Securing business relationships

   


Managing Business Relationships by David Ford, Lars-Erik Gadde, Håkan Håkansson and Ivan Snehota (~US$65 from Amazon).  The authors have a broad “web” view of many-to-many business relationships rather than the simpler one-to-one links normally considered. 

Contracts and negotiations are a special field of law and therefore most of the relevant texts are legal specialties.  However, Borders in Cyberspace: Information Policy and the Global Information Infrastructure by Brian Kahin and Charles Nesson (~US$28 from Amazon) presents fresh insight and thorough analysis. 

 

Beating IT Risks by Ernie Jordan and Luke Silcock is a book aimed squarely at IT managers, addressing commercial, technology and information security risks (~US$85 from Amazon).  Chapter 7 covers IT service providers and vendors, in other words 3rd parties.  The book contains numerous examples and case studies to illustrate the importance of managing IT-related risks.

An example third party agreement from the University of Auckland incorporates security policy.

ISO/IEC 27002:2005, ISO/IEC TR 14516:2002 and the Information Security Forum’s Standard of Good Practice all have something worthwhile to say on the security aspects of third party relationships.

Hints on handling information security as part of relationship management.

Don’t export security is about the pitfalls of offshore outsourcing.  “I’d say fewer than 20 percent of my clients audit the security of their providers,” says Atul Vashistha, CEO of NeoIT, an offshore outsourcing consulting company. “They just accept the suppliers’ defined security plan and don’t check to see if they are living up to it.”  Some suppliers probably take advantage of this laxity.

University of Pittsburgh’s security guideline for third party computer access and use is useful.

Trusted Third Parties

Compliance with recognized information security standards such as ISO/IEC 27001 and 27002, particularly certified compliance, is one way for an organization to establish its trustworthiness on information security matters. 

If you are a merchant using a credit card processor to handle your credit card transactions, you place a lot of trust in the processor.  Too bad if it’s Heartland.

Information security is so important for some organizations that they insist on auditing third parties against their own security specifications.  VISA, Mastercard and others insist on independent audits against the Payment Card Industry (PCI) standards by accredited PCI auditors.  In the government and military arenas, similar processes exist for testing and auditing of third party organizations and their products against Common Criteria and similar security standards.

Independent audits are certainly one way to gain more trust in third parties’ information security arrangements.  India’s National Association of Software and Service Companies (NASSCOM) has promoted the idea of independent security audits of its people as a way to share the burden of raising trust in the Indian offshore IT outsourcing industry.

Trusted Third Parties (TTPs) are commonly involved with key issue and escrow in encryption schemes.

The risks of key recovery, key escrow, and trusted third party encryption was written at a time when the US Government was promoting Clipper and similar proposals for key escrow.  Governments through the ages have spied on their own and foreign organizations, and strong encryption seriously restricts that ability.  There are implications for espionage, terrorism, organized crime ... and also for freedom of speech, privacy and human rights.

As escrow companies have become quite popular for large transactions on online auction sites, so too have escrow frauds.  Here is another page of advice on avoiding the fraudsters and finding an escrow service you can actually trust.  Dubious escrow companies have even been involved in phishing scams, as if to emphasize that trustworthiness is an essential requirement for trusted third parties.


Related NoticeBored links collections

Internet security, confidentiality, integrity, compliance, physical security and general information security


NB: we do not necessarily endorse or agree with the third party websites accessible through the links. Use at your own risk.  Please let us know about new or broken links.



Copyright © 2010  IsecT Ltd.