Sunday, 16 September 2012

Info Sec & 3rd parties

Within an organisation it is the senior management that takes responsibility for the actions of the company, and this is never more so than with information security and 3rd parties. Although risk can be transferred to a 3rd party, the responsibility stays with the senior management to ensure the 3rd party safeguards the information.

An example of what can go wrong is the ICO's fine against Scottish Borders Council over a breach of the Data Protection Act. http://www.theregister.co.uk/2012/09/14/recycle_bin_data_breach/

In the article it says "This is a classic case of an organisation taking its eye off the ball when it came to outsourcing," Ken Macdonald, the ICO's assistant commissioner for Scotland, said in a statement. "When the Council decided to contract out the digitising of these records, they handed large volumes of confidential information to an outside company without performing sufficient checks on how securely the information would be kept, and without even putting a contract in place."

The damning part of the above was the lack of a contract in place to control the digitising and then the destruction of the records. The report goes on to say "Scottish Borders Council failed to choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and take reasonable steps to ensure compliance with those measures," the watchdog said in its civil monetary penalty notice. "Such security measures might have provided for the secure disposal of the files after scanning and stipulated that the data processor would either return the documents to the data controller in person, or securely destroy them, providing the data controller with a certificate of destruction."

This shows the legal risk when outsourcing work to a 3rd party. There is a great blog entry about 3rd parties and contracts: http://blog.itsecurityexpert.co.uk/2011/03/playcom-breach-dont-trust-your-third.html

In the blog it says "Sharing personal or other sensitive information with third parties carries a risk to which the business is responsible, and as such needs to be adequately controlled. Before sharing such information with any third parties, the business is supposed to fully assess their third party service providers, to ensure they are capable of protecting the information to the same level as their own business as well as to legal requirements."

It also discusses the role of the contract: "To ensure third parties continue to observe the level of information security desired, the business must hold them to account in a business contract, with stiff penalties for breaching the contract. This should include the right to onsite audit the third party; these measures provide incentive to the third party to keep information security ship-shape. Don’t forget to pass on any breach costs within the contract as well, as personal data breach legal fines in the UK can reach up to £500K, while industry regulatory fines can even be higher; without contractual coverage you can’t pass on those fines to a third party. While talking about contracts, it is good to add a clause which compels the third party to report any security incidents involving the business data; furthermore add the right to conduct an onsite forensics investigation at the third party site should a data breach occur."

He finishes with this good bit of advice: "If you can’t get a third party to sign up to such clauses in a contract, it is a clear indication the third party’s information security isn’t up to scratch, as the third party business mustn’t have any confidence in their own information security."

The role of the information security officer would be to do a risk assessment of using a 3rd party and to ensure that information security has been covered adequately in the contracts, so that the risk to the organisation is reduced to an acceptable level. By including information security in the contract and doing a risk assessment, the organisation is showing due care and diligence.
