Segmented Architectures
Some security analysts advocate "segmenting" enterprise architecturesinto smaller networks, all behind separate firewalls. That way, if onepart of the network is compromised, the rest remains safe. Bethesda,Md.-based defense contractor Lockheed-Martin does that--and looks forit in its partners too, says A. Padgett Peterson, Lockheed's seniorsecurity analyst.

Background Checks
If it's standard practice in your own organization to conductbackground checks on employees with access to sensitive data, it'sreasonable to request the same for partners' employees who also haveaccess. Wade declined to say whether he requires background checks ofthe Fed's partners, but he's required it while working at othercompanies. By having business representatives, not just IT people,involved in the negotiations, you're more likely to get your partnerto agree to background checks. "It's difficult for many IT people toappreciate the risks involved in the relationship being established,"he says.

Compliance Audits
Experts and practitioners agree the best way to validate compliance isthrough periodic audits, either by your own auditors or an independentthird-party security company, as Visa requires. Typically the partyrequesting the audit will foot the bill.

The most security-conscious organizations require their partners tosubmit to penetration testing on a regular or random basis. But LeGrand says that is an extreme measure, because there is potential tobring a partner's system down. "If you run a denial-of-service attackjust to see how they recover, the recovery will be expensive," hesays. "So you'd better not do this haphazardly and without agreeing onyour right to do this."