Over the past few years I have done well over a hundred business partner security program reviews for organizations that wanted to ensure that the partners to whom they were entrusting sensitive data, or other business processing, had appropriate security and privacy policies, practices and training, and were generally trustworthy.
By now most organizations realize that performing information security program reviews or audits of their business partners is a good idea when those partners have been entrusted with sensitive data or with access to networks and systems. But performing business partner reviews is more than just a good idea.
• It is a requirement of multiple laws and regulations
• It is typically necessary to demonstrate due diligence
• It may be necessary to comply with contractual requirements
• It can be necessary to comply with your own posted privacy and security policies, depending on how they are worded
I wrote about this in detail for my August CSI Alert column, “You Will Be Judged By the Company You Keep.”
In the article I discuss the many laws that address the need for business partner reviews, along with at least 14 actions you should take when performing business partner security program reviews.
If you are trying to determine whether or not you should do business partner security program reviews, I invite you to read the article and let me know what you think.
Tags: awareness and training, business partner security review, Information Security, IT compliance, personally identifiable information, PII, policies and procedures, privacy, risk management