With the increase in globalisation, organisations are teaming up and entering into partnerships in order to meet their information technology requirements.
Organisations are taking advantage of the technical skills of other companies to ensure that their environments are managed effectively and efficiently, so that they can concentrate on their core business.
In other situations, organisations outsource their technology functions to a third-party service provider so that they can focus on their key business; as a result, there has been a leap in the number of organisations offering outsourcing services.
It is to be noted that in both situations, organisations need to ensure that the information security practices of new partners and outsource service providers are consistent with industry standard security practice.
When entering into partnerships or outsourcing any aspect of its information system functions, an organisation needs to carry out information security assessments of partners and third parties to measure the extent to which they implement information security. Such an assessment serves both as a precursor to entering into business and as a way to identify any weaknesses which may cause problems from a technical, financial or legal point of view.
Once these assessments have been carried out, the organisation can then decide whether to go into partnership or indeed utilise the services of the outsource service provider.
Organisations that have already entered into partnerships or outsourced aspects of their IS functions are still able to carry out security assessments of partners and outsource service providers. They can do this by renegotiating contract terms and stipulating the need for appropriate security measures for the benefit of all parties.
It is also to be noted that organisations can renegotiate contract terms on the basis of information security. These terms can include contractual agreements and clauses relating to maintaining industry-based information security practices.
It is important that organisations identify and stipulate industry standard security practices for partners, third parties and outsource service providers. This is because numerous pieces of legislation now make it a mandatory requirement for organisations to adopt appropriate security and technical measures and controls on systems used in the processing of personal information or in financial reporting. European law such as the Data Protection Directive and the Electronic Privacy and Communications Directive stipulates that appropriate technical measures be adopted to safeguard personal information.
The Data Protection Directive also states that personal information should not be transferred outside of the European Economic Area if the country to where it is being transferred does not have legislation safeguarding the rights and freedoms of data subjects in relation to the processing of personal information.
In the United States, legislation such as the Gramm-Leach-Bliley Act and HIPAA stipulates mandatory minimum requirements for security. A consequence of this legislation is that, in the event of an information security breach, organisations can show that they implemented appropriate security, thus reducing unnecessary backlash in the form of share price reduction and loss of customer confidence.
Zylt Consulting are adequately positioned to assist organisations in identifying minimum security requirements of partners and outsourced service providers.
We are also able to advise on clauses for information security contract agreements.
Our assessment consists of measuring legislative and technical requirements in conjunction with the organisation's security practice. We then conduct an analysis and feed back to our client, advising them on the areas which comply and those which need to be improved upon.
We find that this is an invaluable and beneficial service to our clients.