You should revisit your agreements with the business partner and ensure that the legal documents reflect the acceptable practices of how you work with trading partners. But to be clear, you need to make an example of this business partner; not doing a simple background check is unacceptable.
As an information security professional, many business deals create significant risk to your own organization. You connect systems to partners that have insufficient controls and protections. But, ultimately, business will win out, and if you make too much noise, you run the risk of being perceived as Chicken Little and endangering your credibility.
As part of your overarching security program, I recommend communicating with the legal team and discussing the things you think are important to look at when doing diligence on an acquisition or other business deal. It's critical to do this before the deal is underway. If you do this early, then you are proactive. If you do this later, then you are in the way of a deal getting done. Which do you think will be better perceived in the executive suite?
Ultimately, the role of the security staff is to present the risks. Business people need to make the decisions as to whether the risks are justified when weighed against the reward of doing the deal.
For more information:
Dig Deeper on Data security strategies and governance
Related Q&A from Mike Rothman
The CISSP certification can be a challenge to obtain. Mike Rothman unveils how to get on the right education and career tracks in order to get CISSP ... Continue Reading
In the world of security certifications, what is the GISP and how alike is it to the CISSP? In this security management expert response, learn about ... Continue Reading
Depending on your enterprise, it may or may not be necessary to utilize a QSA. In this security management expert response, learn how to determine ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.