter
Thursday January 16, 2014 at 10:00am
Many organisations today rely heavily on outsourced functions to enable them to supply services or to make sure they run efficiently. Small businesses will often outsource their payroll systems for example; they might use a mailing house or marketing agency to send out newsletters and direct mail. Larger organisations will often outsource data processing functions or software development. There is nothing really new in this practice. But as organisations outsource more critical business processes, what consideration is given to assuring the physical security and information management compliance of the provider being used?

Are your suppliers secure?
From my experience most organisations seeking for example to outsource development of software or manipulation of data, will generally focus upon: a) price of supply and b) service delivery performance. Often a credit check is performed on the company in question in order to demonstrate solvency, but how many do a risk assessment on security?

If data is being outsourced, has a fundamental risk assessment been performed on the ‘asset value’ and the risks associated with its transfer to a third party? Sadly, often not. Principle Seven of the Data Protection Act 1998 requires that ‘Organisational and technical security measures’ must be adopted to safeguard data.

So what have I seen to-date? I have visited one software re-seller where outsourced activity was transferred to a micro business – where physical security was non-existent. Doors were wide open to car parks, staff un-vetted, poor password management deployed etc.

Another business I visited some three years ago in the ‘Silicon-Roundabout’ area of London, had such poor security that I wandered in off the street and had got to the boardroom before anyone queried who I was! Yet I was there to conduct a supplier audit.

How do you check the security of your suppliers?

ISO27001: 2013 the International Standard for Information Security advocates careful assessment of all new suppliers. A structured process should be adopted - possibly with determination via a risk assessment – as to the potential threat that such a relationship might entail if entered into without care.

An audit should be undertaken using a structured checklist of questions requiring evidence. There is much to select within Annex A of ISO27001: 2013 to assist in this process. It is essential that people performing these audits are suitably qualified and competent. If you’re using your own staff they may need additional training.

Organisations should determine a structured evaluation and acceptance criteria for new suppliers, possibly with senior management approval once all risks have been carefully reviewed, assessed and mitigated where possible. In addition a programme of on-going review and careful monitoring should be adopted.

Not only are there the potential problems with the information commissioner if your business fails to comply with data protection requirements for any data you hold and share, but there are the potential disruptions to consider of using a supplier who could ‘lose’ or misuse your data.

The first step is to recognise that there are risks involved in any data sharing activity – which means any supplier to whom your provide customer, prospect, indeed any personal information. Having recognised the risk ISO 27001 and an information security audit are great tools for assessing the level of risk and putting measures in place to minimise it.

Marcus Allen
Parker Management Consultants

Comments on this post:

There aren't any comments for this post yet. Why not be the first to comment?

Share your experiences:

Your Name  
(to appear with your comment)
Email Address  
(will not be published)
Comments:  
Human Validation Check  
In the box below, please type the characters that you see in the picture. This helps us to ensure a real person (and not a crafty computer!) is submitting this form.

Enter the code shown to the left:

Parker Management Consultants, 1st floor, Dominion Court, 43, Station Road, Solihull, B91 3RT Contact us here