Welcome Guest. | Log In | Register | Membership Benefits


Topics:   Security Views : Compliance Tech Center

Partner Management: Assessing Compliance Capability And Willingness

The first step is to determine the partner's understanding of its responsibility and ability to comply

Dec 09, 2011 | 09:33 AM | 

By Richard E. Mackey, Jr.
Dark Reading

Regulations like HIPAA and state privacy regulations and contracts like PCI DSS require organizations to ensure that any partner or service provider with access to data covered under the regulation or contract complies with the data protection requirements. In my previous post, I discussed the need to assess and control the risk associated with these relationships. However, it is can be a challenge to assess an organization’s ability to protect the data.

In fact, there is an important aspect of compliance that many organizations miss: Does the vendor even understand its compliance requirements?

Before embarking on a detailed assessment of an organization’s compliance and security programs, all organizations considering consuming a service that would be involved in protecting regulated information should ask the vendor whether it recognizes its responsibilities.

It is often surprising to find that service providers that manage protected health information, personal identifying information, and payment card information have no idea what controls what they should have in place. Equally surprising is the fact that consumers of the service have the false impression that the vendor is completely aware of its protection “responsibilities” and has accepted them.

Organizations entrusted with protected information are responsible for the practices of their vendors. Normally, vendors are contractually responsible for protecting the information. In poorly managed relationships, however, the consuming organization doesn’t make the requirement clear and allows the vendor to either be ignorant of the presence of protected information or believe that detailed understanding of regulatory requirements isn’t important.

Service consumers should be aware of an important point: You cannot force a vendor to comply with a regulation it doesn’t understand or hasn’t acknowledged by contract. It is for this reason that data protection regulations require contracts between data owners and service providers. All entities need to understand their requirements.

Once this understanding is established, the service consumer can assess whether the compliance program and security controls will meet its requirements.

In my next post, I’ll describe different methods for assessing partner practices, and the pros and cons of each.

Richard Mackey is vice president of consulting at SystemExperts Corp.



Currently we allow the following HTML tags in comments:

Single tags

These tags can be used alone and don't need an ending tag.

<br> Defines a single line break

<hr> Defines a horizontal line

Matching tags

These require an ending tag - e.g. <i>italic text</i>

<a> Defines an anchor

<b> Defines bold text

<big> Defines big text

<blockquote> Defines a long quotation

<caption> Defines a table caption

<cite> Defines a citation

<code> Defines computer code text

<em> Defines emphasized text

<fieldset> Defines a border around elements in a form

<h1> This is heading 1

<h2> This is heading 2

<h3> This is heading 3

<h4> This is heading 4

<h5> This is heading 5

<h6> This is heading 6

<i> Defines italic text

<p> Defines a paragraph

<pre> Defines preformatted text

<q> Defines a short quotation

<samp> Defines sample computer code text

<small> Defines small text

<span> Defines a section in a document

<s> Defines strikethrough text

<strike> Defines strikethrough text

<strong> Defines strong text

<sub> Defines subscripted text

<sup> Defines superscripted text

<u> Defines underlined text

Dark Reading encourages readers to engage in spirited, healthy debate, including taking us to task. However, Dark Reading moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing/SPAM. Dark Reading further reserves the right to disable the profile of any commenter participating in said activities.

Disqus Tips To upload an avatar photo, first complete your Disqus profile. | View the list of supported HTML tags you can use to style comments. | Please read our commenting policy.
Subscribe to RSS



Compliance Reports

report How To Boost Security Via FFIEC Compliance
With just a smartphone, users can conduct nearly all their banking business at any time of the day or night. However, all this flexibility and convenience opens up new avenues for fraud and cybercrime. Guidelines laid out by the FFIEC several years ago predate many of the capabilities-and vulnerabilities-that are in place today. In this report, we examine the latest guidelines and provide advice on how you can extend the work done to comply with FFIEC guidelines to strengthen your organization's overall security posture and keep customers and their data safe.

report Keeping Compliance In Check
Configuration mistakes, access control gaffes, poor documentation--it doesn?t take much for a compliance audit to go all wrong. In this special retrospective of recent news coverage, Dark Reading takes a look at the costs, common missteps and best practices for compliance, as well as the day the Internet nearly went dark due to the threat of new regulations.

report FISMA Lifts All Compliance Boats
FISMA may not be on your radar now, but it likely will be at some point. Geared specifically toward the federal government and its affiliate agencies and third parties, FISMA is a very specific set of requirements aimed at establishing and maintaining at least a baseline level of computer and network security. FISMA requires unique categorization and classification of information assets, not to mention a boatload of documentation to prove compliance. But once your organization achieves FISMA compliance, it will likely be compliant with just about every security mandate out there.

Other reports from the Compliance Tech Center:

Related Content

Log Management in 2012 and Beyond
2012 brings interesting changes to the log management world. Now, more than ever, it is critical to understand the impact to your log infrastructure and the solutions that will better prepare you to manage your security posture.

SANS Log Management Survey Report
Organizations are increasingly dependent on log management to support core business functions, including cost management, service level and line-of-business application monitoring, as well as traditional IT- and security-focused activities.

Cut the Time and Effort of Troubleshooting and Reporting
Organizations generate millions of logs a day and struggle with centralized collection, storage and analysis of those logs. ArcSight Logger is a universal log management solution that unifies searching, reporting, alerting and analysis across any type of IT data. It consolidates silos of logs into a single indexed repository for fast detection and mitigation of operational issues.

Get Turnkey and Automated PCI Compliance
PCI compliance monitoring is seamless with the self-contained ArcSight PCI Logger solution for log collection, storage and analysis. No database administration expertise is required and a web-based interface simplifies deployment and ongoing management.

Swiss Bank Meets Compliance Requirements and Protects Customer Data
Due to long-term data retention requirements, Swiss bank EFG needed a cost-effective way to collect, secure and store audit-quality log data in an easily accessible log repository. ArcSight Logger helps EFG meet key requirements of Switzerland?s banking laws fast and cost-effectively.




Featured Webcasts
Featured Whitepapers
Featured Reports