Requirements and Expectations
A Documented Security Policy
Security experts say every company should demand to see its B2B partners' written security policy. Lee Holcomb, CIO of NASA, says that is something he's strict about because he uses online connections to post competition opportunities and pay aerospace vendors and contractors. He expects policies to include firewall maintenance and patch-service provisions and to provide for vulnerability assessment and intrusion detection, as well as a training program for systems administrators who would have access to sensitive information. "We're dealing with astronauts or pilots in space," says Holcomb. "Security and safety are synonymous."
The Federal Reserve typically asks for a written description of a partner's security organisation, including its roles and responsibilities and where the security function reports. "If security is buried in the technical bowels of an organisation, it's probably not having significant influence on senior management," Wade says.
The policy should also identify individuals managing the partner's security program, adds Harry DeMaio, a director in Deloitte & Touche's enterprise risk practice in New York City.
Secure Application Development Practices
In most B2B relationships, partners grant each other limited authority to enter their systems and access critical information. If your partner is using proprietary applications that touch your system, security must be built into those applications. Your partner must show you how security is incorporated into its application design, development and deployment plans, says DeMaio. Look for access and authorisation controls built into the application, path isolation to ensure that the application's user goes only where he is allowed to go, and logging and reconciliation that provide a record of where any user has been and match it against what he has done. "Make sure the application doesn't turn off or ignore other security controls, like encryption, associated with the [B2B] system," adds DeMaio.
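The three controls DeMaio lists (authorisation checks, path isolation and a reconcilable audit trail) can be shown in a few dozen lines. The following is an added example written for this article, not code from any partner or exchange it mentions; the partner accounts, their permitted actions and the directory roots are constructed data, and the reconciliation step simply compares logged orders against a ledger the partner supplies, which is one way to match "where a user has been" against "what he has done". The same reconciliation is what would have surfaced the unexpected orders in the departing-employee story told below.

```python
"""Application-level access control for a partner-facing B2B gateway:
action authorisation, path isolation and an audit log that can be
reconciled against the partner's own records.  Constructed example."""
import posixpath
from dataclasses import dataclass

# Hypothetical partner accounts (constructed data): the actions each may
# perform and the single subtree each is confined to.
PARTNER_ACL = {
    "acme-buyer":   {"actions": {"read", "order"}, "root": "/partners/acme"},
    "globex-audit": {"actions": {"read"},          "root": "/partners/globex"},
}


@dataclass
class AuditEvent:
    user: str
    action: str
    resource: str   # resolved path if allowed, raw request if denied
    allowed: bool
    reason: str


class AccessDenied(Exception):
    pass


class PartnerGateway:
    def __init__(self, acl=PARTNER_ACL):
        self.acl = acl
        self.audit = []          # every request, allowed or not, is recorded

    def _isolate(self, user, requested):
        """Path isolation: resolve the request beneath the user's root and
        refuse anything that escapes it via '..' segments or absolute paths."""
        root = self.acl[user]["root"]
        resolved = posixpath.normpath(posixpath.join(root, requested.lstrip("/")))
        if resolved != root and not resolved.startswith(root + "/"):
            raise AccessDenied(f"path escapes {root}")
        return resolved

    def request(self, user, action, resource):
        """Authorise one request.  Returns the AuditEvent that was logged;
        callers check .allowed before touching the resource."""
        allowed, reason = False, ""
        try:
            if user not in self.acl:
                reason = "unknown user"
            elif action not in self.acl[user]["actions"]:
                reason = f"action {action!r} not granted"
            else:
                resource = self._isolate(user, resource)
                allowed, reason = True, "ok"
        except AccessDenied as exc:
            reason = str(exc)
        event = AuditEvent(user, action, resource, allowed, reason)
        self.audit.append(event)
        return event

    def reconcile(self, partner_ledger):
        """Reconciliation: orders the gateway allowed that the partner's own
        ledger (a set of resource paths) does not know about."""
        return [e for e in self.audit
                if e.allowed and e.action == "order"
                and e.resource not in partner_ledger]
```

Denied requests are logged with the raw path the caller sent, so a traversal attempt is visible in the audit trail rather than silently normalised away; allowed requests log the resolved path, which is the value the ledger comparison keys on.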
Access Control and User Authentication
Lax access controls within your partner's systems will give you a big headache. Ray Bedard, a partner in PricewaterhouseCoopers' supply chain practice in the US, tells of a company he worked with that failed to terminate a departing employee's access to its B2B applications. Before the employee left, he went into the system and ordered a bunch of goods from an online partner. The goods arrived and nobody could figure out what they were doing there. It took several hundred man-hours for the parties to resolve the mess.
To avoid that sort of tampering, companies should require partners to maintain strong, actively managed password programs. Measures should include requirements to change passwords regularly, monitoring and logging of password usage, tools to detect easily guessed passwords, and a central authority to set access policies. Wade adds that you should forbid your partner to set up departmental passwords (a single credential shared by a whole group) if the partner accesses your systems through its network. "This is always a sticking point in negotiations," he says. "The partner always wants to use some easier form" of password protection.
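Two of the measures above are checks a gateway can run itself: rejecting easily guessed or stale passwords at change time, and spotting a shared departmental password from the login log. The following is an added example, not code from the article or from any organisation it quotes. The deny-list of common passwords, the 12-character minimum, the 90-day rotation interval, the log line format and the threshold of two source hosts are all assumptions chosen for illustration; a real deployment would use a large breached-password corpus and its own log schema.

```python
"""Password-policy checks and shared-account detection for a B2B gateway.
Constructed example; thresholds and log format are assumptions."""
import re
from datetime import date, timedelta

# Constructed deny-list; a real deployment would use a breached-password corpus.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty",
                    "letmein", "welcome", "admin"}
MIN_LENGTH = 12                 # assumed minimum length
MAX_AGE = timedelta(days=90)    # assumed rotation interval


def password_problems(password, username, last_changed, today):
    """Return the policy rules a password violates (empty list = acceptable)."""
    problems = []
    lowered = password.lower()
    # "password1" and "password!" are the same guess with a suffix bolted on
    stripped = re.sub(r"[0-9!@#$%]+$", "", lowered)
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in COMMON_PASSWORDS or stripped in COMMON_PASSWORDS:
        problems.append("on the easily-guessed list")
    if username.lower() in lowered:
        problems.append("contains the user name")
    if len(set(password)) < 5:
        problems.append("too few distinct characters")
    if today - last_changed > MAX_AGE:
        problems.append(f"older than {MAX_AGE.days} days")
    return problems


# Assumed log line shape: "<timestamp> login user=<name> src=<host>"
LOGIN_RE = re.compile(r"login user=(\S+) src=(\S+)")


def detect_shared_accounts(log_text, max_sources=2):
    """Accounts logged in from more than max_sources distinct hosts: the
    usual signature of one 'departmental' password used by a whole group."""
    sources = {}
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            sources.setdefault(m.group(1), set()).add(m.group(2))
    return sorted(u for u, hosts in sources.items() if len(hosts) > max_sources)


# Constructed sample log: "accounting" is used from three workstations.
SAMPLE_LOG = """\
2001-05-03T09:12:41 login user=accounting src=10.20.1.15
2001-05-03T09:14:02 login user=accounting src=10.20.1.22
2001-05-03T09:15:37 login user=accounting src=10.20.1.31
2001-05-03T09:20:10 login user=mlee src=10.20.3.7
2001-05-03T10:01:55 login user=mlee src=10.20.3.7
2001-05-03T10:07:12 login user=jdoe src=10.20.3.9
2001-05-03T11:30:00 login user=jdoe src=10.20.3.40
"""

if __name__ == "__main__":
    print(password_problems("Password1", "jsmith", date(2001, 1, 1), date(2001, 5, 1)))
    print(detect_shared_accounts(SAMPLE_LOG))
```

The shared-account check is deliberately crude: a user who legitimately roams between a desk and a laptop will trip a threshold of two, so in practice the threshold is tuned per partner and the output is reviewed rather than acted on automatically.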
For sensitive information, companies should require higher-level access and authorisation tools. Ramana Palepu, CTO of the Worldwide Retail Exchange, says his members require public-key infrastructure authentication technology, and will expect digital signatures for financial settlement and payment services the exchange may offer in the future. But for less sensitive transactions, such as purchase orders, auctions and item tracking, strong password and user-name controls suffice.