As a general rule of thumb, it costs 40 times as much to fix the security of a project after the fact as it would have cost to build security in at the front of the project.

You should always design your applications and solutions with security in mind. Call the Information Security team in your IT department for help identifying and prioritizing security risks. They should also be able to help you develop the business requirements and technical controls necessary to ensure that your confidential data is properly secured. Contact them as early in the design cycle as possible, preferably during the business case stage of the initiative. They can help make sure that all the hidden costs and implications have been identified.

If you’re planning to buy a service from a third party where the vendor or service provider will have access to any company data, especially confidential customer data, or will have access to any system or accounts which could be used to get access to our data, the vendor’s security practices should be evaluated against your company’s security standards. Many companies use an Application Service Provider (ASP) Questionnaire to evaluate the vendor’s security practices. Again, contact your IT department for help with understanding the vendor’s practices. Do not assume that their practices live up to your standards without checking on them.
