Delivering technology to a third party — whatever the scope (Business Process Outsourcing, “the Cloud”, Software as a Service) or purpose (data analytics, call centers, debt collection, eDiscovery) — is big business. Technology services confer notable time-to-market, scalability and cost containment benefits, but entail significant security risks to both the service provider and the contracting organization. These risks, and the attestation burden that comes with them, present unique Information Security challenges:
- Understanding and managing information security and compliance requirements across potentially diverse client bases.
- Being able to provide proof (attestation) that your organization is secure and compliant, preferably without the burden of questionnaires/audits from each client.
- Detecting and responding to incidents before they impact customers.
Diagnosis: BPO Pain Points
- Providing attestation regarding information security posture and/or compliance with the myriad of overlapping and ambiguous standards (e.g., HIPAA, FISMA, SOX, PCI) that a diverse client base’s information is subject to.
- Understanding existing and structuring future contractual obligations to minimize your security/compliance burden and align with your Information Security Management System.
- Managing third-party risk associated with the growing need to leverage additional service providers (e.g., colocation, public clouds, Security Operations Center) to achieve service delivery goals.
The Information Assurance “Prescription”
Addressing the unique challenges of third-party information security requires a unique and flexible approach. Without question, the single most challenging issue for business process outsourcers is third-party attestation.
Attestation (Proof) Simplified
Typical engagements include:
- Penetration Tests (Application/Network/Physical) to provide independent and objective proof of the net security posture. This is often an important form of “interim” attestation if the service provider is in the process of achieving a higher level of attestation (e.g., ISO27001, HITRUST).
- A cross-standard-mapped ISO 27002 Gap Assessment. The benefit of using 27002 as the baseline: a single assessment can be leveraged to provide evidence of compliance with dozens of standards/guidelines (e.g., HIPAA, PCI, FISMA, ISO 27001, NERC, HITRUST) that your customers may require.
- Risk Assessment (often leveraging Secure Data Flow Diagrams) to ensure that critical risks are well understood and appropriately controlled.
Understanding/Reducing Contractual Burden
Understanding current contracts and effectively structuring future ones is critical to developing an optimized Information Security Management System (ISMS), because these contracts largely define the risks the ISMS needs to address, the attestation it needs to produce, and the SLAs it is subject to.
- Third Party Contract Review – Third party contracts may contain explicit, implicit, and/or “chained” security requirements. Understanding and mapping existing contracts is critical to ensuring that the ISMS you develop fully addresses your requirements.
- Third Party Contract Development – Aligning new contracts with your ISMS and the SLA attestation you can easily produce.
Managing Third Party Risk
Increasingly, third parties providing services are leveraging other third parties (e.g., colocation, Amazon EC2) as part of the solution they provide. Much as your clients need to manage the risk associated with the services you provide on their behalf, you need to manage the risk associated with the third parties you leverage.
Our Vendor Risk Management practice ensures:
- Third party security risks and compliance requirements are identified and communicated.
- Agreements evolve as business, technologies, and threats do.
- Monitoring mechanisms ensure third parties achieve your objectives.
- Security Incidents are identified, responded to, and learned from.
Why Partner with Pivot Point Security?
Pivot Point Security has the right combination of Information Security/Compliance domain expertise, technology industry knowledge and experience, and organizational character to help you define and execute on the best course of action so you can know you’re secure and prove you’re compliant.
- Domain expertise means we know the ins and outs of the wide array of regulations (e.g., HIPAA/HITECH, PCI, PII, FISMA) that a service provider with a broad client base is subject to. It also means that we are experts in the Security Frameworks (ISO 27001, HITRUST, ISO 27002, OWASP, NIST 800-66) that should form the basis of the Information Security Management System you architect as the basis of the attestation you provide to your customers.
- Technology sector experience means that we understand the pain of endless security questionnaires and third-party audits. More importantly, we know how to alleviate it.
- Organizational character means we have the competence to do the job well in a transparent and straightforward manner that you’ll appreciate.
Pivot Point Security is a great choice for your Information Security needs.
Technology Industry Issues
Don’t Neglect the Basics. Nothing absolves you of the responsibility and accountability for the security of the information residing with your employees, customers and/or vendors. The business’ name is what clients will remember after a data security breach — not the vendor!
It is wise for businesses to build, run and maintain their Information Security Management Systems in alignment with the necessary standards and certifications.
Manage Information Security
- Risk assessment
- Due diligence in selecting a third party
- Contract structuring and review
- Provide attestation to information security posture
- Application Penetration Tests
- Network Penetration Tests
- Physical Penetration Tests
- ISO 27001 Certification
- ISO 27002 Gap Assessments
- BIT Shared Assessments
- HITRUST Certification
- PCI Compliance
The list goes on!