
Gartner: Vetting security of third-party partners in five steps

As the partner ecosystem expands, companies need to find a better way to vet security practices of third parties. Gartner offers some practical tips.

CHICAGO -- As IT departments expand their ecosystem of outside providers, can those same allies be trusted when it comes to security and privacy? In fact, vetting security programs of third parties to assess whether they are on par with the standards required of one's own organization is turning into a big job for many companies.

"In the past year or so, I've been getting an escalating number of calls from clients … asking, 'What is a good way of doing this? We seem to be spending an awful lot of time doing this,'" said Gartner Inc. analyst Arabella Hallawell.

Hallawell, research vice president, information security and risk, at the Stamford, Conn.-based consultancy, offered advice for how to build a better and cheaper third-party security program at the Gartner Risk Management and Compliance Summit in Chicago last week.

A governance problem: Security comes after the fact

Third-party risk evaluation is time consuming, according to Gartner data. Most companies report spending more than 3,000 hours per year assessing the security controls of their suppliers, vendors and business partners.

Part of the reason for all those hours is that companies tend to treat all vendors equally. But probably the bigger factor is that vetting security tends to be done after the contract is signed.

The person or team in charge of security needs to be involved in third-party negotiations early on, Hallawell said. But, ironically, security is often perceived as a threat by the sourcing team, whose thinking runs: better to leave security in the dark than to risk stalling the contract or making the deal more expensive.

That strategy is shortsighted. Audit and regulatory mandates are shifting to the security team. Unless companies lay out stringent security requirements in their contracts and use them as key evaluation criteria, they could end up paying for security problems, big time, Hallawell said.

The following are five practical tips from Hallawell for vetting security programs of third-party partners:

1. Bake the costs of the partner risk assessment into the sourcing analysis. Then if more controls/tools are required, get more money from the business unit. Often, IT is asked to vet the security controls of third parties without any funds, and Gartner client data shows that evaluation can cost from 4% to 11% of the base cost of a deal. For example, cross-cultural training sessions to educate vendors and partners on the company's security policies and practices can cost $50,000 per session, according to respondents in the Gartner survey. Multiple trips to India for the security team? $150,000.

In addition to obvious costs, such as trips to the host country in the case of offshore providers, there may also be fees for international legal specialists, regulatory compliance, asset management and so on.

2. Develop a security and control strategy for each line of service. For application production and support, security concerns include privacy of sensitive data and cross-border access to live production data. For app development, the biggies include IP exposure, "backdoors" in code and the leakage of corporate domain knowledge. Availability, privacy and discovery practices are big issues in Software as a Service (SaaS) contracts.

3. Make sure your legal department develops a program that ensures a consistent approach to managing all SaaS/cloud contracts. Any company that considers pointing its email to the cloud needs to negotiate up front on the process, cost and duties of legal discovery and retention requirements. Companies should know up front how to handle requests for access to corporate messages from government agencies such as the FBI or the National Security Agency in the U.S. Companies with European operations and employees need to ascertain if hosting partners can meet the European privacy requirements. In general, privacy practices of SaaS/cloud providers are cloudy. Companies need to do their own due diligence.

4. Have your IT security team (or person) develop an evaluation program that ensures a consistent approach to all SaaS/cloud relationships. Security and integration issues abound in any hosting relationship. Something like directory integration, in particular, can lead to disputes because it can be handled in so many ways. A host can join the corporate Active Directory or create an "external resource forest" or host the entire directory. The roles and responsibilities required of each approach need to be spelled out before the contract is signed.

Some security requirements that should apply to all SaaS contracts? Companies need reassurance that a breach in one customer's environment will not pose a risk to them. They should request that Simple Mail Transfer Protocol email relays use Transport Layer Security when possible, for beefed-up over-the-wire security.
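The contract language above ("TLS when possible") maps to a concrete relay setting, and the difference between opportunistic and mandatory encryption is worth spelling out when the requirement is written down. The following Postfix main.cf fragment is an added example, not from the article or from Gartner; the partner domain `partner.example`, the map path `/etc/postfix/tls_policy` and the CA bundle path are placeholders.

```ini
# Postfix main.cf fragment (added example; paths and domain are placeholders).
# Postfix only treats a line that starts with "#" as a comment, so comments
# are kept on their own lines rather than after a value.

# Weak: the historical default. Outbound mail to other sites is never
# encrypted, even when the remote relay offers STARTTLS.
# smtp_tls_security_level = none

# "TLS when possible" (opportunistic): encrypt if the remote relay advertises
# STARTTLS, otherwise fall back to plaintext without complaint. This is the
# minimum a SaaS contract should ask for, but on its own it gives no
# guarantee for any particular partner.
smtp_tls_security_level = may

# Raise the floor per destination. Mail to the partner domain is refused
# rather than delivered in the clear, and the server certificate is
# checked against the CA bundle.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# Log one line per connection ("Trusted/Untrusted TLS connection
# established ...") so the relationship can be audited afterwards.
smtp_tls_loglevel = 1

# Accept STARTTLS from the partner's relay on the inbound side as well.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/ssl/certs/mail.pem
smtpd_tls_key_file = /etc/ssl/private/mail.key

# --- /etc/postfix/tls_policy (run "postmap /etc/postfix/tls_policy" after
# editing; the key is the next-hop destination, not the MX host name) ---
# "encrypt" = TLS is mandatory but the certificate is not verified.
# "secure"  = TLS is mandatory and the certificate must chain to the CA
#             bundle and match the destination name.
# partner.example    secure   match=partner.example:.partner.example
```

The audit side matters as much as the setting: with `smtp_tls_loglevel = 1`, a delivery to `partner.example` that logs no "TLS connection established" line is a contract violation by one side or the other, and the `secure` policy turns a partner whose certificate lapses into a bounced message rather than silent plaintext.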

5. Set a formal process for integrating security and privacy into your vendor management program. Tier your suppliers according to business risk and criticality of the relationship. Work with legal and procurement to ensure security language goes into every contract. Some companies even require security sign-off on every deal.

Let us know what you think about the story; email: Linda Tucci, Senior News Writer
