Cybertrust launched a new program on Sept. 26 that aims to help companies improve their network and applications security by further testing the electronic systems they share with business partners.
Labeled Cybertrust's Partner Security Program, the array of software and services provided via the offering is being touted by the vendor as a comprehensive way of policing security policies and potential security weaknesses among companies doing business together online or via shared networks.
While many companies have employed pricey consultants to help determine risk on shared infrastructure in the past, Cybertrust claims it has launched the first package of applications and services built specifically to address partner security issues. As more organizations adopt the so-called extended enterprise model and create new avenues for sharing information, such as online transactional systems and Web services applications, the demand for such tools is only going to grow, Cybertrust officials predict.
According to a recent user study conducted by Cybertrust, based in Herndon, Va., roughly 75 percent of the customers it polled indicated a belief that business partners are increasing their information security risk. Roughly 30 percent of respondents reported that their organizations had suffered a security incident in the previous 12 months that involved a business partner's operations.
Among the primary benefits proposed by the program is the ability for customers to create a standardized way to test partners' security that can be used with all of a company's various business partners. Most companies use a patchwork system of checks to determine where security risks lie between companies, which often leads to overlooked details, said Jennifer Mack, director of product development at Cybertrust. In particular, the program will help companies keep tabs on all of their regulatory compliance efforts, she said.
"This is a compliance management service that helps customers better understand their partners and how they affect the security of shared IT systems; it shows them how to make risk-based decisions more intelligently," Mack said. "Doing this right involves more than just asking questions. There's also a lot of follow-up and security remediation involved."
Included in the types of information processed by the service are reports from real-time security audits, Mack said, which will allow users of the system to address any security compliance issues among partners more quickly. Having the ability to close potential loopholes as they appear, rather than via periodical testing, could be a substantial leap forward for many companies, Cybertrust contends.
One company already working with the applications and services being rolled into the Partner Security Program is Fiserv, whose electronic data systems process transactions and other sensitive information for over 17,000 banks, insurance companies and financial services companies. Bob Wilcox, chief information security officer at Fiserv, which is based in Brookfield, Wis., said Cybertrust's tools allowed his firm to create security policies to be enforced across the company's business units and external customers.
Fiserv has been using the technologies and services packaged in the Partner Security Program for roughly one year.
"The biggest security challenge we face is making the awareness of all the different threats out there understood across all our operations. We need to make sure all the business units are on the same page in terms of patching or updating systems, which has been tough to do in years past," Wilcox said. "Now we have an internal standard established that all these autonomous, distributed operations and IT staffs must adhere to, and we can test against that, which really increases our ability to identify and eliminate problems."
Since many of the firm's business units and customers are governed by data handling regulations such as the Sarbanes-Oxley Act, the package also improved Fiserv's ability to ensure and document compliance with those types of guidelines, the CISO said.
"Everyone is aware of the regulations, but we've effectively taken any interpretation out of our related policies and built that into our own standards," Wilcox said. "We were able to change some of the wording to ensure people knew what they were required to do. I think that's a great model for creating more consistent security enforcement looking forward."