the changing business models, partnerships, outsourcing and mergers. We've discussed this a little bit, and certainly, any time you take on a partnership with another organization, you have a different organization that doesn't necessarily go through your processes. They have their own approach. They have their own corporate environment. They may be bringing something new that could be a benefit to your organization. But any time you have two disparate pieces coming together, there's always going to be that friction. There's always going to be that learning curve. So partnerships and acquiring other companies can always present issues.
Sometimes I ask people, if I say that I've outsourced, does that eliminate my risk in any given situation? And the answer is, of course not. As a matter of fact, sometimes outsourcing will increase my risk,
because what happens is now I'm turning something over to an unknown entity, some entity that's not under my direct control, my direct supervision. Think about this maybe from the perspective of health care, and we know how important it is to protect patient information in the healthcare industry. So let's say that I'm a small medical provider and we see 100 clients a week, 50 clients, it doesn't really matter. But we don't have the capabilities in house, with our technology and with our staff, to process our medical forms in such a way that we're compliant with HIPAA. We just don't have the capabilities. Right now we're growing, but we're not there yet. So I decide to outsource the processing of these medical forms to ABC Company, and that's their specialty. They process medical forms. They guarantee compliance with HIPAA. So I outsource the processing of those forms to ABC.
Does that mean that I'm off the hook? I can wash my hands and say, thank goodness that's taken care of? Of course not. As a medical provider, and I'm the medical provider, it is still my requirement that the medical information that I obtain, the patient information that I have, that I collect, that I process, must be protected under HIPAA. So just the fact that I found another company to do the processing for me in no way reduces or eliminates my risk. I am still every bit as responsible and accountable for the protection of that patient information as I was if I hadn't outsourced.
So why outsource? Well, they may clearly have better capabilities than I do, but I have to make sure I have a very well written contract. As part of that contract I want to include what we call the right to audit, meaning that I can show up and I can make them show me their records and show me proof that they meet the requirements that I've specified in my contract. And essentially, that's what I have to do. I have a contract. It's well written. It's audited. This company is monitored, because ultimately, if they fail to meet HIPAA compliance requirements, I'm liable.
Now, because of the HITECH Act, if you're familiar with that, of 2010, they have liability as well. But that's neither here nor there for me. It doesn't get me off the hook just because I've outsourced. So when we do outsource, particularly in the realm of security, we have to know that we still have to meet those requirements. Now we're just responsible for making sure somebody else does that for us.
And if you want to talk about outsourcing, the ultimate in outsourcing is the cloud. I think many of us have heard that the cloud is the ultimate solution, and the cloud is what's going to make all of networking and all of security easy, and everything's going to be perfect. All you're doing with the cloud is outsourcing these services to an Internet provider, someone that you access through the Internet. So okay, I have to store forms to be in compliance with, you know, it may be personally identifiable information that has to be stored. So the fact that I'm storing it on a server on the Internet as opposed to a server locally, does that change my obligations or my requirements? Of course not.
So when we're taking on these cloud providers, whether we're using them for platforms or software development or infrastructure, and we'll talk about the cloud later, what we have to keep in mind is all we're doing is taking the stuff that used to be in our physical security, under our control, in our ownership, in our supervision, and we're storing it at someone else's shop, so to speak. And yes, we can access it across the Internet, but we keep in mind: so we store our patient information on a cloud storage provider. Well, what other information is that cloud storage provider storing, right? What other companies is he leasing that space to, that virtual space on his server? What if my information is stored on the same server that someone else is storing their data on, and that company that's also using that server commits a crime? What happens if the FBI comes in and seizes that hard drive? It's also the hard drive that stores my company's information.
What happens if there's a security breach at that cloud service provider? I think we all followed, or we all heard of, iCloud storage: celebrity images being hacked, personal celebrity images being hacked and made available on the Web. Just because it's stored in the cloud in no way makes it more secure. In some ways, it makes it less secure. It's more widely available and easily available. It can be targeted. So the bottom line is outsourcing may be a very good solution if I don't have the skill set or the resources to provide the services I need. Sure,
but the point I want to make is you need to monitor the company to whom you outsource. You need to audit. You need to have a well defined, well written contract. You need to make sure that you do your due diligence ahead of time, and find out what their liability is if your data is compromised. What is their backup policy? What is their availability and fault tolerance? What do they do in the realm of disaster recovery and business continuity? All of those elements for that provider now become your problem if you're using the cloud for storage or infrastructure or whatever. And again, we'll talk about cloud storage and those ideas a little bit more. But I just want you to know what you're doing with that. Outsourcing can help you. It can be a very valid solution, but it can also introduce a lot more risk to your environment than maybe initially anticipated.
So how do we know? We audit. How do I know what risk events are materializing, what their effect is, what their impact is? Are we following policy? Are they following policy? Is policy being effective? The answer to all that is we audit. And when we talk about auditing, we look at the processes. We look to see if they're effective. We look to see if they're being followed. We look for issues with compliance. Are we in compliance or not? So we audit and we review those findings. We have expectations for compliance.
Management has to be on board, because what happens if a unit is out of compliance or a vendor is out of compliance? What do we do about those? And audits can be very broad or very narrow. We can talk about audits from, maybe you're a payment card industry member. Maybe you take Visa. So PCI DSS, which is something we'll talk about, that's the Payment Card Industry Data Security Standard, and it's self regulated, but it's a very stringent set of requirements you have to meet to take Visa or MasterCard or any of the other credit cards that are out there. And with that industry being self regulated, they'll conduct audits, and they have very stringent requirements for you to pass an audit.
And if you don't pass that audit there are immediate repercussions, and you're given a time period to be brought into compliance. We should be that stringent within our organization. We should conduct audits, make sure policy is followed, but not just technical audits: administrative audits, physical security audits, audits to see if people are following policies in relation to social engineering. Are people giving out misinformation? If they aren't, great, and if they are, hold them accountable. Keep people in compliance. One of the things that I say very frequently: policy is only as good as its enforcement. So if you've got a policy in place, if you're going to the trouble of auditing that policy, have people required to be in compliance, and if they're out of compliance, have repercussions, and those repercussions should be immediate.
Okay, now, other things that we think about: what about our client requirements? Maybe a client has outsourced work to us. Maybe we're an organization that does software development for customers, and those customer requirements are absolutely going to drive how we approach the development and the creation of this application or that application. We've all heard the phrase the customer's always right, and certainly we consider their requirements first, front and foremost, but the customer isn't always right. Sometimes the customer needs to be assisted. Sometimes the customer needs to be educated, so that's our responsibility. The customer may ask us to do something that will not benefit either of us in the long run. So though we take their requirements into consideration, and our top goal is to satisfy our customer, sometimes we have to help that customer figure out what their needs are.
Top level management. Everything flows downhill. We've heard that phrase and many spinoffs on that phrase for a long time. Senior management sets the tone for security within our organization. If senior management's not on board, we're dead in the water. I can't tell you how many times I've heard senior management refer to IT as a necessary evil, or information security as a necessary evil. Well, it's necessary. There's nothing evil about protecting your company's assets, and there is always that give and take, that push and pull. It costs money to secure your resources. It costs effort. It costs usability, ease of use.
But the costs are much less than the potential for loss, and senior management has to understand that. A lot of times, as technical people, we tend to talk in acronyms. We like to talk about the latest threat. And I don't know many senior managers that know Heartbleed, or any of these others, from a hole in the ground. We've got to stop talking in technical terms, and we've got to start talking in terms of assets, vulnerabilities, potential for loss. Senior managers understand liabilities. They understand potential for loss. So if we take these technical ideas and say, look, the bottom line is, if this threat materializes, it's going to cost us $15,000 in man-hours alone, not to mention regeneration of data or potential for data loss, loss of reputation, whatever. Once we start talking with senior management in terms that they understand, they are more likely to be on board with supporting the security function. But certainly all of these elements can affect our risk posture.