Over the years, organisations have outsourced a wide range of services, generally because third parties can manage them more efficiently and cost-effectively than they can themselves. As a result, security and regulatory requirements have increased substantially.
For IT departments, securing information in the supply chain is one of the biggest challenges they face today. This is because supply chains are composed of various companies, all of which have their own set of security standards, and organisations struggle to communicate their requirements to all of these different parties.
One way to approach the problem is to assess the “risk appetite” of your organisation, according to Mark Pearce, Head of Information Security at the Post Office. In other words, the IT department needs to work out what the board is prepared to accept in terms of risk, and balance that with the amount of innovation the business requires.
The next step is to stipulate a baseline that all suppliers have to adhere to. For many organisations this is ISO 27001, but others choose to stipulate their own baseline. The advantage of ISO 27001 is that it is recognised by regulators, so the organisation can easily demonstrate compliance.
Pearce said that the Post Office is a highly outsourced organisation, so it categorises its suppliers and associates risk criteria with each category. He also ensures that the contract with each supplier includes the right to audit and assess that supplier.
“We need to look at what they're doing fundamentally in their security response in terms of what their efforts are. You can supply some of it through certification but we would also like the ability to assess at the low level as well,” he said, speaking at the Infosecurity Europe 2013 conference in London.
The Post Office also classifies its data according to sensitivity, so only a supplier within a certain risk category will be able to handle a certain type of data. This applies whether they are transmitting, processing or storing the data.
Andrew Ralston, Director of Information Services and Security at Wolfson Microelectronics, said that the key is to get the security built into the contract at the start of the relationship.
However, he added that the harsh commercial reality is that some really innovative companies are just too risky to work with on a contract basis. Twice in the last couple of years Wolfson has ended up buying the company in order to get the technology while mitigating the risk, he said.
“We spend time with our suppliers talking about everything to do with security, which includes their business continuity and disaster recovery. So much of it is all about the up-front work,” he said.
Steven Babb, Head of Governance, Risk and Assurance at Betfair, said that depending on the range of suppliers that an organisation is working with, it can be very difficult to get the larger suppliers to adopt their standards. Similarly, smaller suppliers may not have the capacity and resources to comply.
It can be even harder when there are multiple levels to the supply chain, and information is getting shared up and down. Pearce said that it is essential to be absolutely clear about where data is being stored, and ensure that all contractual positions are maintained.
Alistair Wardell, Head of Client and Supply Chain Security at insurance firm Aon, said that organisations can mandate that suppliers have certain controls in place as part of the contract, and one of those controls can be that they themselves have a supplier risk management process.
“That's one of the things you want to see evidence of as part of your assessment or audit,” he said.
The cloud can potentially add another level of confusion, according to Wardell, because employees are increasingly buying these services without the IT department's knowledge, so IT is less able to secure data that is being transferred using those solutions.
Betfair is addressing this problem through technological measures and also through an acceptable use policy that stipulates what employees are and aren't allowed to do.
However, new data protection reforms as proposed by the European Commission, which will require data breach notification within 24 hours, are also likely to bring significant changes to supplier contracts.
“I think there's going to be a lot of activity once we know what the final version of the directive is going to be, and people are going to be looking at their supply chains trying to figure out how breach notification would work,” said Wardell.
Some organisations are now employing dedicated teams to ensure that their technical compliance is absolutely nailed, and to enable them to demonstrate to the regulators that they take the matter seriously. These teams can also conduct audits to check that suppliers are meeting the same level of compliance.
“In most instances I'd suggest that you need to take a very pragmatic approach rather than trying to force a supplier to do something. It's got to balance the risks that you're taking on against what are you actually bringing that supplier in to do,” said Babb.
Ralston added: “It's got to be understood that managing risk is important to the organisation. Sometimes people are so focused on getting their job done that they forget that, and it's important to make sure that you get in before any projects start, so you're seen as someone who will contribute and be useful.”
Finally, education and – where necessary – disciplinary action are the ways to ensure compliance internally within an organisation. Security chiefs need to keep a close eye on what their employees are doing and stay sensitive to their needs, but also punish them if they break the rules, according to Ralston.
“As a security function, we also have a responsibility for understanding why an individual is using these kind of tools, what are the business benefits that they are getting from this, and what can we do to provide them with a corporate solution that provides and drives and supports their innovation, while making sure what they're doing is actually secure,” he said.