How to Minimize E-Commerce Risk
Top infosecurity pros offer 5 strategies for protecting corporate networks even as you link more closely with your business partners
By Kim Girard
Some companies treat partner audits on a case-by-case basis. Paul Sheahan, an information security manager at an online retail business, typically comes to an agreement with a partner about whether his company can remotely audit from time to time. Nothing is mandated. But if the partner agrees, Sheahan's company uses different types of vulnerability and port scanners to audit the partner network. "They have to agree beforehand," Sheahan says. "We can't just scan them without permission. We can usually come to some sort of agreement."
Sheahan, like many CSOs, is struggling to create uniformity when doing business with 25 partners. "Everyone knows a process should have been in place," he says. But "it always fell through the cracks."
5. Offer Education
Aside from training their own employees, should CSOs be responsible for training their partners too? "We do this to a certain degree," says Rick Ensenbach, director of information security at Conseco Finance. "People on the other end are competent. We don't do anything complicated." The company offers its partners user handbooks and guides that explain its processes. Conseco, like all financial institutions, makes partners sign a high-level contract that mandates they protect customer information according to federal and state regulations. To make sure that Conseco's own systems are secure, Ensenbach works with the company's technology staff, which uses tools such as BindView, Nessus and Snort to do technical audits within its divisions. He's planning to hire consultants to conduct an independent annual security audit that meets the requirements for banks included in the Gramm-Leach-Bliley Act. Ensenbach says the company would not share audit information with any other company without first making sure a nondisclosure agreement or some type of confidentiality contract is in place.
"I see this practice continuing and probably increasing because people like myself don't have the time or resources to audit business partners," he wrote in an e-mail. "There comes a point where you have to put trust in your partners."
And that brings us full circle. Just as security guru Bruce Schneier says, e-commerce remains an act of faith.
(This story was originally published in CSO under the headline "Hall Monitors.")