
How to Minimize E-Commerce Risk

Top infosecurity pros offer 5 strategies for protecting corporate networks even as you link more closely with your business partners

By Kim Girard

Page 4

Like Ryan, Health Net's Haydostian has developed requirements for business partners based on federal mandates. The company typically asks whether its partners comply with the Health Insurance Portability and Accountability Act (HIPAA) and guidelines from ISO, the National Security Agency and NIST. When necessary, Haydostian refers partners to the standards with which they must comply. He asks questions, such as whether the company has an information security officer and published security standards that are enforced. "You may be linking up to anybody, and you have to ask what security level they have," he says.

4. Ask for Audits

For added security, some companies are auditing their business partners more often. This approach is dicier, however. Bigger companies often have the upper hand when it comes to demanding audits and view them as a necessary part of doing business. Yet the audited parties sometimes view the audit as, at best, a necessary evil. For good reasons, they don't want the headache of allowing a bunch of outsiders to nose around their network. Some businesses, such as banks and big insurance companies, reject audits because they allow unwanted access by potential competitors in this ever-merging environment. Washington Mutual's Cullinane, for one, refuses audits outright. "We don't feel that's something we want to share with the world for competitive reasons," he says. The bank does, however, comply with federal rules that mandate certain breaches be reported.

To sidestep audits, some companies with clout contractually require business partners to maintain a certain security level, and then still treat them as "nontrusted partners" by installing a firewall and limiting access, says Andy Toner, a partner at PricewaterhouseCoopers. Health Net's Haydostian has a documented plan for auditing partners. First, he asks whether the partner has conducted penetration tests of both its internal and external networks. If any high risks are identified, he asks when the problems will be corrected and when the next test is scheduled. Aside from a HIPAA business associate agreement, the company requires that partners sign a document allowing Health Net to conduct unannounced site visits to audit their facilities. They also sign confidentiality agreements.

Others are more open to letting their business partners audit them, even viewing the process as helpful. Molex's Ryan says he agrees to audits because he understands the company's vulnerabilities at any given time and is always working to fix them. He says he'd be let down if partners auditing Molex didn't alert him to these problems; that would mean they weren't doing a good job auditing on their end.

CSO
