InfoSecurity Infrastructure Inc.’s newly introduced scripted compliance audit process enables United States corporations, non-profit organizations, and government agencies to require that their third-party business partners demonstrate that their information systems are both secure and private. The process, called a Duties Audit™, assesses the “tone at the top” of a third-party corporation. More specifically, it produces an independent attorney’s professional opinion stating whether the directors and officers of the third-party business partner are, in all material respects, in compliance with their information security and privacy legal duties.
Cutting through the considerable complexity of the information security and privacy field, the process can be completed in a few weeks, at a reasonable price, according to a rigorous scripted procedure, and can be delegated to an independent attorney. The result is a one-page professional opinion that is delivered to the directors and officers. The opinion states whether or not they are “fully compliant”; where they are not, a separate management letter – providing specific recommendations for coming into compliance – is also delivered. The information examined by the independent attorney performing the Duties Audit is covered by strong legal protections, such as the attorney-client privilege and the attorney work product doctrine, which allow the attorney to obtain a candid and accurate assessment of the “tone at the top” set by the directors and officers. This “tone at the top” (the prevailing ethical climate) sets an example for employees and shapes the corporate culture. It matters because it flows down through the entire third-party firm, and third-party failures are common: according to a 2018 study by Opus and the Ponemon Institute, 61% of surveyed U.S. companies reported a data breach caused by a third-party vendor, up five percentage points from the prior year.
All that a customer firm sees is the professional opinion, and only if the audited firm chooses to disclose it. The Duties Audit process can be performed entirely internally, with the results used quietly to raise the level of internal information security and privacy activities. Alternatively, the professional opinion can be shared confidentially with selected business partners, or it can be released publicly. The last option is particularly powerful because it communicates to existing and prospective customers, as well as to investors, creditors, regulators, and the public, that the firm is well managed, that it is a good corporate citizen, and that it has taken diligent steps to ensure compliance with all relevant legal requirements. This can be especially valuable for marketing, public relations, and competitive advantage. Trust in corporate America is a significant issue today. For example, according to a 2001 Harris Interactive survey, 91% of respondents said that if a firm’s privacy practices were verified by a third party, they would do more business with that firm.
The Duties Audit process is a stronger mechanism for assessing third-party risk than the existing approaches, such as reviewing a third-party firm’s security policies or requiring the firm to complete a questionnaire. Existing legal mechanisms share the same weakness. The Privacy Rule under the Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to obtain “satisfactory assurances” from their business associates. Likewise, Sarbanes-Oxley Act (SOX) § 404 requires management to assess and report on the adequacy of the firm’s internal controls. All of these mechanisms are weak and suspect because the results originate with management at the third-party firm, a group that has reason to paint an unduly rosy picture. Unlike these approaches, the Duties Audit method provides a legal opinion from an independent attorney auditor who has actually performed a compliance audit and who has no motive to shade the truth. Furthermore, because the opinion is produced by a rigorous scripted process, it is replicable and therefore meaningful, allowing comparisons from firm to firm and from year to year.