David Geer recently spoke with Jose Granado, CISSP-certified and a Principal and Service Delivery Leader at the Security and Technologies Solutions Practice for Ernst & Young. Mr. Granado will be addressing findings on third-party data sharing risks from a 2006 Ernst & Young survey, "Achieving Success in a Globalized World: Is Your Way Secure?", which tallied the views of 1,200 senior information security professionals from 48 countries. Following is an edited transcript of that conversation.

You may listen to the original interview here, or visit our Podcast Center for more audio interviews.

---

David Geer: The survey found that over half of organizations are failing to manage the risks of sharing data with third parties. What kinds of third party data sharing risks are we talking about?



Jose Granado: There are numerous risks that are associated with third party data sharing. Take, for example, the scenario where you have an employer, an employee, and then a third party, say, managing your medical benefits, 401K or perhaps your corporate travel program via the web. A poorly constructed website or web application from a security perspective could allow an individual access to backend database containing employee personal identifiable information, or PII, as we say in the industry. Obviously, this could have grave consequences with regard to your specific perception in the corporate world as far as protecting data. Or, the scenario that we've seen recently in the news involving stored data in stolen laptops or lost backup tapes by third parties, which contain customer information is very grave as well. And then there's always the insider threat risk. Just like many organizations, whether it's a third party organization or a typical company, there's always a potential for employee misuse of data and authorized access of data. So, the risks of unauthorized access, unauthorized disclosure, and potential misuse of data really exists in a variety of formats and scenarios.



Geer: With particular reference to the results (i.e., that over half of organizations fail to manage these risks), what about that specific data result surprised you?



Granado: It is somewhat surprising because it's intuitive to me that you would want to manage the risk of your vendors. Any time a vendor is connecting to your company, to your enterprise, they are an extension of you. But from the practical side of things, and from the business side of things, the results are not surprising. Typically, vendor risk management is handled in a piecemeal approach, if at all. And larger organizations are driven at the business unit level where business unit IT teams or IT security teams are enabling data sharing and connectivity with vendors. And so you have one BU hooking up with a vendor for a specific business need and perhaps you have another BU hooking up with a separate vendor in a different fashion, and those vendors are managed differently. This is an issue that really needs to be addressed holistically, but oftentimes it's difficult to find someone within

• Email
• Print
• Share
  • Slashdot
  • Digg
  • Stumble
  • Reddit
  • Newsvine