BreachExchange mailing list archives

What Can Parenting Teach Us About Data Security?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 20 Apr 2015 18:21:23 -0600

http://econintersect.com/b2evolution/blog1.php/2015/04/19/what-can-parenting-teach-us-about-data-security

My older child often asks if he can play at his friend Mac's house. If
his homework is completed, my wife and I will give him the green light, as
we are comfortable with where he is heading. This level of comfort comes
from our due diligence of getting to know Mac's parents and even the
different sitters who watch the children when Mac's parents might be
working late.

Things often get more challenging when he calls to tell us that he and Mac
want to go to another friend's house. And this might not be the last
request as our son might end up at yet another friend's house before
finding his way home for dinner. We might not be familiar with these other
environments beyond Mac's house so we often have to rely on other parents'
or sitters' judgment and due diligence when deciding whether or not it is
okay for our son to go. Regardless of under whose supervision he falls, we,
as his parents, are ultimately responsible for his well-being and want to
know where he is and who he is with.

As I think about my responsibility in protecting my children in their many
different environments, I realize that parenting is an excellent metaphor
for vendor risk management and data security. For financial institutions
(FI), it is highly likely that they are intimately familiar with their core
banking service providers. For merchants, the same can probably be said for
their merchant acquiring relationship.

However, what about the relationships these direct vendors have with other
third parties that could access your customers' valuable data? While it
probably isn't feasible for FIs and merchants to be intimately familiar
with the potentially hundreds of parties that have access to their
information, they should be familiar with the policies and procedures and
due diligence processes of their direct vendors as it relates to their
vendor management programs.

In today's ever-connected world, with literally thousands of third-party
solution providers, it is necessary for FIs and merchants to be familiar
with who all has access to their customers' data and with the different
places this data resides. Knowing this information, it is then important to
assess whether or not you are comfortable with the entity you are
entrusting with your customers' data. Just as I am responsible for ensuring
my children's safety no matter where or who they are with, financial
institutions and merchants are ultimately responsible for protecting their
customers' data. This difficult endeavor should not be taken lightly.
Beyond the financial risks of fraud losses associated with stolen or lost
data, businesses might also be subject to compliance-related fines. And you
are highly likely to take a negative hit to your reputation. What are you
doing to ensure various third parties are protecting your sensitive data?
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
