Contracts and pen tests key to outsourcing deals

By on
Contracts and pen tests key to outsourcing deals

Contractual jargon also important.

Proper planning and preparation reduces risk in third party outsourcing according to experts speaking at RSA 2013.

Among the risk is that attackers do not focus efforts on any given industry.

"It doesn't matter what industry or sector you're in, it's going to hit you," Evantix chief information risk officer James Christiansen said. "It's really about being prepared."

RSA 2013

RSA 2013 coverage

Organisations not only have to deal with the theft sensitive data, but also the repercussions of an incident that could yield a tarnished a reputation and a hefty price tag, said David Chavez, partner-in-charge at San Francisco-based law firm AlvaradoSmith.

"The best contract in the world is not going to prepare you for the cost," Chavez said. "You need to make that internal assessment and know what kind of vendors you're bringing in."

Ensuring that providers are credit worthy and have the appropriate capabilities to secure data is essential, Chavez said.

According to Verizon's 2012 "Data Breach Investigations Report," 46 percent of the incidents studied were due to third-party provider breaches. David Sockol, CEO at consulting firm Emagined Security, said many of those breaches are due to organisations not putting enough time into the due diligence to ensure that a provider is qualified to safeguard data.

In addition to using the proper legal jargon in contractual agreements, Sockol added that asking the right questions in advance and performing penetration testing are other ways to properly assess third-parties.

"Try not to trust everyone out there," he said. "At the end of the day, we can't avoid using third parties, so we need to understand what we're walking into."

This article originally appeared at

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © SC Magazine, US edition

Most Read Articles

Log In

  |  Forgot your password?