The following is a series of questions you should ask partners before you link your systems, whether through supply chains, customer-relationship management, or as a member of an exchange. The sensitivity level of the data to be shared will dictate the appropriate depth of inquiry:
- Are the devices (servers, routers, and firewalls) your company will use to collaborate with us dedicated to our company, or are they also used with your other partners and customers? If shared, what have you done to ensure that those other parties can't access our data?
- Does your company use a server farm or other third party to host its servers? What’s the name of the third party? What security and confidentiality obligations is the third party under? How long has the hosting provider been in business? Under what circumstances might your company change the third-party hosting provider?
These questions should also be posed to the hosting provider:
- Do you receive security-vulnerability advisories from organizations such as the CERT Coordination Center (CERT/CC)? If yes, which advisories do you receive and what actions are taken when one arrives?
- Do you have an established computer-incident response program? If yes, may we have a copy? Does the program include notification and escalation procedures to ensure we are notified in the event of an intrusion?
- Has your IT environment undergone a penetration or vulnerability assessment performed by a recognized third party? If yes, may we have a copy? If not, would you be willing to undergo such tests?
- Will any element of your collaboration involve an outsourced service? If so, repeat the vulnerability-assessment questions.
- Has your company taken steps to create and maintain security awareness for data-processing employees and users of systems and networks?
- Has your organization conducted a formal risk analysis to identify information-security threats and quantify potential loss exposures?
- Do you have procedures in place to ensure that documents containing sensitive information aren't discarded in readable form, but are instead shredded or burned?
- Do you have specific procedures for sanitizing and/or destroying computer media to ensure that confidential information is adequately protected?
by James Kalyvas
Optimize, December 2002, Issue 14