IT Compliance and Controls

Converging Business, Information, and Controls


Data Security and Privacy in a Downturn with 3rd Party Providers

February 27th, 2009

Recently I contributed to a CIO Magazine and Network World piece on the impact to security and privacy in a downturn. Specifically, what happens to all that sensitive data that was once locked behind doors and large security systems when the lights go out and the auction gavel hits the block? Please see the article at Network World, and a timely post at LogBlog entitled “Is your data protected if the company closes its doors?”.

Given those articles as the backdrop, there are two major concerns for executives and businesses that rely on third party firms (which is approximately 99% of the world).

The first is the ability to deliver services without the incumbent service provider.

  • When setting up third party service providers, consideration must be given to exactly how the data flows will occur. This should be defined in the contract.
  • A common and costly mistake by companies is to not establish mechanisms to extract their business from a specific service provider. This happens when a company customizes its business to fit the provider's processes, leaving only one vendor able to service the firm. Businesses must regularly review how these third party processors are integrated and establish a Back-Out Plan (BOP). Similar in principle to a Disaster Recovery Plan (DRP), a BOP provides the organization with a full record of all business data and a workable repository that can be connected to a different vendor. A consumer example: the ability to export your Google Contacts to your Exchange Server and vice versa. The easier that is, the more likely you are to experiment, and the lower your long term costs stay.

The second is the concern that data and proprietary (patented?) processes and technology may vanish when the business partner disappears.

  • The amount of information passed through a vendor varies, but inevitably sensitive information will be processed or transmitted. The business owners should, in the contract, establish the ability to quarantine their data to specific systems, and may even consider “buying” those pieces of hardware to insure against losses in the future.
  • An alternate approach is to limit the data prudently, eliminating the possibility of company information being exposed. This can be achieved by doing some processing in house and then passing data along to the vendor in a less sensitive form. A consumer example is highlighted by the Kindle2 and its 3rd party conversion process, and what data, if any, is being passed and processed. (This is a single example of the numerous services that slice through the daily business process and are seldom considered or understood; only when problems, such as breached or hacked organizations, make the news do we consider the full ramifications, let alone what happens if the business itself vanishes.)

As is obvious, there are many approaches for businesses to leverage the BPO market while protecting the integrity of their business operations.

Best Regards,

James DeLuccia IV

**Speaking at RSA 2009 on the Payment Card Industry, April 22nd 2009**
