Online Partnering Questions

The following is a series of questions you should ask partners before you link your systems, whether through supply-chains, customer-relationship management, or as a member of an exchange. The sensitivity level of the data to be shared will dictate the appropriate depth of inquiry:

  • Are the devices–servers, routers, and firewalls–your company will use to collaborate dedicated to our company, or are they also used with your other partners/customers? If shared, what have you done to ensure that those other parties can’t access our data?
  • Does your company use a server farm or other third party to host its servers? What’s the name of the third party? What security and confidentiality obligations is the third party under? How long has the hosting provider been in business? Under what circumstances might your company change the third-party hosting provider?

These questions should also be posed to the hosting provider:

  • Do you receive security-vulnerability advisories from organizations such as the Computer Emergency Response Team Coordination Center? If yes, which advisories do you receive and what actions are taken?
  • Do you have an established computer-incident response program? If yes, may we have a copy? Does the program include notification and escalation procedures to ensure we are notified in the event of an intrusion?
  • Has your IT environment undergone a penetration or vulnerability assessment performed by a recognized third party? If yes, may we have a copy? If not, would you be willing to undergo such tests?
  • Will any element of your collaboration involve an outsourced service? If so, repeat the vulnerability-assessment questions.
  • Has your company taken steps to create and maintain security awareness for data-processing employees and users of systems and networks?
  • Has your organization conducted a formal risk analysis to identify information-security threats and quantify potential loss exposures?
  • Do you have procedures in place to ensure documents containing sensitive information aren’t discarded in readable form and are shredded or burned?
  • Do you have specific procedures for cleansing and/or destroying computer media to ensure confidential information is adequately protected?

Source:
Judicious Partnering
by James Kalyvas
Optimize, December 2002, Issue 14

Like this content? Why not share it?
Share on FacebookTweet about this on TwitterGoogle+Share on LinkedInBuffer this pagePin on PinterestShare on Redditshare on TumblrShare on StumbleUpon

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.