04
Making a secure decision
To gain a comprehensive understanding of a potential partner’s approach to system and information security, government needs to look beyond certification or regulatory compliance
(Time to read: 1.5 mins)
As well as rating organizations on their depth and breadth of capabilities and their capacity to engage in a partnership approach that reflects oversight requirements, the selection process needs to reflect modern risks and be able to assess potential partners’ mitigation strategies.
The first and biggest risk is system and information security. Ensuring compliance with regulations such as GDPR, HIPAA or HITRUST, or checking that the organization holds ISO 27001 certification, is a good first step. However, proof of compliance, even if backed by a risk assessment questionnaire, is not proof that an organization has what it takes to be a trusted partner, especially when it comes to handling something as sensitive as government data.
Every potential partner is a potential attack vector, and every reciprocal commercial relationship runs the risk of increasing your attack surface. Therefore, any assessment process should include speaking with a selection of any potential partner’s existing clients to get a fuller picture of security performance.
In this respect, it should also be best practice to consult security ratings firms that can provide an independent validation of any organization’s real-world security posture. This adds context, since most ratings firms can rank organizations both within their specific industry sector and against the wider business landscape.
Checklist

Verify that each potential partner has the right certification and complies with regulations.

Seek confidential references from existing clients to better assess security performance and risk management strategies.

Consider using a security ratings firm for an independent and grounded assessment of each organization’s security posture.