{"id":2161,"date":"2014-05-05T00:00:00","date_gmt":"2014-05-05T00:00:00","guid":{"rendered":"https:\/\/www.clockwork.com\/?p=2161"},"modified":"2026-03-13T19:21:13","modified_gmt":"2026-03-13T19:21:13","slug":"assessing-a-companys-commitment-to-security","status":"publish","type":"post","link":"https:\/\/www.clockwork.com\/insights\/assessing-a-companys-commitment-to-security\/","title":{"rendered":"Assessing a Company\u2019s Commitment to Security"},"content":{"rendered":"\n

Security matters<\/h3>\n\n\n\n

If you\u2019re reading this close to its publication date, security breaches and vulnerabilities are everywhere in the news. From Heartbleed to the massive Target credit card breach, digital security has never been more important to the average person.<\/p>\n\n\n\n

Nancy, our CEO, recently wrote about how you must take responsibility for protection of your personal data, but what about data in the workplace? Choosing the partners you entrust with your company\u2019s and your customers\u2019 data is vitally important nowadays.<\/p>\n\n\n\n

When to talk about security<\/h3>\n\n\n\n

In short\u2014right away<\/em>. Assessing a prospective partner or vendor\u2019s security posture is critical to determining the long-term risk in working with them. Therefore, due diligence on a company\u2019s security practices is necessary upfront, before engaging a new partner.<\/p>\n\n\n\n

But how do you know that a partner takes security seriously (and walks the walk)?<\/p>\n\n\n\n

Basics<\/h3>\n\n\n\n

There are a few basic questions that any technology partner should be able to answer without \u201cgetting back to you about that.\u201d<\/p>\n\n\n\n

  1. Who is responsible for information security at your company?<\/strong>
    A ready answer here means a company has formally assigned this responsibility to an accountable individual, a crucial first step in ensuring a consistent security practice. Do not <\/em>accept \u201ceveryone at our company is responsible\u201d as an answer.<\/li>
  2. Do you have an information security policy?
    <\/strong>A \u201cyes\u201d here means that a company values writing down rules for fostering and maintaining secure business practices, a very good sign. Ask to see the policy if you like, but know that many companies restrict sharing of internal policies and procedures without an NDA.<\/li>
  3. When was the last time you received security training?
    <\/strong>Most policy frameworks recommend a minimum of annual security training. A lack of regular training may mean security policies exist, but are not known or followed.<\/li><\/ol>\n\n\n\n

    Operations<\/h3>\n\n\n\n

    How a company performs its daily operations has a huge impact on their overall security. These items will help you understand how securely a company operates day-to-day, not just at their datacenter:<\/p>\n\n\n\n

    1. How do you dispose of paper documents? Computers?
      <\/strong>Look for on-site shredding or secure document storage containers for a shredding service. Dealing with paper (even in the digital age) is important, since an attacker can learn lots of information to prepare an attack from discarded documents\u2014sensitive or not. For hardware, the best practice is to physically destroy<\/em> any media capable of containing sensitive data so that it is rendered unreadable.<\/li>
    2. How should I send you sensitive information?
      <\/strong>The wrong answer is \u201ce-mail just me\u201d because e-mail is not a secure channel. Better answers include: