The notion of assuring partner security is nothing new. From suppliers to managed service providers to credit card transaction companies to outsourced application developers, third parties introduce risk to customer information, intellectual property and, ultimately, your company's good name.
That risk has grown exponentially as corporations leverage Web technology to build fast, efficient business relationships with more and more partners. The cost and complexity of extending internal security policies to numerous partners, plus the burden of complying with multiple overlapping government regulations and industry requirements is proving increasingly onerous.
"It's a logistical and resource-intensive effort to conduct," said Gartner analyst Kelly Kavanagh, commenting on recently announced changes to Verizon Business' Partner Security Program (PSP). "Some companies have upwards of 200-300 assessments they go through every year with partners, and the ability to take some resources out of that is a pretty welcome one."
Verizon's PSP is part of its growing portfolio of infrastructure, data and governance, risk and compliance (GRC) security services, built in large part on its 2007 acquisition of Cybertrust. Major carriers like Verizon, AT&T and BT, which purchased Counterpane Internet Security in 2006.
The service is a Web-based platform for automated partner compliance, built around questionnaires. Corporations use the questionnaires and supporting documentation to determine partner security posture relating to corporate policy, contractual obligations and SLAs. It can also be used to monitor internal compliance among distributed business units, or for screening potential partners as part of the RFP process.
The platform includes three types of dashboards: one for the customer, another for partners and a third tailored to auditors.
"Companies are using really expensive professional services. They need a way to cost-effectively and efficiently validate that partners are adhering to policies," said Cindy Bellefeuille, Verizon Business director of security product management. "PSP enables them to collect information to a central location and disburse back to various parties, such as auditors, who have interest in it."
Verizon supplies stock questionnaires tied to standards like ISO 27002 and specific regulations, such as HIPAA, SOX and GLBA. Customized questionnaires can be designed to meet specific corporate requirements. Verizon's supporting consulting and professional services include help in developing content for those questionnaires.
The timing of last week's announcement is clearly tied to the new PCI-DSS requirement for a detailed self-assessment questionnaire, which is now included in the platform.
Another key improvement in this release is the use of supporting documentation. Partners can now attach required validation documents—audit reports, signed attestations of compliance, etc.—to specific questions. In previous versions, documents could only be attached to the overall questionnaires. It's more efficient and enables organizations to monitor granular validation based on the criticality of the partner relationship.
"Different levels of assurance are required for different partners," said Gartner's Kavanagh. "In some cases a firm may want to see an auditor's attestation that your security controls are adequate to protect you. In other cases you might want to see results of an external scan, or, in some cases, fill out a questionnaire and we'll believe your answers."
Kavanagh cites security's "trust but verify" adage. The "trust" part can be an attached assertion from an internal auditor, scanning service or security consultant, or it can be an explanation of the controls in place for a specific requirement. What he calls the "show me" part, which might be required for critical data or business functions, might include an external validation or putting feet on the ground to review processes, documentation and controls on site.
The new release also allows executives to monitor status across categories, so they can track status and progress not only by partner, but across partners for a particular security category or requirement, such as strong encryption for credit card data.
On the roadmap going forward, Verizon's Bellefeuille looks to layer in more mechanisms for validation of controls, including information from onsite audits, and tighter integration with other security tools (PSP now includes on-demand vulnerability assessments) and services, such as Verizon's own log management service.
While he recognizes the value of services like PSP, Kavanagh believes companies can also save resources spent on redundant assessments through industry-specific standards, such as the financial services sector's BITS Framework for Managing Technology Risk for IT Service Provider Relationships and the BITS IT Service Provider Expectations Matrix.
"We have to ask too many people about their security posture," he said. "We can accept the fact that somebody else attested to their security posture because we've all agreed these criteria are the ones we'll use to make that determination."