Ensure Proper Security with Third-Party Suppliers

POWERFUL INSIGHTS

Companies are relying more and more on outsourced service organisations to manage or store corporate data and support business services such as IT, human resources, legal, marketing and facilities. Although there is a strong business case for outsourcing processes, one area that cannot be outsourced is the risk associated with loss of data, damage to corporate branding, breaches in confidentiality, and failure to comply with legal and regulatory requirements. These factors become increasingly important because of growing enforcement of regulations as data is transferred across jurisdictions and the ability to govern risk moves beyond country and corporate boundaries. Ensuring the protection of information assets within outsourced services requires a security assurance lifecycle from tender to service closure.

The Ponemon Institute recently released figures showing that the percentage of incidents where a third party was responsible for a data breach increased from 21 percent in 2005 to 44 percent in 2008. The problem is growing, commensurate with the general move to outsource services.

Issue

Any outsourced process relies on the provider having a clear understanding of the client’s requirements. However, for many clients, security requirements have been produced over many years with the assumption that the client would have complete control over the people, processes and tools used to perform the tasks. Generally, the vendor will be providing a leveraged service, and the security controls applied to that service are standard across all clients. The key challenge is whether these generally applied controls are appropriate for the level of risk clients are willing to accept. The security controls may either be too regimented (thereby increasing cost and impacting functionality) or not tightly controlled enough to meet expected requirements.
Such differences in expectations and requirements can become locked in for the lifetime of the service if the contract between client and vendor does not clearly define the precise security controls. Poorly defined contracts can lead to significant difficulties for both client and vendor, and ensure that neither party achieves value from the service.

Challenges and Opportunities

For the client, the main challenges are to ensure that corporate security requirements are adapted for use in an outsourced environment, ensure vendors are aware of requirements, check that vendors have implemented required controls, and receive information about the effectiveness of those controls. Opportunities exist for clients because, if implemented well, a standardised set of requirements and due diligence mechanisms can reduce risk, improve the efficiency of processes, and allow vendors to deploy leveraged people, processes and tools.

Vendors can face significant difficulties in ensuring they provide appropriately secure services to their clients. Security controls should be deployed to support business objectives as detailed in organisational policies and standards. However, in a leveraged environment, controls have to support all policies and standards required by all clients, while also providing the cost efficiencies that allow clients to realise a more cost-effective service than could be provided in-house. Vendors need to demonstrate what security controls are in place and help clients assess the risks posed by any gaps.

Our Point of View

Clear, unambiguous security requirements designed for outsourced processes, combined with a standardised due diligence and reporting system, enable both client and vendor to achieve the required business and security outcomes from outsourcing. Security requirements are dynamic and are likely to change as legal and regulatory rules are updated and new threats and vulnerabilities emerge.
As such, a governance framework for managing third-party relationships needs to be maintained and flexible enough to ensure risks are being managed appropriately over time.

PROVEN DELIVERY

How We Help Companies Succeed

Protiviti provides a wide suite of outsourced security process consulting services, covering all aspects of vendor management from engagement and service fulfilment through to disengagement. We have successfully helped our clients meet these challenges in three key areas:

• Defining and communicating security requirements – Ensuring clients are able to articulate their security requirements clearly to outsourced vendors.
• Providing ongoing third-party assurance – Delivering a due diligence programme for third-party suppliers and vendors to ensure client security requirements and expectations are met.
• Third-party solution assurance – Acting as a trusted independent bridge between vendors and clients to ensure new solutions and services have client security requirements included from the specification stage.

Benefits we have helped our clients to achieve include:

• Cost-effective and repeatable security assurance – Our clients are able to verify to interested parties that outsourced services comply with required security and privacy standards such as PCI-DSS and ISO 27002.
• Reduced sourcing costs and added value – Our clients are able to build standard external requirements documentation. This can greatly reduce the time and staffing costs associated with negotiating security controls with each individual vendor.
• Process improvement and efficiency – We use proven process and risk methodologies. This ensures the security management of outsourced services is as efficient and effective as possible.

Example

Our client is a credit card provider that makes use of third-party suppliers globally to support numerous business activities and services. Sensitive data and critical business processes may be entrusted to third-party vendors. We have performed a number of vendor management services for this client, including:

• Developed a documented and repeatable engagement process within the sourcing department and security group to ensure that new and existing third-party suppliers are assessed in a consistent manner that is aligned with the risk they pose to the organisation.
• Developed a questionnaire for vendor due diligence reviews that focuses on eight key areas of information security risk: logical access, physical security, disaster recovery, information security management, letter shop, telemarketing, data protection and business practices.
• Jointly developed a risk matrix for scoring answers to questions commensurate with the client’s appetite for risk.

The client has realised a number of key benefits from engaging us:

• Documented and repeatable process defined and implemented.
• Vendor due diligence carried out globally in a consistent, cost-effective and independent manner.
• Ability to supplement security team responsibilities, enabling the team to focus on other high-risk priorities.
• Reports produced were understood by senior management and technical teams alike.

Contacts

Jonathan Wyatt
+44.207.930.8808
jonathan.wyatt@protiviti.com

Ryan Rubin
+44.207.389.0436
ryan.rubin@protiviti.co.uk

About Protiviti

Protiviti (www.protiviti.com) is a global business consulting and internal audit firm composed of experts specializing in risk, advisory and transaction services. The firm helps solve problems in finance and transactions, operations, technology, litigation, governance, risk, and compliance. Protiviti’s highly trained, results-oriented professionals provide a unique perspective on a wide range of critical business issues for clients in the Americas, Asia-Pacific, Europe and the Middle East. Protiviti has more than 60 locations worldwide and is a wholly owned subsidiary of Robert Half International Inc. (NYSE symbol: RHI). Founded in 1948, Robert Half International is a member of the S&P 500 index.

© 2009 Protiviti Inc. An Equal Opportunity Employer. PRO-1009-107075
Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.