Compliance is tricky, and vendors are necessary. These two facts account for a lot of headaches in software development, especially in heavily regulated industries (e.g., healthcare and finance) that handle huge volumes of sensitive data as a matter of course.
Further compounding these issues is the fact that first parties are generally just as liable for third-party missteps as they are for their own errors. Governmental bodies such as the OCC, government-regulated mandates such as the Dodd-Frank Act and industry standards such as PCI all hold first parties accountable when third parties make mistakes.
Navigating the minefield that is third-party security doesn't have to be a major concern. Here are a few tips for keeping compliance at the forefront when dealing with vendors.
Thorough research is obviously a key task to handle before third parties come into the picture. Unlike buying consumer products, however, acquiring both custom code and ready-made components takes a little more investigation than the average purchase.
The best advice here is to pay attention to the third party's reputation and get references that speak to your specific needs. Regulated industries often maintain repositories of proven vendors and off-the-shelf products. If yours has one, use it to find vendors who have performed similar tasks for other businesses in your field (and have good reviews, of course).
The more complex or sensitive the task, the more important early research is. While there's a time and a place for hiring newcomers, third-party security and compliance are serious business. As with regulatory rules on third parties, it's the first party's reputation that will take a hit if there's an attack or info is leaked.
If you've read the new PCI DSS vendor rules, then you already know the three biggest words in beginning relationships with third parties: document, document and document. How you go about that documentation can be helpful in curtailing potential issues from the start.
First, make a visual map of all the vendor's responsibilities where possible, paying specific attention to areas where their duties may touch on various regulations your industry has to deal with. If a vendor's component needs to interact with a database of sensitive client information, for instance, note it. Make sure your compliance experts are in on the chart, too. The goal here is to set expectations and let vendors know why what they're doing is critical and how it can impact both sides if something goes wrong.
By that same token, ensure vendors take proper measures to document their own steps: the larger the paper trail a vendor creates, the easier it is to explain and learn from potential issues come audit time.
Once your relationship with a vendor is "in motion," so to speak, it's important to ensure continued compliance. Aside from the constant need for documentation, there's the simple fact that vendors tend to perform better when they're under a watchful eye.
Practices such as automated code review are good proof of this concept at work, and they're strong vouchers for third-party security regulation services. By checking every bit of committed code against a given set of rules, you don't just get a stronger end product — you get proof of continued efforts towards proper compliance. Automated training and remediation, based on specific findings in those automated reviews, offer the same multifaceted benefits. Industry regulations differ, but it's always better to be able to show an auditor how you tried to coach away conceptual errors.
Third-party security service providers (who often keep their own lists of verified vendors, calling back to the "Validate" step) can also help if you wish to conduct a comprehensive audit of your supplier's compliance efforts. Effectively auditing a third party takes experience; beyond that, using first-party security personnel on third-party problems can quickly turn into a resource drain. When an audit's required, people who know what to look for — and how to look for it — are invaluable.
Years ago it was easy for first parties to shift blame on vendors in the event of compliance failure, but that's no longer the case. With new rules and a new understanding of how first- and third-party entities interact, regulatory bodies are growing ever smarter when it comes to managing those interactions, and passing the buck is a practice of the past.
In other words, it's worth getting a handle on a potential vendor's compliance capabilities before issues arise. Make sure to keep security in mind from the onset, and call in security or compliance experts if you need help. Problems in the development world rarely get cheaper with age, after all.