Josh Jewett, senior vice president and CIO for Family Dollar, says the company has taken steps to ensure business partners don't compromise its security. "We hold third parties accountable not only contractually, but also operationally," he says. "They must demonstrate they meet the same security standards we have internally."
Family Dollar's partners are also subject to periodic scrutiny by the company or an independent auditor. If their practices jeopardize the company's data or business continuity, it has the contractual right to terminate the relationship.
Similarly, Lacera's Pu, who is also a certified IT auditor, borrows a tactic President Ronald Reagan used to enforce nuclear arms treaties with the former Soviet Union: Trust but verify. "Third parties are often required to put their security procedures on paper, but there is never the follow-up to verify. We check up on them," Pu says. "We ask vendors a lot of questions and we limit what they can access. When they come in, we make sure they are escorted." What's more, business partners aren't allowed to connect computers to Lacera's networks without using approved security measures, and they must abide by clear rules governing how data can be used.
If any data or applications are not relevant to a business need, partners don't get access to it. The data or application must be directly tied into whatever initiative, such as an event, the two sides are working on together, Pu says.
Bonfante feels much the same way about giving business partners access to his systems. Financial applications are locked down. Partners also can't access parts of the network where customer data is housed. Under those conditions, he feels pretty safe about sharing other parts of the network.
"There's always some concern, but we work with our partners to ensure things like encryption and password protection" are used, he says, adding that data flowing between USTA and its partners is encrypted. That way, it's indecipherable and therefore useless to a rogue outsider who tries to access it.
Pfeil says that to ensure secure business partnerships, companies need to get security personnel involved before business leaders choose who will provide third-party services. Security experts will eye potential partners' security controls more carefully than, say, the events and marketing people who identify and pursue these partners. Security practitioners are also more likely to insist that partners give each other a detailed tour of their security operations.
Like Jewett, Pfeil is a stickler for cut-and-dried contract terms. "Security must be in the language. How will authentication be handled? How will data be handled in motion and at rest? Which side is responsible for which controls? You must answer all these questions," he says.