industry unlocked
Alternatively, if they outsource such activities or obtain a platform-based solution from an external vendor, then they must conduct a security due diligence exercise annually.
The risk of security breaches exists in every organisation. A vendor that can adequately provide assurance that it treats security as an important business objective in its own right is usually the one that will be able to avoid such embarrassing and costly incidents.
Retail organisations should also consider including security metrics in their own business reviews. These could include the number of vulnerabilities discovered and resolved in the software applications that are actively in use, and the number of incidents or events that surfaced in a given period. They can also include whether an active bug bounty program has been implemented
and, if so, how many bugs were reported and resolved within a given period. The review should also cover the risk assessment of the data being stored, whether detailed risk mitigation and business continuity plans exist, and whether those plans have been tested.
Retail organisations should also consider including clauses and penalties related to data protection and data privacy in their vendor agreements. This ensures that a vendor becomes legally bound to provide adequate security measures as part of its promised security deliverables.
The retail industry as a whole has been adopting practices that treat security as an important business objective, and it is quite likely that those who take security seriously are the ones that will ultimately prevail in the market.
Security and privacy consciousness among the general population has been improving rapidly in the post-EU GDPR world.
This industry stands to upset the very audience it targets if security is not treated the way it should be.
Issue 16 | www.intelligentciso.com