Information Security Magazine
Ping
by Michael S. Mimoso
Issue: May 2006

If you want to do business with Home Depot, you've got to get past information risk manager Tony Spurlin's team of engineers. Using comprehensive evaluation processes and his homegrown assessment framework, his team examines potential partners' corporate security posture. Partners that haven't nailed down their security don't connect to Home Depot.

How rigorous is your certification process? We have to provide an on-site assessment for our partners if they want to connect to us or use our data in any way. A team of engineers travels on site, and [the partner] goes through an interview, which is standardized and based on an information security framework I developed. It's a top-down, drilled down look at their corporate security posture, policies, technology solutions, and management and monitoring of security policies. Then, there's a final gap analysis to determine if they are in compliance with Home Depot policies.

Do you run into resistance from partners? If there are issues, we recommend remediation, and they must remediate before anything goes into production. Most realize the value-add this provides. We report to them a good snapshot of their information security operation. They tell us it's just like a Big Four audit, and they learn a lot from it. It's done at no charge; it's part of doing business. We take managing our brand and customer data very seriously.

What security demands do you make of partners? We demand they have an established information security program and policies. From a technology standpoint, it's the usual cast of characters: a firewall set to privileged access, strong access controls, antivirus that's up to date and constantly monitored, intrusion detection, an established and repeatable patch management process, and a vulnerability management process. We also look at how well they build servers. They need to have a standardized reference model with security elements.

What is the return for Home Depot? The return is huge. We're an $83 billion company, so you can imagine the volume of business we do. The cost of sending staff on an assessment is less than 1/10th of a percent of that.

Was it an easy sell to upper management? It was not a tough sell; everybody jumped on board. We have a Wall of Shame in our office where we pin all the data-breach headlines as they happen. When an executive asks why we need to do this, we walk them by the wall.

Read the complete interview at searchsecurity.com/ismag