The most probable thing you & your vendor never discussed

Posted: March 22nd, 2013 | 2 Comments

Security of Information. Information Security.

It is not surprising that in every outsourcing discussion a few things are always covered, because they are considered the key elements of success: communication, pricing, work hours, deliverables, timeline, holidays, culture and others, in decreasing order of priority. Each of these plays a vital role in the process, and you get that emphatic ‘Yeshh!’ feeling once you have weighed all of them. There is one more factor that needs to be factored in as well: Information Security.

I know you must be silently feeling happy and clenching your fists with that Yeshh! feeling if you touched upon this topic in your discussions. And you must be. After all, Information Security Services continue to grow, dramatically yet quietly. It is not just about your data being used securely by the IT services vendor you employed; it is also about your customers refusing to use your software product if it does not assure them of data security. Think of the financial reminder app you are planning to create for your target market. If the app does not inspire confidence through visible data security guarantees, not too many takers would even save their account numbers in it. This might be a lame example, but what I am hinting at is: unless your app keeps my data secure, I ain’t gonna buy it, even for Free! Period.

The Guardian (UK) recently reported that half of the respondents to a Clearswift survey were concerned that social media channels could pose significant risks to their IT security. In addition, the UK government has identified information security as a key priority for the current year, 2013.

Information security does not just mean a data breach or unidentified and fraudulent access to your confidential and proprietary data. Accidental data loss is perceived to be the biggest information security threat globally. In the event of a data leak, the greatest worry is reputational damage to the organisation (31%), followed by financial consequences (20%), with policy or compliance issues coming in third (18%), as per the survey.

John Oltsik, a Principal Analyst, recently shared in NetworkWorld his estimate that about 0.60 to 0.70 cents of every security dollar is spent on either endpoint or network security. While vendors scramble to establish positions or defend customer bases, users benefit from a much-needed wave of information security innovation and architectural integration.

Yup, there are lots of reasons like these why organizations are consuming more and more security services worldwide.

Solutions?

So what should businesses do when it comes to implementing information security strategies? What should they do when they are dealing with outsourcing partners?

It is clear that an information security lapse can be harmful, if not disastrous, to the reputation of the company, and can bring financial losses as well. Hence promoting training and awareness within the organisation is clearly one way of dealing with it.

The next step would be to adhere to a set of globally benchmarked policies which help you avoid information security risks. An information security management system (ISMS) is a set of policies concerned with information security management or IT-related risks. The term arose primarily out of ISO 27001. The governing principle behind an ISMS is that an organization should design, implement and maintain a coherent set of policies, processes and systems to manage risks to its information assets, thus ensuring acceptable levels of information security risk.

The next step would be to hire a software vendor who is ISO 27001 certified. If your vendor does not have an Information Security Management System certification against ISO 27001, you will mostly get evasive answers to your queries on information security. Go ahead and ask your vendor the following questions, as suggested by Bill Mathews of Hurricane Labs.

  • What secure development lifecycle (SDL) do you use?
  • What type of regression testing do you employ with bug fixes?
  • What type of security training do you provide to your developers?
  • What sort of logs will this application generate?
  • How will the application handle authentication?
  • How will the web application handle credit card payments?
  • Has an application you’ve written ever been “hacked” or breached?
  • Can you tell me 5 good reasons why this application will never be hacked?
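Two of the questions above, what logs the application generates and how it handles authentication, have concrete good answers, and the following added example (not code from this post, from Hurricane Labs or from any vendor) sketches what one looks like in Python: passwords stored only as salted PBKDF2 hashes, constant-time comparison, the same amount of work done for unknown users, a structured audit log that records every login outcome without ever containing a credential, and a check a reviewer can run against that log. The in-memory user store, the audit log list, the client IP and the usernames are constructed for the example.

```python
import hashlib
import hmac
import json
import os
import time

# Constructed in-memory user store and audit log (assumption: a real service
# would back these with a database and a log file or SIEM feed).
USERS = {}
AUDIT_LOG = []

PBKDF2_ITERATIONS = 100_000
DUMMY_SALT = b"\x00" * 16  # used only to keep timing uniform for unknown users


def _audit(event, username, success, client_ip=None, reason=None):
    """Append one structured log line. Credentials are never part of the entry."""
    entry = {
        "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "event": event,
        "user": username,
        "success": success,
        "client_ip": client_ip,
        "reason": reason,
    }
    AUDIT_LOG.append(json.dumps(entry))


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(username, password):
    """Store a random per-user salt and the PBKDF2 hash, never the password itself."""
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _hash_password(password, salt)}
    _audit("user.register", username, True)


def authenticate(username, password, client_ip="203.0.113.7"):
    """Verify a login attempt and record the outcome in the audit log."""
    record = USERS.get(username)
    if record is None:
        # Do the same work for an unknown user so response time does not reveal
        # which usernames exist.
        _hash_password(password, DUMMY_SALT)
        _audit("auth.login", username, False, client_ip, reason="unknown_user")
        return False
    ok = hmac.compare_digest(_hash_password(password, record["salt"]), record["hash"])
    _audit("auth.login", username, ok, client_ip, reason=None if ok else "bad_password")
    return ok


def log_contains(secret):
    """True if a secret (password, card number, ...) appears in any audit line."""
    return any(secret in line for line in AUDIT_LOG)


def failed_logins(username):
    """Count failed login events for a user, the kind of query a SOC would run."""
    count = 0
    for line in AUDIT_LOG:
        entry = json.loads(line)
        if entry["event"] == "auth.login" and entry["user"] == username and not entry["success"]:
            count += 1
    return count


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print(authenticate("alice", "correct horse battery staple"))  # True
    print(authenticate("alice", "Tr0ub4dor&3"))                    # False
    print(authenticate("mallory", "anything"))                      # False
    print(log_contains("correct horse battery staple"))             # False
    for line in AUDIT_LOG:
        print(line)
```

The point for the outsourcing discussion is that a vendor who can show something like this, a hashing scheme, a constant-time check and log lines that carry who, when, from where and the outcome but never the secret, is giving a verifiable answer rather than an evasive one.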

By this time, you would realize that you cannot risk your product and your data with someone who is not ISMS certified. Go ahead and talk to someone who is ISO 27001:2005 certified.

What do you think? Do you agree that information security should be cared for?

Author – Subhendu Pattnaik


Posted in Security
  • Sudhir

    Yeah, data security is very inevitable in today’s fast, dynamic information systems. In fact, many vendors do have information security systems to handle various hazardous phishing. But here one point is missing: “Scalability in the application”. Generally clients deliver their products to the common person without thinking whether the application has the ability to accommodate the load. This attribute is very imperative while discussing with the client. It can be seen as an implicit feature of the application along with DATA SECURITY.

    Anyways it was a fine article.
    Thanks,
    Sudhir

  • Yogita

    Very informative post. Thanks Subhendu.

    Handling a client’s intellectual property, code and applications is a responsible task, especially when we are in different demographic zones. ISMS ensures policies are implemented w.r.t. infrastructure, data handling, access controls, external contractors etc. Engaging an ISMS certified vendor for your outsourced projects eliminates the risks of information theft and misuse.

copyright (c) Mindfire Solutions 2007-2013.