Thursday, November 22, 2012

When outsourcing IT, know where PCI compliance obligations end ...


You've seen it before: that line in the contract that says the service provider has you covered on PCI compliance.


As businesses accumulate more data, many are turning to outsourcing to help them scale out their IT infrastructure as their companies - and clienteles - grow. In the process, they're finding outsourcing not only takes care of day-to-day infrastructure; it also helps with compliance.


In fact, 30 percent of IT leaders told a recent Savvis survey that the need to mitigate compliance risk is compelling them to boost the amount of infrastructure they outsource.


It's important for businesses to remember that while IT outsourcing takes some compliance pressure off IT organizations, it doesn't necessarily absolve the business of all risk. That's especially true when it comes to the all-important Payment Card Industry standards for data security.


Too often, businesses assume it's enough that the contract states the service provider's responsibility for ensuring it is PCI compliant. But that's not always the case.


Imagine a worst-case scenario where a hacker locates an insecure application, exploits it and reveals your customers' card data to the world. The fines and customer losses spread from your business to the banks, merchants and payment processors that do business with you.


These partners have their reputations on the line too. And they want assurance that goes beyond a contract - often in the form of a Report on Compliance document that spells out the roles and responsibilities of the service provider.


This means it's not always enough to rely on a contract for PCI compliance. While reputable service providers can help you navigate the complexities of these standards, you must also assess the areas you're not outsourcing.


Here are three ways to start reviewing your operations from a compliance perspective:


Evaluate the flow of critical information. Diagram your flow of data and business processes, and make a list of any data handoffs between vendors and applications. Consider completing a RASIC chart that identifies the people and roles involved in the process.


Define all system and access components. Spell out your network connections, hardware, applications and storage systems and identify the responsibility owners of these areas, as well as the access levels required. Remember: It's not just about who does what, but who can do what.


Update your contract. Go back to your service provider contracts and cross-reference the provisions with what you're actually doing. Work with your service provider to define clear-cut compliance roles and responsibilities.


When it comes to compliance, the devil is always in the details. Get a detailed look at how to guard against potential PCI compliance risks by listening to a webinar I recently participated in. It offers a model for building a successful security and compliance framework when outsourcing.


Walt Strubbe is a managed service principal for Savvis, a CenturyLink company.

Source: http://blog.savvis.com/2012/11/when-outsourcing-it-know-your-pci-compliance-responsibilities.html
