Security isn't just a scheduled event or a box on a checklist — and increasingly, neither is security compliance.
Sure, countless people reading this article have pulled the "prepare for audit" shuffle, in which entire departments run around like proverbial headless chickens to ready themselves for that dreaded moment when the auditor walks through the door. And that stress makes sense: Keeping up with all those rules, which often seem like they were crafted by people who've never spent a day in development, can be a nightmare.
But not all rules are arbitrary — some regulatory bodies put them in place for important reasons. Enter the PCI DSS. Now in its third iteration, this well known, widely followed set of security standards has finally turned its gaze to the secure handling of third-party service providers (TPSPs). The standards' most recent addendum contains useful advice regardless of whether you're a first-party buyer or a third-party vendor. Here's a look at how the rules apply to security compliance, and why doing the audit shuffle is not a good work-around.
PCI 3.0 isn't alone in emphasizing this rule. Most security standards that address the need for heightened security with TPSPs (e.g., the standards recently set forth by the OCC) make this the meat and potatoes of their message, regardless of the industry they cover. And for good reason: When you're responsible for an end product, you're responsible for all the bad stuff that can happen when security isn't given due respect.
This is the single logical thread that ties the rest of PCI DSS's addendum together. Whatever your industry, keeping it in mind all year (and not just as you prepare for audit season) will make your products more secure for everyone, and that's a benefit that stands on its own merits.
What's "it" in the context of TPSP security? Everything you can think of, assuming it's related to the vendor's duties. The more security details you can provide to third parties during the agreement-writing process, the easier delegating responsibilities becomes. In turn, documenting expectations up front ensures less "whodunit" and more "I've got it" when security issues do arise.
While much of the PCI DSS's advice applies to credit card processing companies, companies in other industries can still take away several concepts. The first is the periodic review of expectations: At a minimum of once a year (or whenever the service agreement changes), both customer and client should sit down to make sure they're still on the same page in terms of compliance and overall security responsibility. Next, map the specific functions your third party covers to the specific regulations those functions touch or fall under. Think of it as attack-surface analysis or threat modeling in which you consider the rules your third party will be subject to and how they might be broken, unwittingly or otherwise.
Finally, the addendum recommends bringing in additional third parties to help you craft documents and set expectations. An expert may find pain points or unexpected areas where third parties brush against rules, giving both groups a better understanding of the tasks they will undertake.
In the end, documenting this information is good for the year-round security a company needs in order to produce an airtight product. It provides peace of mind for your compliance and/or security officers, gives clear-cut duties to your third parties and shows your initial interest in keeping things as secure as possible in the event of an audit, security breach or other event that ends in interaction with a regulatory body.
This goes hand in hand with getting everything in writing: Effectively composing your expectations and knowing exactly what functions your TPSPs will perform comes down to knowing what the third party is capable of. That means taking whatever steps you can to acquire knowledge about those providers, from both outside sources and the providers themselves.
It's important to note due diligence covers a company's entire history with a TPSP, not just the pre-agreement research phase. This heralds back to the main point that compliance is an all-the-time concern. The document suggests buyers craft agreements promising transparency from vendors throughout their relationship, and clearly outlining sanctions that could occur if they fail to provide necessary documentation. Other tips include seeking expert and/or industry sources, consulting with and contributing to repositories of recommended service providers, and checking any vendor's audit trail to confirm it aligns with the tasks it'll perform.
Sometimes the smallest steps are also the most helpful. Communicating effectively doesn't just mean keeping lines open and making points of contact widely known (though those are recommended as part of an overall communication plan). To truly achieve security compliance with your third parties, communication must be actively encouraged — and sometimes mandated.
The "mandated" part should arise when a TPSP's changes could impact its patrons or duties, as well as any data it's able to handle. For instance, changes in key personnel (think those responsible for intracompany communications and the project itself) should automatically trigger a chat, as should any shift in "processes, procedures and methodologies" that could change the way a vendor performs its tasks. As with expectations and responsibilities, the document says an agreement's general communications structure should also be discussed at least once each year.
While these rules may look like extra work up front, they're really little more than common sense taken to a cautious degree — and as anyone who works in security compliance can tell you, the more caution you exercise when it comes to security matters, the better.
Besides, isn't it about time to stop stressing over audits once a year? Wouldn't it be nice to have things taken care of as a matter of course? In some ways, cramming to prepare for audits is an example of following the letter of the law, not the spirit: Companies are supposed to take these actions to keep themselves, their customers and their clients safe, not to appease an auditor.
Think about the way your company approaches auditing and security compliance, and don't be afraid to ask an expert for help getting into shape. It's not just a good way to do business — it's a secure way to do business. And considering everything you stand to lose in the event of a breach, the idea of treating security like a full-time task probably sounds just fine.
Photo Source: Flickr