Electronic news service of the Ministry of Communications and Information Technologies
Supplier security audits on rise, but questions over cloud ignored
More organisations than ever are conducting IT audits of suppliers and potential business partners to ensure they comply with minimum security standards, particularly ISO 27001 – the international computer security standard.
Even companies such as Hewlett-Packard have to respond to security audits in order to win business, says Dr Rhodri Davies, security and service operations architect at HP.
"I see it quite regularly from HP's customers, auditing us against our services," said Davies.
According to Davies, the number of security audit requests has increased during the past eight or nine years as companies conduct more business electronically with suppliers and other business partners, while fears over computer security have also increased in that time.
"I don't have any hard numbers, so it's really a matter of perception. The first one I was involved in would have been about eight or nine years ago. But it has increased over that period," said Davies.
However, he warns that many of the questions – which are normally based on ISO 27001 – ignore the rise of cloud computing and the consequent inter-connectedness that cloud computing has introduced.
ISO 27001 is based on BS7799, the British standard for computer security that was originally devised in 1995 – incidentally, the year Amazon was founded – when many companies did not even have websites.
HP is not the only company to report an increase in partner security auditing. Vineet Jain, CEO of cloud storage service provider Egnyte, says the company has had several clients that have conducted security audits before signing up in order to ensure the company's security is as good as it says it is.
"When we signed up Lincoln Financial Group in the US they actually flew in their IT director to come and take a look at our data centre to see what kind of security we have.
"That was the first time I'd experienced that, but there have been others where they run their own security audits - they will try SQL script injections or denial of service attacks," says Jain.
"It often depends on the class of the company and, typically, their size," he adds.
Since the 1980s, major companies, particularly those with valuable intellectual property, have increasingly conducted security audits of partners and potential partners to make sure that their physical and computer security reaches a particular standard.
This due diligence typically includes site visits, as well as checks to ensure that partners' firewalls, anti-virus defences and other facets of security infrastructure are secure.
When plane-maker Airbus was designing its A380 'super jumbo', it needed to co-ordinate a supplier base of thousands located across the world, and established an audit team and methodology to rate suppliers, regardless of whether they were based in Europe or elsewhere in the world, including China, India and Seattle - home of Airbus's great rival Boeing.
However, even for seasoned security professionals such as Davies, it is never easy to be on the receiving end of such an audit.
"It's certainly not an easy experience. I've been through a lot of them and I know what the questions are going to be, and I'm ready with the answers. But I still come out of them like I've been through the wringer. It's not just a paper exercise in most cases," said Davies.
11/05/12