3 rd -party Security Risk Assessment

Transcription

1 3 rd -party Security Risk Assessment Understanding Supplier Chain Risks. Presented by: Nasser Fattah CISSP, CISM, CISA, CGEIT Linkedin: April 14, 2015

2 Disclaimer The views, opinions, and material presented by Nasser Fattah at the New York Summit are solely based on his experience and opinions relating to 3 rd -party security risk assessments. Material included within does not necessarily reflect or represent MUFG Union Bank processes, practices, or actions.

3 Agenda 1. What are the benefits to outsource to a 3 rd -party? 2. When to outsource? 3. What are the risks associated with 3 rd -parties? 4. What is driving the need to review 3 rd -parties? 5. What is Vendor Risk Management? 6. Who is responsible for vendor risk management? 7. What we need to know about Vendor Risk Management? 8. Why implement Vendor Risk Management? 9. What are the key components of a Vendor Risk Management framework? 10. High-level processes for framework 11. Example of vendor categorization 12. What are examples of risk assessments? 13. What are examples of due diligence? 14. What are examples of contract provisions? 15. Key takeaways

4 What are the benefits to outsource to a 3 rd -party? Reduce labor and operational costs Permit a company to focus on its core competency Access to special services Produce better product/service Faster turnaround time Competitive advantage Much more Remember: A business CAN T Outsource Responsibility or Liability!!!

5 When to outsource? Strategic Strategic Non-Strategic Non-Strategic Competitive Not Outsourced Grey Area Non-Competitive In House if Possible Outsource

6 What are the risks associated with 3 rd -parties? Types of Business Risks Strategic Reputational Compliance Example Vendor doesn t meet business goals, including expected return of investment Vendor doesn t meet expectations of business customers, or when the vendor is subjected to public scrutiny or experiences negative publicity. Vendor is not compliance with law or the business regulations and internal policies and procedures, and when audit and control features are weak or nonexistent. Transaction Vendor is unable to meet SLA or deliver its product or provide its service due to error, fraud, or technology failure. Ineffective business continuity planning increases transaction risk. Credit Vendor s failure to meet the terms of the contract, including cost, or otherwise to perform as agreed.

7 What is driving the need to review 3 rd -parties? Most industries (financial, healthcare, retail, etc.) have regulations that mandate vendor risk management. The same is true for industry standards and information security best practices.

8 What is Vendor Risk Management? Vendor risk management is the process of ensuring that the use of service providers and IT suppliers does not create an unacceptable potential for business disruption or a negative impact on business performance. * Gartner definition

9 What we need to know about Vendor Risk Management? The business objective with 3 rd -parties is to select the right vendor, for the right job and for the right price. However, business must still do the right risk assessment/due diligence, and have the right contract terms, including security, to best safeguard business from potential harm and liabilities

10 Who is responsible for risks associated with vendors? Business lines are ultimately responsible for risks associated with their vendors/partners. Here the business lines need to work with many subject matter experts (SMEs)/stakeholders for appropriate assessments (due diligence), selection and monitoring of vendors. InfoSec Procurement Legal Compliance Vendors Oversight Business Continuity Vendor Mgmt IT Business

11 What are examples of risk assessments? Security questionnaires that map to business and security controls Supporting evidence and documentation from vendor (pentests, DR results, etc.) Onsite review Independent reviews (SSAE 16) and industry certifications (ISO 27001, Sys Trust, etc.)

12 What are examples of contract provisions? Right to audit NDA Onsite visits Incident response Data destruction and retention Data center relocation Activities of 4 th -parties Timely breach notification

13 Questions for us, and some food for thought? What is a vendor? Software providers, SaaS, office cleaners, florists, affiliates, etc.? Know vendor definition as per regulations. What is a Critical vendor? Whose definition? Impact, and by which SME? Regulators expect more due diligence on critical vendors. Assess vendor or engagement? What happens when vendor provides more than one service? What type of Due diligence?: How do we scope due diligence for vendors same due diligence for all vendors? What is required, including documentation, to perform due diligence? Do all due diligence include onsite reviews? What triggers onsite review? How about 4 th -party reviews? What about ongoing monitoring? How do you monitor vendors, and how often? Which ops model to assess vendors? Internal SMEs, managed services, or a hybrid to conduct 3 rd -party risk assessments? What needs to go into a contract: Any standard security provisions in contracts based on vendor type?

14 Key takeaways Partner with business lines and other SMEs (procurement, privacy, legal, etc.) to review vendors Evaluate your vendors, and repeat based on risk posture (inherent, residual risk) Report and track risks associated with vendors Get security provisions into contracts

15 Questions?