Information Security and Privacy Training and Awareness for Business Partners: Their Lack of Knowledge Will Be Your Pain
By Rebecca Herold, Posted 01/09/10
In Part I of this three-part Executive Update series,1I covered why smart business leaders need to provide their personnel with regular training about information security and privacy as well as ongoing awareness communications. In Part II,2 I described 14 mistakes that organizations consistently make that undercut training and awareness programs, which are often detrimental to information security and privacy efforts. I have seen the majority of organizations make a 15th mistake, which I will cover in-depth in this third and final Update. That mistake is not providing information security or privacy training and ongoing awareness to outsourced vendors and business partners.
Business leaders have an obligation to make sure that all information within the organization is adequately protected. You cannot outsource your organization’s responsibility and accountability for appropriately and diligently safeguarding information that you have entrusted to third parties. This means you must make sure that vendors and business partners of all kinds who handle or have access to your company’s critical information assets and personally identifiable information (PII) receive effective information security and privacy training along with ongoing awareness communications.
A SIGNIFICANT AMOUNT OF BUSINESS PROCESSING IS OUTSOURCED
I have talked with many organizations over the past several months, and every one I have asked indicates it outsources some type of business processing that includes PII in some form. The trend for outsourcing business processes is increasing. Studies reinforce this perception that, despite the horrible economy, outsourcing is thriving. Some believe that the “global turmoil would hardly make a dent in the global outsourcing industry”; in fact, it “may even lead to more outsourcing by various firms.”3 That optimism is corroborated by TPI, said to be the world’s largest sourcing firm, which reported that 2008 was a strong year for the outsourcing industry, as both total contract and annualized contract values exceeded overall values for 2007.4
Many organizations are outsourcing very specialized data processing and management activities in an effort to save money, or because they just don’t have the resources, experience, or capabilities to do it themselves. Organizations also often outsource to get specific expertise that they may not possess internally. However, you cannot outsource your organization’s responsibility and accountability for appropriately and diligently safeguarding information that you have entrusted to business partners. Entrusting business partners with confidential data and PII is, in essence, placing all control of security measures for your organi-zation’s data completely into the hands of someone else. That trust cannot be blind. Many recent security incidents have resulted from loose security practices within outsourced third-party organizations with another com-pany’s customer or employee personal information.
When you outsource critical data processing and management activities, how can you stay in charge of your own business and minimize your business risks? How do you know your business partner is complying with your regulatory responsibilities? How can you demonstrate to regulators that you are in compliance when someone else possesses your data? You will need to hold such business partners to strict standards for information security and privacy. In many instances, such standards will be more stringent than your own organi-zation’s security requirements. Those standards should include regular training and ongoing awareness communications, most especially when PII is involved.
MOST OUTSOURCING INVOLVES PII
Personal information plays a key role and is involved within many business processes. PII is stored in an extremely large number of corporate systems and data storage repositories. Because of all the business processes and storage locations, every decision to outsource a business process or business activity may involve access to PII, or the transfer of PII from the organization to a third party, and possibly even subcontracted parties.
Multiple activities should be performed to help ensure third parties are protecting information appropriately.5 Providing information security and privacy training, as well as ongoing awareness communications about these issues, are two of the ways by which organizations can not only help to ensure business partners have effective security practices, but also to demonstrate an appropriate standard of due care practice to regulatory oversight agencies and outside auditors.
TRAINING TOPICS FOR BUSINESS PARTNERS
Do not assume that your business partners provide regular training and ongoing awareness communications. If they say they do, and even have it in the contract, do not assume that the training is good, much less effective. I have done more than 150 reviews of security programs for business partners over the past few years, and I have seen some spectacularly atrocious activities and content trying to be passed off as training. Here are a couple examples:
- One medium-sized company that processed health-care claims had copied the full text of the HIPAA privacy and security rule, pasted the text a section at a time into a slide presentation, and required all their personnel to look at it for their “training.” This is most definitely not training! The likelihood that even a small fraction read through all the slides, let alone remembered anything from them, is probably close to zero.
- One large company, a support organization for man aged services, sent to all personnel an e-mail that had a copy of the information security policies attached. If a “read confirmation” was received, the person was marked as having received training merely because he or she might have looked at the e-mail message. This most definitely is not training! Sending an e-mail and assuming the policies attached will be read, much less understood, should never be viewed as training.
Require third-party personnel to have training for appropriate information security and privacy topics that are related to the activities they perform for your organization before providing them with access to your company’s information. Don’t limit the training just to covering electronic data; if business partners handle storage media, paper documents, or any other type of storage media, make sure it is covered in the training.
Require regularly scheduled training and ongoing awareness communications to occur following the initial training. Your training and awareness communications should not simply be the same as you provide to your own personnel. In fact, if the training your personnel gets includes sensitive information or details about procedures that could be used by business partners to inappropriately access your business assets, then you should definitely not give the same training.
To determine the training to provide to business partners, first answer the following nine questions:
- Where is all our PII? How can you protect PII if you do not know where it is? How can your business partners? You need to know and then provide training for how to protect the PII in all those storage locations.
- Which business partners access PII or obtain copies of it? If your business partners have any kind of access to PII for which your organization is responsible, then you need to make sure the business partner gets effective training and receives ongoing awareness communications for how to protect the PII. Make a list of these business partners so you can make sure they get the training and awareness communications they need.
- What laws apply to protecting PII, not only for your organization, but also within the countries where your business partners and customers are located? If you have business partners in countries other than your own accessing your organization’s PII, then you need to make sure they receive training for the related issues. There are many cross-border issues involved that must be followed, and training will help to ensure compliance with the related requirements.
- What data protection clauses are within the contracts with these companies? If there are specific data protection requirements, such as those related to firewalls, anti-malware protection, making backups, and using encryption, then the business partner should receive training for those topics and the associated required activities.
- How do you know the business partners are complying with the contractual requirements? One of the ways to make sure business partners are complying is to provide training to them for how to meet compliance and observe their participation and knowledge for information security actions that they should know about and be performing.
- What processes are in place to monitor the security of outsourcing business partners? Organizations need to confirm that business partners consistently follow good information security practices. Training helps to ensure security and privacy are addressed appropriately.
- Are any business partners subcontracting processing to other organizations? This very risky practice should be avoided if possible. Too many breaches have occurred as a result of not only subcontracting, but sub-subcontracting many times. If it is not possible to prohibit subcontracting, then your business partners need to know the security requirements for these subcontractors.
- What type of security exists for each of the PII transfers with your business partners? Proper security needs to exist if you are sending PII via physical tapes, DVDs, FTP transfers, Web site applications, e-mail attachments, or some other method.
- Do your business partners have direct access to your customers?If so, you must make sure they are communicating the appropriate types of information to them and that they do not provide any PII until after they have appropriately verified the identities of your customers.
The following are some of the topics for which your various types of business partners should receive training. Incorporate the answers to the previous questions within the appropriate topics:
- Business partner information security and privacy expectations
- Information security and privacy policies that cover the business activities within which the business partners are involved
- Physical security requirements for protecting PII within work areas
- Information security and privacy procedures that business partners must follow
- Applicable laws related to the third-party business activities
- PII transfers for business partners involved in such business activities
- PII storage for business partners with access to such information
- Information security incident response and breach escalation process
- Information security and privacy contractual requirements
- Key contacts for information security and privacy
CALL CENTER PERSONNEL NEED CUSTOMIZED EDUCATION CONTENT
I want to focus on a kind of business partner that is important but severely undertrained. A very large and increasing number of organizations are outsourcing their call center activities. Think about it. A staff member of a typical call center has direct contact with many kinds of individuals — including customers, potential customers, business partners, vendors, regulators, and personnel. Think about all the types of information the call center staff provide to the folks who call them:
- Requests for account information and details
- Questions about the organization’s policies and procedures
- Questions regarding the accounts of family members and even friends
- Complaints regarding services and products
- Employment inquiries
ENTERPRISE RISK MANAGEMENT & GOVERNANCE ADVISORY SERVICE
Many privacy breaches and other bad things have already happened through the mistakes, lack of knowledge, or malicious intent of call center personnel. The large majority of those who work for call centers are responsible and want to do the best job possible, but they cannot if they do not know how to effectively safeguard information. Organizations must provide call center personnel with the knowledge necessary to do their work in the most secure way possible and to maintain the privacy of customer and employee information. Educating all call center personnel significantly helps to reduce the risks of (1) mistakes, (2) actions done because of lack of knowledge, and (3) bad things done with malicious intent.
When you consider the kinds of information to which call center staff have access and the direct contact they have with consumers, customers, and employees, that should be compelling enough to provide to staff members ongoing information security and privacy training as well as ongoing awareness communications, activities, and events.
Here are 16 important topics about which call center personnel, including those to whom you have outsourced this function, need to know and understand:
- Information security and privacy policies
- Web site privacy policies
- Information security and privacy roles and responsibilities
- Information security and privacy in job definitions and performance appraisals
- Applicable laws and regulations for protecting PII
- Security and privacy procedures for customer and consumer communications
- Dealing with an unexpected situation or request related to PII
- Mitigation for customer concerns and complaints
- Securing third-party access to business and customer information
- Information security and privacy incident response
- Physical security for PII
- Computing equipment security
- Identity verification
- Notice to customers for how requested PII will be used
- Sanctions and disciplinary actions
- Key information security and privacy contacts
DO YOU PROVIDE THE TRAINING, OR DO THEY?
This is an important question, but one that is not considered often enough. Go beyond the one bullet-point requirement for training within your business partner contract. Be sure to review the business partner’s information security and privacy awareness materials as well as the communications and training curriculum. You need to see that its personnel receive effective awareness information and training. As mentioned, I have found many vendors that indicated they provided information security and privacy training, but on looking at their materials, I found absolutely horrible content. It is in your best interest to make sure the business partners to whom you entrust business processing and PII access know and understand how to appropriately safeguard your information.
It is often most prudent and demonstrates due diligence to provide training to business partners that have access to your organization’s PII and other business information assets. I have worked with several organizations to create training for them to provide to their business partners. This worked quite well. The organizations then knew the quality and effectiveness of the training, and they demonstrated an exemplary standard of due care. In addition, by providing the training, they also could easily monitor and provide statistics about the training activities to demonstrate that, if the business partner experienced a breach with its information, it had done all it could to make sure that the business partner followed effective safeguards, thus helping to lessen its liabilities for the breach.
1Herold, Rebecca. “How Information Security, Privacy Training, and Awareness Benefit Business.” Cutter Consortium Enterprise Risk Management & Governance Executive Update, Vol. 5, No. 11, 2008.
2 Herold, Rebecca. “Avoiding Common Mistakes in Information Security and Privacy Training and Awareness Programs.” Cutter Consortium Enterprise Risk Management & Governance Executive Update, Vol. 6, No. 3, 2009.
3 “Global Turmoil Will Hardly Make Dent on Global Outsourcing Industry, Says Expert.” BusinessWorld, Vol. XXII, No. 123, 23 January 2009.
4 “Outsourcing Sees Strong Growth in 2008, Exceeding 2007 Values.” PR Newswire, 20 January 2009.
5 See expanded discussions of these many issues in the “Articles” section of my Web site, www.privacyguidance.com.
ABOUT THE AUTHOR
Rebecca Herold, CISSP, CISA, CISM, FLMI, CIPP, is a Senior Consultant with Cutter Consortium’s Enterprise Risk Management & Governance practice and a contributor to that advisory service. She has been an information privacy, security, and compliance consultant, author, and instructor with her own company, Rebecca Herold & Associates, LLC, since mid-2003. Ms. Herold has more than two decades of privacy and information security experience and has provided information security, privacy, and compliance services to organizations in a wide range of industries throughout the world. Her blog was listed among the “Top 50 Internet Security Blogs” by the Daily Netizen; Computerworld named her among the “Best Privacy Advisers” and “Best Privacy Firm” in both 2007 and 2008; and IT Security named her as “Top 59 Influencers in IT Security.”
Ms. Herold is also an Adjunct Professor for the Norwich University Master of Science in Information Assurance program. She is currently working on her 13th book. A few books she has written include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Privacy Management Toolkit, and she cowrote The Practical Guide to HIPAA Privacy and Security Compliance. Ms. Herold has also authored chapters for dozens of books along with close to 200 published articles, including contributions to Cutter Benchmark Review and Cutter IT Journal (as Guest Editor). She creates the Protecting Information newsletter and contributes articles to other publications regularly. Ms. Herold has a BS in math and computer science and an MA in computer science and education. She can be reached at firstname.lastname@example.org.
The Executive Update is a publication of the Enterprise Risk Management & Governance Advisory Service. © 2009 by Cutter Consortium. All rights reserved. Unauthorized reproduction in any form, including photocopying, faxing, image scanning, and downloading electronic copies, is against the law. Reprints make an excellent training tool. For information about reprints and/or back issues of Cutter Consortium publications, call + 1-781-648-8700 or e-mail email@example.com.