Third party risk assessment

If a third party has access to your customer or cardholder data, there is a risk that you could have a breach of confidentiality or availability of your data via that third party. A risk assessment looks at all the third parties you use and works out the risk associated with each one. We:

  1. List all the companies you use to outsource any business activity where they deal with personal data. Many are obvious (such as an outsourced IT provider) but others will include confidential waste disposal, off-site document storage, solicitors, off-site backup providers, contract printers, contact centre services, marketing companies etc.
  2. Work out what type (personal, financial, sensitive) of information you send to these processors, what volume of data they receive each month and how long they retain it. We like to ask, "how much data will the company hold in 12 months' time?"
  3. Do a simple assessment to help you prioritise your work. We break them down into high-, medium- and low-risk categories.
  4. Perform an information security risk assessment of each supplier. The higher the risk, the more detailed the assessment needs to be. We rate each supplier on the likelihood of there being a breach of confidentiality, integrity or availability of the data. We also assess the risk of data loss in transit to and from the Data Processor.
  5. If they are handling cardholder data on your behalf, verify that the arrangement complies with the PCI DSS requirements and assess their most recent self-assessment questionnaire (SAQ) or Report on Compliance (ROC).
  6. Review each risk assessment and formally decide whether:
    • You are comfortable continuing to work with the Data Processor
    • You want to insist that they make some improvements to their information security (and set a timetable)
    • You want to find a different provider
  7. Check you have a written, signed and in-date contract with each processor that fulfils the requirements of the DPA and whether the processing is compliant with your DPA policy.
  8. Agree when the Data Processor will be re-assessed (at a minimum this should be annually).
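Steps 2 to 8 above amount to a small register-and-scoring exercise, so here is an added worked example (written for this page, not a tool or method of the firm that published it) that keeps a supplier register, answers the "how much data in 12 months' time" question from monthly volume and retention period, tiers each processor as high, medium or low, and lists the follow-up actions from steps 5, 7 and 8. The data-type weights, volume thresholds and the four suppliers are constructed illustrations, not figures from the page.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed weighting of the data categories named in step 2 (illustrative, not from the page).
DATA_TYPE_WEIGHT = {"personal": 1, "financial": 2, "sensitive": 3}

# Assumed thresholds on the projected 12-month holding (illustrative).
VOLUME_BANDS = [(100_000, 2), (10_000, 1)]   # (records held at 12 months, score added)
CARDHOLDER_BONUS = 2                           # PCI scope always raises the tier
REASSESS_INTERVAL = timedelta(days=365)        # step 8: at minimum annually


@dataclass
class Supplier:
    name: str
    service: str
    data_types: List[str]
    monthly_records: int          # records sent to the processor each month
    retention_months: int         # how long the processor keeps each month's data
    handles_cardholder_data: bool = False
    contract_signed: bool = False
    contract_expiry: Optional[date] = None
    last_assessed: Optional[date] = None


def projected_records(s: Supplier, horizon_months: int = 12) -> int:
    """Records the processor will hold at the horizon: each month's batch stays for
    retention_months, so at month 12 they hold min(horizon, retention) months' worth."""
    return s.monthly_records * min(horizon_months, s.retention_months)


def risk_tier(s: Supplier) -> str:
    """Step 3: a simple prioritisation score from data sensitivity, volume and PCI scope."""
    score = max(DATA_TYPE_WEIGHT[t] for t in s.data_types)
    held = projected_records(s)
    for threshold, bonus in VOLUME_BANDS:
        if held >= threshold:
            score += bonus
            break
    if s.handles_cardholder_data:
        score += CARDHOLDER_BONUS
    if score >= 5:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def review_actions(s: Supplier, today: date) -> List[str]:
    """Steps 5, 7 and 8: the checks that must be closed before the supplier is signed off."""
    actions: List[str] = []
    if s.handles_cardholder_data:
        actions.append("verify PCI DSS compliance (latest SAQ or ROC)")
    if not s.contract_signed or s.contract_expiry is None or s.contract_expiry < today:
        actions.append("no signed, in-date DPA-compliant contract")
    if s.last_assessed is None or today - s.last_assessed > REASSESS_INTERVAL:
        actions.append("re-assessment overdue")
    return actions


def run_assessment(register: List[Supplier], today: date) -> Dict[str, Tuple[str, List[str]]]:
    """Return name -> (tier, outstanding actions) for every supplier in the register."""
    return {s.name: (risk_tier(s), review_actions(s, today)) for s in register}


# Constructed sample register covering the kinds of processors listed in step 1.
TODAY = date(2024, 6, 1)
REGISTER = [
    Supplier("IT provider", "outsourced IT", ["personal", "financial"], 20_000, 24,
             contract_signed=True, contract_expiry=date(2025, 12, 31),
             last_assessed=TODAY - timedelta(days=100)),
    Supplier("Waste disposal", "confidential shredding", ["personal"], 500, 0,
             contract_signed=False),
    Supplier("Contact centre", "inbound payments line", ["personal", "financial"], 5_000, 6,
             handles_cardholder_data=True, contract_signed=True,
             contract_expiry=date(2024, 3, 31), last_assessed=TODAY - timedelta(days=400)),
    Supplier("Backup provider", "off-site backup", ["sensitive"], 50_000, 36,
             contract_signed=True, contract_expiry=date(2026, 1, 1),
             last_assessed=TODAY - timedelta(days=30)),
]

if __name__ == "__main__":
    for name, (tier, actions) in sorted(run_assessment(REGISTER, TODAY).items(),
                                        key=lambda kv: ["high", "medium", "low"].index(kv[1][0])):
        print(f"{tier:6} {name:16} actions: {actions or 'none'}")
```

Ordering the output by tier gives the prioritised worklist from step 3; the actions column is the decision record for step 6, and an empty list means the supplier can be signed off until its next annual review.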