CIOReview | 9 | DECEMBER - JANUARY

security. Infrastructure as a Service (IaaS) provides the most freedom, such as resources to deploy operating systems and software, and customers may be responsible for its patching, network security, and even host infrastructure security, in addition to software, access, and data security. All of this comes with cost, necessitates expertise, and shifts risk.

Contractual Obligations and Accountability

Establishing clear contractual obligations that match your regulatory obligations is another critical aspect when dealing with third parties. Contracts should explicitly outline security expectations, data retention and sharing rules, and breach notification requirements; define roles and responsibilities; and specify which party is responsible for each security measure. Consider incorporating clauses that mandate vulnerability assessments, penetration testing, and periodic security audits to provide assurance over the design and operating effectiveness of the vendor's controls, and consider a right to audit. To ensure accountability, consider including recovery of loss in the event of a security incident. Regularly review and update contracts to align with evolving security standards and industry best practices.

Ensure Regulatory Compliance

Digital transformation may seek to outsource aspects of technology capabilities, but businesses cannot entirely delegate regulatory responsibility. They must ensure vendors adhere to equivalent standards to meet regulation, or face the potential for legal consequences, hefty fines, or reputational damage. Governments in the Asia Pacific region have enacted stringent data protection laws and regulations, with Australia leading the charge. 2019 was defined by the commencement of the Australian Prudential Regulation Authority's Standard CPS 234 for Information Security. 2022 was marked by compelling amendments to Australia's Security of Critical Infrastructure Act. Set the expectation that third parties support required compliance with these frameworks, as regulatory bodies will expect this of you.

Ongoing Monitoring and Risk Assessment

It is essential to establish an ongoing monitoring program that covers adherence to agreed-upon security controls, compliance with regulations, and periodic reassessments to evaluate changes in the vendor's security posture, or changes in the external environment that shift risk. These assessments should also take into consideration recent attacks and incidents within the industry. Hold regular service level agreement discussions; during these meetings it may be suitable to drill down into the design of specific security controls that raise concern.

Incident Response Planning and Testing

Preparing for the worst, and hoping for the best, is the common school of thought when considering security incident response. This necessitates collaboration with vendors to develop a joint response plan that offers utility and flexibility. Plans should outline roles, responsibilities, and communication channels during an incident. Regularly test and update the plans to ensure their effectiveness. Conduct joint incident response drills to assess coordination, and incorporate lessons learned. By proactively planning and testing, organisations can minimise the impact of security incidents and expedite recovery efforts.

Don't Forget Fourth Parties

Performing due diligence also involves understanding fourth parties. Discover whether data is being shared with them, or whether the services under consideration depend on their resilience. Remember, the third-party security chain is only as strong as its weakest link. Look for vendors aligned to established security frameworks, holding certifications, and taking a proactive approach to IT risk management.

Conclusion

Digital transformation calls for organisations to recognise that their security posture extends beyond internal systems. Third-party security plays a crucial role in protecting data, ensuring regulatory compliance, and enhancing overall business resilience. By investing in third-party security, organisations can identify weaknesses, mitigate risks, and partner in success. Remember, proactive security measures will not only protect your organisation but also enhance customer trust and reinforce your reputation in the market.