DeepSec 2013 Talk: Risk Assessment For External Vendors
No man is an island. If this is true for every single one of us, then it is also true for companies. Modern enterprises have business to business (B2B) relations. They are at the centre of a network of suppliers and other vendors. Information flows between the players since they need to exchange data. What do you do if you deal with confidential or regulated data which mustn’t flow freely? How do you assess the risks? How do you determine what security measures work best? How do you deal with the situation of not enforcing security because every player runs its own policies? Luciano Ferrari has prepared a presentation for you and talks about his experience.
The first issue is physical proximity. Once you are linked with business entities several thousand miles away (think halfway across the globe), being on site for a risk assessment is not always an option. While globalisation may help you business-wise, it may create headaches for your information security needs. Considering the amount of data companies are transferring to the cloud and to external vendors, regulations, especially in a globalised world, require proper management to be effective, compliant and efficient in order to protect the data and the company's reputation. This task is radically different from managing the information security needs of a company with next to no sensitive data exchanges with the outside world.
Non-technical issues will haunt you as well. There is always corporate culture. When facing security problems, this culture is often part of the problem. You need to be able to rely on cooperation – across boundaries – in order to secure your business processes (which are by themselves another non-technical issue).
During the course of his professional career Luciano Ferrari has developed a process that deals with global risk assessment and increases the trust in and the security of your data. Make sure to attend his talk, because proper risk assessment will help at any level. You don’t have to be a global player; getting this right at a local level will be a big benefit to your organisation, too.