Walking the Walk
Home Depot evaluates potential partners' security; those that don't pass muster don't do business with the retailer. by Michael S. Mimoso
Not every Home Depot specialist on an outcall is on the way to a kitchen renovation or hardwood floor installation. Those who work for information risk manager Tony Spurlin are on their way to one of the corners of this country to assess the security of a potential partner.
Home Depot is walking the walk many enterprises only talk about; it's proactive about only doing business with partners whose security posture is upright.
"We feel a lot better about having our data processed by our vendors," Spurlin says of the assessment process, which is based on his homegrown Information Security Framework. "Over the years, we've found a significant amount of vulnerabilities that would have been in place if we had not done onsite assessments."
The onsite assessments are required of application service providers, vendors, marketing analysis firms, outsourcing partners and other third parties that want access to Home Depot data or systems. Engineers spend up to two days at the partner's location conducting interviews and evaluating the partner's technology and how it is managed in accordance with the partner's policies.
"If there are issues, we recommend remediation, and they must remediate before anything goes into production," Spurlin says. "We literally connect to their internal networks and perform assessments using custom-built tools and tools bought off the shelf to verify they manage deployments as stated, and if they meet our standards."
Partners requesting access to private, sensitive data are re-evaluated annually; others are evaluated once.
Spurlin says some partners are initially uncomfortable with the prospect of Home Depot poking about their security to determine patch levels, the currency of antivirus and IDS signatures, and the thoroughness of their vulnerability assessment processes. Some offer SAS 70 audits as an alternative, for example, but that's not enough to satisfy Home Depot: a SAS 70 report attests to the controls the service provider itself chose to describe, not to the current state of the specific systems that will hold Home Depot's data.
"When we talk to them about the value-add they're getting here--a free snapshot of their security environment--we have not had one say no," Spurlin says. "Most of the big auditing firms charge $25,000 a day. This is part of our due diligence."
Once onsite, engineers conduct interviews on the technology and management controls that maintain the partner's security. Next is the testing phase, where the systems and applications that will be used to conduct business with Home Depot are audited. The partner gets a report with remediation recommendations, and a timeline for fixes (usually 30-45 days).
"We're looking for policies that map to ours, and that the partner can maintain and sustain it during their relationship with Home Depot," Spurlin says.
The process has been in place for four years, Spurlin says, and he expects close to 100 onsite evaluations; the latest tweaks are around application security.
"We've stepped up our application-layer testing and increased our questionnaire points around the area of integrating security in the development lifecycle," he says.
"The return for Home Depot is huge. We're an $83 billion company. The cost of sending staff on an assessment is less than one-tenth of a percent of that," Spurlin says. "At the end of the day, the Home Depot brand is the most important thing we protect."
Michael S. Mimoso is Editor of Information Security. Send comments on this article to email@example.com.