Internal policies aren’t the only source of rules that must be followed when protecting information. Every time you initiate a relationship with another entity, there are potential risks on both sides that should be formally addressed.

Formalizing responsibility for security is especially important in outsourcing relationships with partners, clients or suppliers.

This is important for many reasons, including the following:

  1. Every organization has a different set of internal policies, so different safeguards will inevitably be used, some of which will not be compliant with the other partner’s internal policies
  2. Every organization has different infrastructure vulnerabilities; some may be known and others may not
  3. Every organization has different potential threat agents or scenarios that the other organization may not have considered in their own threat analyses
  4. Every organization has different commitments to its clients and other partners; some may be inadequate for protecting a partner’s information without additional safeguards or procedures

In order to address these differences, both parties must have a common understanding of what information and business systems are important to all participants. Many organizations simplify the process when dealing with multiple partners at arm’s length by creating dedicated network zones that isolate the core of their environment from their partners’ environments. These zones usually include the essential components and data that need to interact with other entities whose security safeguards are outside their control.

In addition to network environment considerations, you should have contractual controls that outline what each party is responsible for. Considerations for these contractual controls include areas such as:

  1. Types of information that each party considers sensitive to their business, clients and partners
  2. Types of individuals allowed to handle the other party’s sensitive information
  3. Types of interconnections allowed between the parties
  4. Types of equipment, applications and users allowed at each end of the interconnections
  5. Each partner’s internal policies can be referenced to simplify the content of the agreement; in that case, however, there must be genuine understanding of the partner’s policies, not just lip service, which leads to the next item
  6. Training of partners’ staff on the sensitivity of information and on partner policies
  7. Types of processes in place to provide assurance that these governing contractual requirements are being respected throughout the duration of the partner agreement, including the ability to audit the partner’s facilities, if necessary
  8. Service level agreements between the parties that govern the availability of services, as well as human communication channels and response times

These are just a few of the considerations, at a high level, that should be put in place. During the negotiation of these items, organizations gain a much better understanding of their partners’ expectations.

Sometimes you can get clues from an organization’s culture or historical performance as to whether more formalization in an agreement is required. It’s worth noting how they handle their own information and how strict they are with physical or personnel security when you are visiting or exchanging information informally.

Presumably each organization is joining the relationship because it adds value to their business offering in some way. But if risk is added by one party neglecting the other party’s interests, the partnership is not likely to be sustainable. In other words, if a partner is not ready to negotiate on these terms, you have to wonder how much value they are bringing to the relationship versus the risk they are adding.