Thursday, December 23, 2010

Can a service provider take you down?

And I don't mean just your ISP, but every provider of services to you.

Just a couple of weeks ago, Walgreens and McDonald's both revealed that data breaches at partner marketing firms had exposed customer information. I got one of those letters from the mailman myself last Friday.

All signs point to "spear phishing" attacks against email marketing firms that have been going on for a few months. This brings up a new situation that CSOs are unlikely to have foreseen.

Third-party email marketing firms are usually chosen and contracted by the Marketing Department. I doubt IT and Security Officers would be involved in the selection process. But when a data breach such as this occurs, the CSO is now charged with the clean-up.

The medical industry has a process whereby service providers have to undergo security and compliance training. While there is no certification process for these third-party providers, they do need to conform to certain standards.

Can a corporation hold its suppliers to these security standards? Does your agreement contain any clauses regarding information leakage? This needs to go beyond just NDAs. You should take this into account at your next security procedure review.
