3rd Party Providers. Remember when the big car companies in Detroit went through their quality measures and certifications, then began requiring all their 1st tier vendors to undergo the same quality certifications? This later trickled down to the multiple tiers of vendors that supported the 1st tier vendors. It was (is) called QS 9000.
Well, basically the same thing has happened in information security. PCI states it, HIPAA states it, ISO states it. Not only does the end client organization need to adhere to these quality standards for information security, but any partners, 3rd parties, that may access, hold, transfer, or otherwise impact the security of sensitive data need to take measures to safeguard that data.
So many times you read about breaches that occurred that resulted from a 3rd party that mis-handled data, or accessed systems to provide support, but didn’t restore the system to a pre-established level of security before departing, leaving something open for the bad guys to find.
It’s always a good idea to throroughly review the contracts you have in place with your 3rd party providers to ensure appropriate levels of control are in place to safeguard your data. Independent audits of the providers are also commonplace, so it’s a good idea to include a right-to-audit clause in your contracts with those partners.
Sr. Account Executive