An old security adage goes something like this: You're only as secure as your weakest link.
This came to mind recently as I was interviewed by InsuranceNewsNet.com for an article on evaluating client data security in the wake of the Wells Fargo breach. While the importance of companies having their own data security and privacy policies and procedures cannot be overstated, it's also critical to systematically evaluate all third-party vendors and partners to ensure they have the same commitment to protecting data.
Below are five primary types of assessments. Companies should perform one or more, depending on the type of vendor, to evaluate the information security practices of the companies they contract and share information with.
1. Risk assessment. This assessment, required by multiple regulations and industry standards, identifies the security risks in networks, systems and applications, in addition to operational and associated physical risks. It covers all information security domains, including administrative controls such as data security training and ongoing awareness reminders.
2. Privacy impact assessment. This assessment is specific to identifying risks to personal data and potential harms to the associated individuals. It is increasingly becoming an expected activity within an information security and privacy program. It is also a requirement within a growing number of U.S. regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), the U.S. E-Government Act, Securities and Exchange Commission (SEC) regulations and the Fair Credit Reporting Act (FCRA), as well as regulations in other countries, such as the EU General Data Protection Regulation (GDPR), which becomes enforceable on May 25, 2018.
3. Compliance audit. Although this audit is a recommended practice for all types of organizations, it is especially relevant within the financial vertical. A compliance audit checks the data security and privacy legal requirements for data, networks, systems and applications security settings and controls, along with the associated administrative and physical controls. It can be performed by internal auditors or by contracted third parties.
4. Penetration test. The more complex an organization becomes in its use of technology to support business activities, the more need there is to perform penetration tests to identify the holes hackers can get through. These tests are sometimes included within overall risk assessments, but not always. This is a test that tries to break through existing controls to get into a network or system.
5. Vulnerability assessment. Identifying the vulnerabilities within an organization's information management processes and systems is the goal of this type of assessment. It checks for such things as the current versions of systems and applications in use, patching practices and insider risks related to workers. Like penetration tests, it is sometimes included within overall risk assessments, but not always. Whereas a penetration test tries to break through existing controls, a vulnerability assessment examines those controls to see if there are weaknesses in them.
Privacy and security consultancy firms, like SIMBUS360 Brand partners, can help with all of the assessments mentioned above, and more, to ensure the companies you partner with aren't your weakest link.