13 Aug 2007

3rd Party Security - The big question

As happens in the "Blogworld" I read a blurb in the Daily Incite which then linked to a good Blog entry by Andy It Guy which in turn linked to a really good PDF document by Rebecca Herold who has more letters after her name than in her name.

While we are so busy concentrating on our own security structures (You are, aren't you?) how do we make sure that our partners are protecting our data?

There are several places where this is important

  1. The obvious first one: you give your credit card information to someone. What they can and can't do with it is governed by a standard made by the credit card companies. It is called PCI compliance. It seems most companies don't abide by the rules but the fact is that the rules have been very well designed and slowly, hopefully, companies will abide by them. The nice thing is that PCI complience is worked out already. You don't have to worry. You should as a matter of principal make sure that a company is PCI compliant. I think it would be a good idea for the credit card guys (visa, mastercard, etc) to actually promote PCI compliance as a marketing tool for companies to diplay proudly on their websites and in their stores.
  2. You fill in a form, any form, anywhere, online or offline. This is your personal, private information and you should be aware exactly what happens with it. If you have to give the information across for some law such as the ones preventing money laundering, you don't want that form going to the company's marketing department. ("You are a treasured customer of ours, do you want to be the first to use our new services...?") You also don't want it put into a dustbin and used by anyone who finds it in the street. '
  3. You are trusted with someone's details and have to send them to a 3rd party. If something happens to the details - its you to blame.
Basically, wherever someone has some of your personal data, your company's confidential data or data that has been given to you by some entity that trusts you with it, you should be able to make demands on how they treat it. No security is 100% but you should be able to at least, without getting into all the details, know enough about how your data is treated to make an informed decision on whether or not you trust the person you are giving it to.

The PCI standard came out of a need to protect data but there should be a broader standard for all types of data allowing us to make spot decisions on who to trust and who not to trust with our data.

And, taking an observation from Andy but broadening it: the specification of how data is looked after should be more specific than a framework. A framework is fine for protecting your own data, but other people should be able to judge exactly how you treat their data.

But, on the other hand, you don't exactly want to go around to every company that you deal with (perhaps all over the world) investigating in minute detail exactly what methods they use to protect their network and data. You can't be expected to watch that none of their staff take their laptops home etc.

You shouldn't even be expected to take a look at their policies.

You should just want to be able to see a logo that says "we are secure up to the level 3 of the "3rd party information control standard (3pics)". This should be good enough for a bank but a video shop may be able to get away with level 2 and a doctor should have level 4.

By the way, I made up 3pics because, as far as I can see, there is no widely accepted standard with clearly defined levels that the man in the street can trust and be used to (except PCI and that is for credit card information only). But shouldn't there be? Wouldn't it be nice to be able to trust that a company you are about to deal with is going to treat your information the same way you do?

Rebecca's PDF document (linked to above) goes into great detail about how one can manage personal information that is given to 3rd parties but it is a lot of work and is fine for companies who have few partners but when there are many partners it would be nice to be able to just check their "3pics" compliance level and start dealing with them.


In case you argue that it is possible already using ISO, SOX etc, then read what Andy said in his article about how they are just frameworks and not generally accepted standards.

What we need is someone (who me? I'm too busy ;) to create a(n auditable) standard with a few levels that are easy to understand and implement. And for companies to use the standard and brag about their level of security.

I think part of my thinking comes from discovering this week (but not being rich enough to follow through with actually buying and reading) a book by Stephen Covey (Jnr) about how once trust is established, business can proceed quickly. It is up to us as the public to demand that companies show how they can be trusted with our private information. It is up to us Information Security specialists to make it easy for them to do it.

As happens in the "Blogworld" I read a blurb in the Daily Incite which then linked to a good Blog entry by Andy It Guy which in turn linked to a really good PDF document by Rebecca Herold who has more letters after her name than in her name.

While we are so busy concentrating on our own security structures (You are, aren't you?) how do we make sure that our partners are protecting our data?

There are several places where this is important

  1. The obvious first one: you give your credit card information to someone. What they can and can't do with it is governed by a standard made by the credit card companies. It is called PCI compliance. It seems most companies don't abide by the rules but the fact is that the rules have been very well designed and slowly, hopefully, companies will abide by them. The nice thing is that PCI complience is worked out already. You don't have to worry. You should as a matter of principal make sure that a company is PCI compliant. I think it would be a good idea for the credit card guys (visa, mastercard, etc) to actually promote PCI compliance as a marketing tool for companies to diplay proudly on their websites and in their stores.
  2. You fill in a form, any form, anywhere, online or offline. This is your personal, private information and you should be aware exactly what happens with it. If you have to give the information across for some law such as the ones preventing money laundering, you don't want that form going to the company's marketing department. ("You are a treasured customer of ours, do you want to be the first to use our new services...?") You also don't want it put into a dustbin and used by anyone who finds it in the street. '
  3. You are trusted with someone's details and have to send them to a 3rd party. If something happens to the details - its you to blame.
Basically, wherever someone has some of your personal data, your company's confidential data or data that has been given to you by some entity that trusts you with it, you should be able to make demands on how they treat it. No security is 100% but you should be able to at least, without getting into all the details, know enough about how your data is treated to make an informed decision on whether or not you trust the person you are giving it to.

The PCI standard came out of a need to protect data but there should be a broader standard for all types of data allowing us to make spot decisions on who to trust and who not to trust with our data.

And, taking an observation from Andy but broadening it: the specification of how data is looked after should be more specific than a framework. A framework is fine for protecting your own data, but other people should be able to judge exactly how you treat their data.

But, on the other hand, you don't exactly want to go around to every company that you deal with (perhaps all over the world) investigating in minute detail exactly what methods they use to protect their network and data. You can't be expected to watch that none of their staff take their laptops home etc.

You shouldn't even be expected to take a look at their policies.

You should just want to be able to see a logo that says "we are secure up to the level 3 of the "3rd party information control standard (3pics)". This should be good enough for a bank but a video shop may be able to get away with level 2 and a doctor should have level 4.

By the way, I made up 3pics because, as far as I can see, there is no widely accepted standard with clearly defined levels that the man in the street can trust and be used to (except PCI and that is for credit card information only). But shouldn't there be? Wouldn't it be nice to be able to trust that a company you are about to deal with is going to treat your information the same way you do?

Rebecca's PDF document (linked to above) goes into great detail about how one can manage personal information that is given to 3rd parties but it is a lot of work and is fine for companies who have few partners but when there are many partners it would be nice to be able to just check their "3pics" compliance level and start dealing with them.


In case you argue that it is possible already using ISO, SOX etc, then read what Andy said in his article about how they are just frameworks and not generally accepted standards.

What we need is someone (who me? I'm too busy ;) to create a(n auditable) standard with a few levels that are easy to understand and implement. And for companies to use the standard and brag about their level of security.

I think part of my thinking comes from discovering this week (but not being rich enough to follow through with actually buying and reading) a book by Stephen Covey (Jnr) about how once trust is established, business can proceed quickly. It is up to us as the public to demand that companies show how they can be trusted with our private information. It is up to us Information Security specialists to make it easy for them to do it.