Whenever organizations bring external partners into their business processes, it raises security questions. How will those partners impact your company’s governance, risk and compliance policies?
It’s one thing to let a business partner or consultant deliver a core piece of your workflow: your customers will hold you accountable for the result regardless of who does the work. It is another matter when one or more of your workflows outsources access to sensitive data (billing or tech support, for example). Then your customers have every right to ask who can see their private information at each step of your business process.
Providing a satisfactory answer to those concerns requires you to scrutinize how your organization is sharing information, how it is secured and how access and usage are monitored.
The Many Downsides of Non-Compliance and Data Leaks
While regulations vary by industry, the data involved in business processes and workflows may be subject to strict requirements for access control, distribution and storage. What’s more, a data leak can result in significant costs to remediate, fines for non-compliance, loss of trust with your customers or business partners and the potential for long-term damage to your brand.
I recently led a roundtable discussion with more than 20 CIOs spanning a broad range of industry segments. I asked how risk and compliance factors affect their decisions when allowing external partners to view or handle sensitive data. Their answers were somewhat surprising.
Balancing Risk and Compliance in CIO Decision-Making
The consensus was that it is nearly impossible to be 100 percent in compliance, 100 percent of the time. Several participants stressed that, in their industries, many of the regulations were so vague that determining whether or not they were compliant with those regulations often came down to a judgment call on the part of their internal governance teams or external auditors.
Even more telling was the fact that everyone agreed their organizations’ dedicated risk and compliance functions needed to adopt a more risk-oriented view of the task at hand. They felt that the old mantra of unswerving compliance was not only unrealistic but too disruptive to workflows.
Maintaining Control Through Access and Permissions
Now, there’s no doubt that by opening business processes to external partners, your organization will lose some degree of control. On the personnel side, for instance, your ability to conduct background checks and require cybersecurity training is limited when there is no direct employment relationship. From a systems perspective, you may not be able to install endpoint agents on a consultant’s or contractor’s devices, or monitor the network they use.
Depending on the type of data you need to share and the risk tolerance of your organization, your auditors or internal compliance team will want to understand exactly what is being shared, as well as what controls are in place to ensure that only authorized users can access and distribute the data.
Minimizing the Damage from Data Leaks
Accordingly, you will need to show precisely who has access to what data and what level of access they have been granted. For example, are they restricted simply to viewing a document or can they download it and invite others to view or download it as well?
In the case of unauthorized access such as a data leak or network security breach, your forensics team will want to determine the root cause, not only to execute the incident response plan but to contain the leak and prevent similar disclosures in the future. That is only possible if the access records were being kept before the incident, not reconstructed after it.
Securing External Workflows
So, what can organizations do that addresses key compliance requirements, while still enabling their employees and external partners to share content efficiently and productively?
By focusing on a few key elements in your organization’s approach to sharing content, you can secure these external workflows and allow your organization to consistently demonstrate a high level of governance over its data sharing activities.
Since many compliance requirements are in place to protect sensitive data, security and compliance are inherently linked. That means that for organizations to demonstrate compliance — particularly as sensitive information is crossing enterprise borders — they must first be able to show that their existing enterprise security infrastructure covers data being shared externally.
Documenting External Access
Only then can an organization move to the point where the requisite levels of control and logging are being enforced, so that all external access is fully documented. There are two important factors to consider:
1. Core security elements
Can you deploy systems that store or share your content on-premises or on a private cloud that gives you full control over the content in those systems? For example, a multi-tenant solution in which the provider holds the encryption keys means the provider (and anyone who compromises or compels it) can read your content, so your ability to restrict access to sensitive material is only as strong as the provider’s own controls. Customer-managed keys narrow that exposure.
In addition, can the file sharing solution you use integrate with the tools already protecting your systems of record, such as data loss prevention (DLP) software, multi-factor authentication and your identity provider? If it cannot, the controls your auditors have already accepted stop at the boundary of the sharing platform.
2. A trusted, detailed log of all activity
The first step toward governance is the ability to track and report file use: who accesses a file, when it is accessed, what is done with it (viewed, downloaded, printed, shared, etc.), whether the attempt was allowed, and the IP address and device from which it was made. For the log to be trusted, it must be append-only and kept where the sharing platform’s own administrators cannot quietly alter or delete entries. Such a record of file activity not only provides a trail of touchpoints for auditors or investigators if a file is compromised, but also gives CIOs and CISOs valuable governance insight into how their organization interacts with data.
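The two points above, enforcing per-user access levels (view, download, share) and keeping a trustworthy record of every attempt, fit together naturally. The following is an added example, not code from the original article or from any particular product, of how a sharing service might implement both: a grant table that orders the three levels, an access function that logs allowed and denied attempts alike, an audit log in which each entry’s HMAC covers the previous entry so insertion, deletion or edits in the middle are detectable, and a report of what external (non-company) identities actually did. The demo key, the file and user names, and the events in `demo()` are all constructed for illustration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Permission levels, least to most privileged. A user granted a level may
# perform that action and every action below it (view < download < share).
LEVELS = {"view": 1, "download": 2, "share": 3}

# Constructed demo key for the MAC chain. Assumption: in a real deployment the
# key lives with the logging service (or an HSM), so a compromised application
# tier or a platform administrator cannot recompute the chain after editing it.
DEMO_LOG_KEY = b"constructed-demo-key-do-not-reuse"
GENESIS = "0" * 64


class AuditLog:
    """Append-only log where each entry's MAC also covers the previous entry's MAC."""

    def __init__(self, key=DEMO_LOG_KEY):
        self.key = key
        self.entries = []

    def _mac(self, prev, record):
        body = json.dumps(record, sort_keys=True, separators=(",", ":"))
        return hmac.new(self.key, (prev + body).encode(), hashlib.sha256).hexdigest()

    def append(self, actor, file_id, action, ip, device, allowed, ts=None):
        ts = ts or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        record = {"ts": ts, "actor": actor, "file": file_id, "action": action,
                  "ip": ip, "device": device, "allowed": allowed}
        self.entries.append({**record, "prev": prev, "mac": self._mac(prev, record)})

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, index of first bad entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            record = {k: v for k, v in e.items() if k not in ("prev", "mac")}
            if e["prev"] != prev or not hmac.compare_digest(e["mac"], self._mac(prev, record)):
                return False, i
            prev = e["mac"]
        return True, None


def authorize(grants, actor, file_id, action):
    """grants maps (actor, file_id) -> highest level granted, e.g. 'view'."""
    if action not in LEVELS:
        raise ValueError("unknown action: %r" % action)
    granted = grants.get((actor, file_id))
    return granted is not None and LEVELS[action] <= LEVELS[granted]


def access(grants, log, actor, file_id, action, ip, device, ts=None):
    """Enforce the grant and record the attempt either way: denied attempts are
    exactly what an investigator wants to see after a leak."""
    allowed = authorize(grants, actor, file_id, action)
    log.append(actor, file_id, action, ip, device, allowed, ts)
    return allowed


def external_activity(log, org_domain):
    """Summarise what external (non-org) identities did, per actor and action."""
    summary = {}
    for e in log.entries:
        if e["actor"].lower().endswith("@" + org_domain.lower()):
            continue
        per_actor = summary.setdefault(e["actor"], {"allowed": {}, "denied": 0})
        if e["allowed"]:
            per_actor["allowed"][e["action"]] = per_actor["allowed"].get(e["action"], 0) + 1
        else:
            per_actor["denied"] += 1
    return summary


def demo():
    """Constructed scenario: a contractor holds view-only access to a billing export."""
    grants = {
        ("alice@example.com", "billing-q3.xlsx"): "share",
        ("bob@contractor.test", "billing-q3.xlsx"): "view",
    }
    log = AuditLog()
    f = "billing-q3.xlsx"
    access(grants, log, "alice@example.com", f, "share", "10.0.0.5", "laptop-a1", "2024-01-10T09:00:00Z")
    access(grants, log, "bob@contractor.test", f, "view", "203.0.113.7", "unmanaged-pc", "2024-01-10T09:05:00Z")
    access(grants, log, "bob@contractor.test", f, "download", "203.0.113.7", "unmanaged-pc", "2024-01-10T09:06:00Z")
    return grants, log


if __name__ == "__main__":
    _, log = demo()
    print("chain intact:", log.verify())
    print("external activity:", external_activity(log, "example.com"))
```

Two caveats worth noting. A hash chain detects edits, insertions and deletions in the middle of the log, but not truncation of the newest entries; pair it with periodic anchoring (shipping the latest MAC to a separate system, or a write-once store) to cover that case. And the chain is only as trustworthy as the key: if the same people who can edit log rows can also read the key, they can rewrite history consistently, which is the reason the key belongs with a separate logging service rather than in the application.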
‘Trust but Verify’ Your External Partners’ Data Security
The reality is that organizations today must involve external partners in their workflows to increase their efficiencies and deliver a better customer experience. As a result, they must extend a certain amount of trust to these external partners that they will handle sensitive data responsibly.
But as any controller or auditor will tell you, you need to ‘trust, but verify.’ To do that, organizations should put in place solutions, systems and processes that provide governance over sensitive data at the appropriate level for a given process, as determined by both regulations and risk analysis.
Putting your core security elements in place and keeping detailed logs of all activity will position your organization to demonstrate compliance throughout your external business processes.