If you listen very carefully, the age of information security as we know it ended recently, not with a bang, but with a whimper. While that may be something of an overstatement, a recent event put us on the track to that very end.
Consider the “old way”: your company decides to engage a vendor to provide services or products, and in doing so the vendor will have possession of, host, access, or otherwise use your sensitive data, or will interact with your production systems. In those cases, a prudent company would do three things to address information security. First, it would conduct due diligence on the vendor’s security practices, including past security incidents, compliance with recognized security standards, a review of the vendor’s security policies, and so on. Second, it would include specific, strong protections in its contract with the vendor addressing the vendor’s security obligations, including service level obligations to ensure the availability of critical data. Finally, after the contract is executed, a prudent company would conduct audits and inspections to ensure the security requirements in the agreement are actually being followed.