Your Other Compliance Problem: Third Party Vendors

Published: 22/11/2024   Category: security

All your internal compliance initiatives may be for naught if third parties that touch your regulated data expose vulnerabilities.
Instituting a security-compliance program is hard enough for most enterprises. But when you're also dealing with a whole mess of business partners, vendors, and even customers who must touch and manipulate your critical data, ensuring compliance often becomes a total minefield. When third parties use your IT assets, their security controls become as important to the regulators as yours are.
"A business is responsible and liable for all elements of its service offering, whether it is fulfilled internally or subcontracted to vendors," said Dr. Frank Gozzo, president and CEO of Noverant. "So once an end client imposes certain IT security requirements, it's critical to ensure the requirements are passed down to all vendors and business partners. At the end of the day, you're on the hook."
While your internal systems are certainly going to be the main focus of auditors looking for compliance gaffes, these days it's not unheard of for them to also poke into your third-party connections across the supply chain, particularly if the systems those parties handle are very sensitive.
"We are beginning to see both internal and external auditors pay far more attention to partners' environments," said Robbie Higgins, VP of security and mobile services for GlassHouse Technologies. "Specifically, with the pervasiveness of IT outsourcing, in addition to the new IT service offerings via virtualization and cloud-based offerings, more comprehensive reviews are being conducted."
As Higgins put it, in many cases when organizations outsource parts of IT, the vendor is most likely to take on the storage and management of data, so that vendor becomes as much a target for breaches as you are.
"The challenge for many organizations has been to ensure that the service levels you want, in addition to the policies and procedures you need enforced, are in alignment with what the vendor says he or she will do," he said.
The difficulty there is getting third parties to answer important questions, said Dan Sherman, director of information security for Telos, particularly when they're smaller business vendors without a background in security. Even basic questions like "Do you have an information security policy?" or "Do you have an incident response plan?" could be difficult, he said.
Read the rest of this article on Dark Reading.