“What questions do I need to ask to make sure my vendor is protecting my information?”

I got asked that question last week from a new client working through the Protecting Information Program (PIP). Following the PIP process, he realized vendors were supporting key systems — raising questions he could not answer. He needed more assurance that he wasn’t taking on unnecessary risk – and was looking for guidance. It is a good question. The challenge, however, is to provide an equally good answer.

Traditionally, the answer to that question is focused on the vendor employees in terms of how many hold a security certification (my status as a CISSP Instructor has been valuable in the past). This is better than nothing, but all-too-common is the situation where the cobbler’s children wear no shoes (or the modern adaptation where the contractor’s spouse never has anything fixed around the house). 

Instead of relying on individuals holding certifications, some turn to checklists. Checklists are both good and dangerous (I feel another post coming on about my experiences with developing checklists). Checklists that are simple easy-to-understand and as easy to apply/answer are more effective. But what happens if the business asking the questions lacks the experience to gauge the answers?

We need a better solution.

I recently got an insider’s look at a better solution: The Security Trustmark, a new organizational-level certification being developed by CompTIA. Some limited information is available here: http://www.comptia.org/sections/trustmark/

From their website:

The CompTIA Security Trustmark is a vendor neutral accreditation around security business capabilities and processes that have been agreed upon by the IT industry to promote generally accepted security practices that will invoke the trust of end-users.

The objective of the CompTIA Security Trustmark accreditation is to develop a baseline standard of security practices around service and support business competencies for Solution Providers and Managed Services Providers (MSPs).

After participating in the workshop and spending a few weeks pondering this approach, I want to briefly introduce what I consider to be the benefits of this offering, share what I liked and explain where I see the challenges (tomorrow).

And then I want to learn – join me in the conversation about this whether by email (securitycatalyst – gmail), by twitter (http://twitter.com/catalyst), in the Security Catalyst Community Discussion Forums or by telephone. I want to learn about other models, efforts, and attempts. I want to understand if there are additional challenges for us to consider. I want to understand how this effort is (or becomes) useful to more people.

 

The Starting Point

Initially, this approach is geared toward small and mid-size vendors and VARS: companies that work within “the channel.” This approach:

• sets a standard for smaller companies to achieve, allowing them to demonstrate to their channel partners they pose less risk to work with
• allows vendors higher confidence across their entire channel
• creates distinction for VARs and Channel Vendors alike that results in competitive advantage

With the growing attention on breaches, privacy and compliance – rather than working to explain all of your measures, think of the power of explaining that you have attained the Trustmark – publicly verifiable and audited.

 

The Big Picture (as I see it today)

My passion for this, of course, is bigger. In the last few years, a growing challenge for those I work with is defining and explaining the minimum set of acceptable controls to protect information. Equally challenging for larger organizations is designing and employing third-party (vendor) review processes.

This results in a lot of re-creating the wheel. And it increases the cost of business for everyone involved. I have no argument with the need for due-diligence on vendors – but lament every year the lack of a “common application” approach that seems to work for university applicants.

Imagine being able to pre-validate vendors by virtue of having a Trustmark?

Provided the core elements of Trustmark are publicly available (transparent) and regularly maintained to represent the distilled good practices for managing people, information and risk, we collectively take a step forward.

• Businesses know what is expected of them – and will have the opportunity for the guidance and support to take the appropriate actions for their business. They can then earn the Trustmark designation and use that to differentiate themselves for contracts.
• Companies seeking to review vendors can greatly cut down on costs and timelines for vendors with a valid and audited Trustmark. It may not replace the current programs – but it certainly establishes a stronger base to start from and increases assurance while decreasing risk.

Done right, Trustmark is not another reinvention of the wheel. Rather, it provides a clear direction for businesses that distills the best of industry guidance. I envision this operating almost as an “overlay” – where several valid methods to meet the controls are deemed acceptable. This reduces complexity and more naturally meets the needs of those who seek the certification. For example, companies already compliant with HIPAA and PCI should be able to easily earn the Trustmark. At the same time, a company that need not meet any of those requirements is equally able to address and satisfy the controls necessary to get certified.

Over time, I envision this meeting the needs of car dealers, medical offices, bank branches – the very places we visit on a regular basis. I see this as the smartest way to distill the best of our industry and present guidance in simple terms to businesses that want to protect information, but focus on other areas (for example, making money).

Answering the Question

No question, I am excited about the potential Trustmark holds (both short-term and long-term). I see this as a real answer to valid and necessary questions about how vendors protect information — in a way that builds trust and allows everyone to focus on whatever they do best while meeting fiduciary duties.

As I was working on this article, I took an unexpected meeting with a company facing the same challenge: how to assess their vendors from an information-protection perspective. The marketplace is ready for standard guidance and a program that builds confidence; we have an opportunity to make a difference!

Tomorrow, I’ll continue this article by explaining the key challenges I see facing Trustmark, as well as some insights on how to avoid it. In the meantime – how do you answer the question when asked about assessing vendors? How do we avoid creating the wheel? How would this benefit your business?