As IT security becomes ever more strategic for companies, concern is growing about how secure enterprise data is in the hands of third-party IT service providers. As a result, cybersecurity and data protection are now amongst the most challenging issues to be agreed on when negotiating contracts for outsourcing services. This is outlined by Rebecca Eisner, lawyer and partner at Mayer Brown in Chicago, in a statement to IT trade journal “CIO”. On the one hand, service providers are seeking to minimize their liability for fear of incurring enormous contractual penalties. But on the other, customers are equally concerned – in particular when service providers may not have the same incentives to safeguard customer data as their customers, and also because the negative impact of a security incident is always significantly more severe for the customer than it is for the service provider. At the same time, constantly evolving regulations make it extremely difficult for both of the parties to assess the risks. The situation is further complicated by an increasingly complex and geographically scattered IT landscape, Eisner goes on to say. In the days when company data was still stored at one or a few centrally located data centers, companies were able to do a decent job of securing the perimeters. But in this age of cloud storage and mobile end devices, the prospect of securing data has become rather more daunting. “The points of access and potential points of security failure multiply with this ever expanding ecosystem,” explains Eisner. “In addition, many of these systems are provided or managed by third party suppliers.” So CIOs would do well to pursue a risk management led approach when selecting, commissioning and supervising their IT service providers. Eisner lists 6 tips for companies to boost their data protection and IT security in their IT supplier relationships:
- Be aware which service providers are processing or have access to the company’s most important, sensitive or strictly regulated data, as well as data that the company considers its “crown jewels”.
- Work closely with the security, vendor management, and legal teams to identify which supplier relationships pose the greatest risks for the company, so that the enterprise can devote more attention and resources to these suppliers.
- Scrutinize existing IT supplier contracts in the light of your up-to-date and well-defined security and data protection requirements in order to identify and close any security gaps.
- Make sure that your vendor management, compliance or security management teams monitor the IT at high-risk service providers, and also ensure that vendor security assessment questionnaires are updated on an annual or bi-annual basis, including a review of audit reports, certifications and penetration tests. Also make sure that site visits and annual security reviews are conducted where appropriate.
- The standard contractual terms for security and data protection must regularly be reviewed with the legal team to ensure that they are up to date. In this regard, Eisner expressly refers to the new EU data protection directive (GDPR) which comes into force in 2018.
- Management, staff and supervisory board, if relevant, should be made aware of security and data protection risks, and steps which can be taken to mitigate risks need to be explained.
With Retarus as your information logistics service provider you are always on the safe side. Our own data centers distributed around the globe fulfill the most stringent requirements for data protection and security. Your data is exclusively processed in accordance with the applicable local regulations and data protection provisions. Retarus relies on a strict system of internal controls, which is continuously audited by a renowned business consultancy. If required, we also make it possible for your auditors to gain personal access to our data centers and allow them the necessary insight into relevant processes. Please feel free to get in touch with your local Retarus contact person directly for more details.