As the day progresses, more and more Epsilon clients are notifying their customers that their details have been compromised, and that got me thinking about how much information is routinely handed to third parties for all sorts of purposes. Outsourcing specialist tasks is nothing new. What I have found in the past, though, is that information is often handed over without anyone really thinking through the consequences should it be compromised. So here are some of the things I believe you should be doing when handing client information to third parties. As usual, feel free to add your own experiences and suggestions.
Before handing over any information, you may want to ask the following:
What is the minimum amount of information needed to perform the tasks requested? - We often find that people hand over substantial amounts of data when all that is really required is an email address and a first name. This will of course depend on what the third party is doing for you, but thinking about what they genuinely need is a good starting point. The residual data can then be risk assessed and a decision taken.
How are you protecting my information? - You will likely get a warm, fuzzy answer and have to sift through it to find the real one. What you are looking for are operational security processes: How would they notice a breach? Do they utilise IDS/IPS? Do they have firewalls (and yes, sometimes the answer will be "no, we don't need a firewall")?
Do you have the right to audit? - The answer to this will often give an indication as to what the real answer is to the previous question. If the answer is no, well ...
Do they have an incident response process?
What steps will be taken in the event of a breach, and when will you be notified? - i.e. how long will they sit on the compromise before they let you know the data is gone?
What happens if the breach is at a subcontractor of the organisation? - Many companies subcontract processes to others, so the question applies down the chain.
Who will carry any additional costs? - In some jurisdictions there is a notification requirement. In some cases this has to take the form of snail mail, and those stamps get expensive; who will pay for that?
If you have any special security requirements for your information, communicate them clearly to the provider so they can meet your expectations.
Collect the answers and have them written into the contract/agreement, so that nobody can forget who would do what and when.
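The first question above, minimum information, is the one most easily turned into a control. The following is an added example and not part of the original diary: a Python filter that projects customer records onto a per-purpose allowlist before export, refuses a purpose that has no allowlist, hard-blocks fields that should never leave regardless of purpose, and replaces the internal customer id with a keyed HMAC reference the vendor can quote back without learning the id. The purposes, field names, sample customers and key are all constructed for the example.

```python
"""Data-minimisation filter for third-party hand-offs (added example)."""
import hashlib
import hmac
from dataclasses import dataclass, field

# Hypothetical purposes and field names, constructed for this example.
# Each purpose gets exactly the fields the vendor needs for that job.
ALLOWLISTS = {
    "email_campaign": {"email", "first_name"},
    "postal_notification": {"first_name", "last_name", "postal_address"},
}

# Fields that never leave the organisation, whatever the purpose claims.
NEVER_SHARE = {"password_hash", "card_number", "national_id"}

# Constructed sample data; none of these are real customers.
SAMPLE_CUSTOMERS = [
    {"customer_id": 1001, "first_name": "Ada", "last_name": "Example",
     "email": "ada@example.com", "postal_address": "1 Test Lane",
     "card_number": "4111111111111111", "password_hash": "$2b$12$placeholder"},
    {"customer_id": 1002, "first_name": "Bob", "last_name": "Sample",
     "email": "bob@example.com", "postal_address": "2 Test Lane",
     "national_id": "000-00-0000"},
]


@dataclass
class ExportResult:
    records: list
    dropped_fields: set = field(default_factory=set)  # present but not needed
    blocked_fields: set = field(default_factory=set)  # on the never-share list


def pseudonym(customer_id, key):
    """Stable, non-reversible reference the vendor can quote back to us.

    A keyed HMAC rather than a bare hash, so a vendor holding the export
    cannot simply hash every small integer to recover the internal ids.
    """
    mac = hmac.new(key, str(customer_id).encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def minimise(records, purpose, key):
    """Return only the fields the stated purpose requires, plus a pseudonym.

    Fields not on the purpose's allowlist are dropped and reported so the
    export can be reviewed; never-share fields are reported separately.
    """
    if purpose not in ALLOWLISTS:
        raise ValueError(f"no allowlist defined for purpose {purpose!r}")
    allowed = ALLOWLISTS[purpose]
    result = ExportResult(records=[])
    for rec in records:
        out = {"ref": pseudonym(rec["customer_id"], key)}
        for name, value in rec.items():
            if name == "customer_id":
                continue  # replaced by the pseudonymous ref above
            if name in NEVER_SHARE:
                result.blocked_fields.add(name)  # checked before the allowlist
            elif name in allowed:
                out[name] = value
            else:
                result.dropped_fields.add(name)
        result.records.append(out)
    return result


if __name__ == "__main__":
    export = minimise(SAMPLE_CUSTOMERS, "email_campaign", b"constructed-demo-key")
    for row in export.records:
        print(row)
    print("dropped:", sorted(export.dropped_fields))
    print("blocked:", sorted(export.blocked_fields))
```

The dropped and blocked sets are the useful part for the risk assessment the text describes: if the export for an email campaign reports that postal addresses and card numbers were about to leave, that is a conversation to have before the hand-off, not after the breach notification.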
That's my quick start list before handing information over.
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.