October 2nd, 2002, 11:22 PM
peer opinion needed
I have been battling all day about corporate policies at my company and would really like some other opinions to make sure I'm not being too hard-nosed about this. We have an existing client that has asked us to send them a copy of our corporate policies, policies that I went over with their audit team a few months ago when they were in our office. Anyway, nobody at my office thinks that corporate policies contain sensitive data that should be kept internal, so we should send the client the documents they ask for. I have never passed out that information before at any company, for any client, but I'm wondering if I should not fight this battle. What do other people do in this situation? Do you simply give the client the policies? Do you create custom policies pertaining only to that client? These people are driving me crazy about this.
TIA for any feedback.
just making some minor adjustments to your system....
October 2nd, 2002, 11:56 PM
That's a tough one. However, I think that Security Management at my company would probably fight at least a little. It may depend on how important this client's business is to your company. One idea is to give them a copy...go ahead and do it, but make sure that there is some sort of line/comment that advises that the policy is subject to change without notification, or something along those lines...if you know what I mean...that way you cover yourself for any modifications. Then again, if you already have a policy in place (you're ahead of the game on that, as many companies don't even have this), you may already have a clause of this nature...just an idea > hope this helps your brainstorm.
Opinions are like holes - everybody's got 'em.
October 3rd, 2002, 12:03 AM
Personally, I would be a little reluctant to hand out corporate policies, but on the other hand, how can an accurate audit be done without them? What a dilemma!!
I believe that the company should have asked to view your policies on site; I would have many issues with that. But I would be reluctant to provide any company with hard or soft copies of policies.
There were so many fewer questions when the stars were still just the holes to heaven - JJ. I sure could use a vacation from this bull$hit, three ringed circus side show of freaks. - Tool.
October 3rd, 2002, 12:09 AM
This is a topic that hits very close to home for me right now. Where I work we recently had someone send one of our clients soft copies of our policies and business plan, which should be off-limits to anyone external to our company. Based on the data in the documents the client decided to take their business elsewhere.
It is my opinion that policies and corporate culture are internal to a company, and any other company that asks for access to information regarding those things is exercising poor taste. I would think really hard before handing over that information.
October 3rd, 2002, 12:18 AM
As t2k2 mentioned, I fear that the decision will come down from above depending on this client's importance. What is irritating is that I showed the client's audit team hard copies of our policies to show that they existed (which I have done elsewhere, but NEVER gave out hard or soft copies, EVER). I even told them then that we do not hand out our policies to clients, but they are always here for their review if they wish. They obviously decided to attempt going around me and get what they wanted. I can't for the life of me figure out WHY they would want a copy for themselves. I have actually never had a client ask for a copy, only whether we had them and whether they could see them if they wanted.
just making some minor adjustments to your system....
October 3rd, 2002, 01:03 AM
> I can't for the life of me figure out WHY they would want a copy for themselves.
Not knowing why is the best reason I can think of NOT to give it to them. If the powers that be insist the client must have a copy, make sure it's down for the record that you're opposed to it. Just because a problem isn't seen doesn't mean there isn't one, as I'm sure you know.
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
October 3rd, 2002, 01:12 AM
I'd have to agree with Tedob on this one. Why in the heck would they want a copy of your corporate policies?
It is true you are there to serve your client but what purpose does your corporate policies serve them? It makes no sense. I would say unless they have a very good reason for wanting them, don't give them the policies.
I wonder if they would give you copies of their corporate policies?
October 3rd, 2002, 01:21 AM
This topic is a very sensitive subject for anyone who works in the security area (including myself). You and other members of your company have busted your rears to develop, draft, test, approve, and implement corporate security policies. Keep in mind that policies are different from procedures.
Now, if I were in zaggy's shoes...there would be several questions I would want answered before I even handed them an electronic copy of the policies. (1) Get your legal team involved. Does this present a risk to the company itself? If legal says it's okay, have legal sign an agreement to that effect. (2) Have your client provide written documentation expressly stating why they wish to obtain a copy of your policies. This way, you have written proof of why they need a copy in the first place.
The company I work for asks for copies of a vendor's security policies, as well as documentation of the last time a disaster recovery test was performed. This is part of an overall due diligence review for my company. Before we store any materials and information at a vendor, we want proof that they have adhered to industry best practices.
Just my .02 worth. Security policy development and security compliance with corporate policy are two of my main job responsibilities...
"No matter where you go, there you are."
October 3rd, 2002, 02:48 AM
I'm curious about something. You stated that they are an existing client and that you reviewed your policy with their audit team a few months ago. I'm wondering what kind of audit it was. The reason being, if it was a security audit, one might request documentation as to what you test so they can make sure they are compliant. When we are audited on things of this nature, we obtain a copy of what we are audited on so we can make sure all our "ducks" are in a row.....I'm just wondering out loud about that.
My advice/opinion is this...if they are an existing client, you should check the contract they signed or the Statement of Work agreement between you. There should be something in there that states what they have a legal right to and what they don't. If you're still getting the run-around on this, you could try legal or maybe even a hotline (some companies, depending on size, have hotlines set up to question unethical behavior). This one could very well be a question of ethics, and I wouldn't want my job on the line.
Follow your gut.....it's usually right.
The true measure of a man is how he treats someone who can do him absolutely no good. - Ann Landers