The CISO Must Be Involved with International Third Party Service Vendors
Even companies without physical operations or any customers overseas must still recognize that they are working in a global business environment. Many organizations that operate exclusively in the US still rely on overseas manufacturing, customer service and payment processing partners in locations like India, the Philippines, and China. While a business may not have its own customers and employees in those locations, the company must still carefully assess the security posture of its partners.
It is the CISO’s responsibility to identify the risks associated with international outsourcing and set policies for working with these companies. As business becomes increasingly global, here are a few things to keep in mind:
- Use data classification standards to determine which types of data are appropriate to share with third parties.
- Require an independent security assessment of all third party vendors regardless of location.
- Require security awareness training of third party employees.
- Carefully evaluate the risks of sharing data with companies in nations with high instances of cybercrime and state-sponsored espionage.
- Ensure the vendor is able to meet US regulatory and compliance requirements to safeguard customer data.
- Make certain the vendor's employees are vetted to a standard that meets your company’s expectations, to limit data loss caused by malicious employees.
- Consider their track record and length of service with other companies as a gauge of their reputation for secure, positive business relationships.