How to Practise Safe B2B

Before swapping information with multiple e-commerce partners, it pays to protect yourself by pushing partners to adopt better security practices.

Encryption

Experts and practitioners say companies should require their partners to use encryption for any sensitive information - customer data, marketing strategy, labour relations and unreleased financials - transmitted over the Internet. The Federal Reserve is constantly dealing with financial information, so Wade requires anything transmitted between the Fed and its financial and banking partners to be properly secured.

At JP Morgan Treasury Services in New York City, Joe Calaceto, who heads up security as vice president and technical director, requires varying levels of encryption of customer information such as account numbers and beneficiary names and addresses.

Gaffney says Staples requires its B2B partners to encrypt all Internet transmissions, but he doesn't require encryption for transmissions sent over private networks. "That would be overkill, since one of the reasons we're paying a premium for a private connection is for its security," he says.

Response Plans

DeMaio says the response plan is where to expect resistance from partners. Most companies focus on perimeter defence because it's sexy, but once they think nobody can get in, detailed response plans seem like overkill. That is a mistake, and you shouldn't let your partners get away with it, says DeMaio. "Too many organisations will simply fade and say: 'OK, you don't have to do it.'" DeMaio adds that partners should provide a detailed description of their attack response plan - and it should be designed around specific systems, not generic boilerplate from books and manuals.

Also, demand that partners notify you of security incidents within the hour. Charles Le Grand, director of technology practices at the Institute of Internal Auditors, adds that you should ask to see your partners' criteria for notifying authorities and how they're monitoring for vulnerabilities. For example, if they operate in an NT environment, urge them to keep up with NT BugTrack, he says.

Segmented Architectures

Some security analysts advocate "segmenting" enterprise architectures into smaller networks, all behind separate firewalls. That way, if one part of the network is compromised, the rest remains safe. Defence contractor Lockheed-Martin does that - and looks for it in its partners too, says A. Padgett Peterson, Lockheed's senior security analyst.

Background Checks

If it's standard practice in your own organisation to conduct background checks on employees with access to sensitive data, it's reasonable to request the same for partners' employees who also have access. Wade declined to say whether he requires background checks of the Fed's partners, but he's required it while working at other companies. By having business representatives, not just IT people, involved in the negotiations, you're more likely to get your partner to agree to background checks. "It's difficult for many IT people to appreciate the risks involved in the relationship being established," he says.

Compliance Audits

Experts and practitioners agree the best way to validate compliance is through periodic audits, either by your own auditors or an independent third-party security company, as Visa requires. Typically the party requesting the audit will foot the bill.

The most security-conscious organisations require their partners to submit to penetration testing on a regular or random basis. But Le Grand says that is an extreme measure, because there is potential to bring a partner's system down. "If you run a denial-of-service attack just to see how they recover, the recovery will be expensive," he says. "So you'd better not do this haphazardly and without agreeing on your right to do this."

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.