Compliance in the cloud is one of the biggest obstacles that many organizations face, regardless of its size. Even though the cloud is no longer a new concept, and the benefits of leveraging shared infrastructure or services to achieve economies of scale are becoming more apparent, many organizations are still reluctant to fully engage in a cloud-first strategy. The cloud, for many, is still a black box. Questions such as “how do we know for certain that our data is secure” or “how do we prove to customers that we are secure” will continue to surface.
These foundational questions are vitally important and cannot be overlooked. Without the luxury of deep pockets, organizations must be nimble and business savvy in how they go about verifying that their suppliers are compliant, and how they can internally demonstrate compliance to their respective customers.
This is the first in a series of blog posts on how to maintain compliance in the cloud. Let’s start off by diving deeper into the supply chain...
#1 - Compliance is a Shared Responsibility
Your supply chain is the new weak link in your organization’s security program. In a highly interconnected technological ecosystem, the protection of data extends beyond your immediate boundaries to every single service provider and supplier that you do business with. Cyber criminals are becoming more innovative and exploiting vulnerabilities in your supply chain to gain entry into your corporate environment. A recent example would be the advanced and persistent phishing campaign against outsourcing giant Wipro, in an effort to target the company’s Fortune 500 customers.
Here are some tips to secure your supply chain from such cyber attacks:
Choose the right suppliers during the procurement cycle. Set clear expectations on what your security requirements are from the beginning, and assess suppliers against these parameters. Create a vendor management scorecard to assist with the evaluation.
Extend your security policies and practices to your suppliers. Ideally, include these terms and conditions as part of the contract negotiation phase.
Routinely vet the suppliers to ensure they continue to maintain strong security practices. The extent of the assessments should commensurate with the level of integration and access the suppliers will have to your systems and data (both corporate and customer).
For additional assurance, engage the services of an independent body to validate the suppliers against their contractual commitments.
Treat suppliers as an extension of your business and an integral part of your security culture. By maintaining open communication whereby you inform them of security developments within your company (and vice versa), you can collectively reduce the likelihood and impact of an attack from different channels.
In today’s hyper-connected world, it’s vital to remain vigilant. Organization parameters extend beyond just the firewall. Cybercriminals know that, and they will use this to their advantage…
This post was contributed by Theresa Azari, a Sky Northern Security Alliance Member and governance & compliance expert. To reach her, email firstname.lastname@example.org