Companies are increasingly budgeting for employee cyber security training and awareness, with an emphasis on detecting and responding to social engineering and spear phishing attacks. As businesses mitigate new threats, there is always the question of whether their trading partners are adequately protected. Some concerns include: a) is there an information security culture at the partner firm?; b) if personally identifiable information (“PII”) is shared, does the partner adhere to applicable privacy laws and regulations?; and c) does the partner have an information security program to protect soft assets?
There are obstacles in assessing a trading partner’s information security program, ranging from differing views on acceptable security standards to issues surrounding disclosure of confidential IT infrastructure information. Nevertheless, at a minimum confirm that the following are in place: policies and procedures to monitor and detect attacks and intrusions; recurring third-party vulnerability assessments and penetration testing; employee background checks; business continuity and disaster recovery plans; data classification; and an acceptable use policy.
For assistance on assessing the information security profile of your partner, contact e-forensics at our website or call (305) 667-4603.