Vendor Management Panel Discussion. Managing 3 rd Party Risk

Transcription

1 Vendor Management Panel Discussion Managing 3 rd Party Risk

2 Vendor Risk at its Finest Vendor Risk at its Finest CVS Care Mark Corporation announced that it had mistakenly sent letters to approximately 3,500 health care members providing them with other members personal medical information. This incident was caused by an unspecified program error by CVS error by CVS pharmacy benefits manager. pharmacy benefits manager St. Elizabeth s Medical Center in Massachusetts recently notified over 6,800 patients that their billing information, including credit card numbers and security codes may have been compromised when the hospital s documents were removed by a vendor from a building scheduled for demolition. demolition

3 Problem Statement While companies can realize real financial benefits from outsourcing operational processes to third parties, they must recognize that they cannot outsource their risks. In fact, due to the inherent lack of control companies maintain i over their hithird parties, they may even be introducing additional risks by outsourcing Fortunately, these risks can be managed

4 Regulations and Standards Numerous regulations and industry guidelines require management of vendors and 3rd parties GLBA ISO FCRA Red Flag NIST HIPAA HiTECH FFIEC Examiners Handbook PCI EU BSPR COBIT CERT RMM

5 Managing Your Risk Require IT Risk / Information Security Specific Contract Terms Right to Audit Need for documented and tested security program Like kind controls of 3rd parties Documented Service Level Agreements (SLAs), measurements to demonstrate compliance with SLAs, and documented penalties for failure to adhere to SLAs Requirements to comply with all applicable legal requirements such as GLBA, HIPAA Requirements to comply with all necessary industry requirements such as PCI Requirement to remediate adverse findings in a timely fashion Specific requirement for incident notification Indemnification against suits resulting from breach

6 Managing Your Risk Perform Due Diligence Onside audits Review of security program Review of security assessments and tests Review of control validations and industry certifications (e.g., PCI ROC, SSAE16, ISO 27001/27002) Request and track remediation of findings

7 Panel Discussion How does your company manage vendor risk? What does your vendor management organization look like, and who has responsibility for it? Contracting Financial Due Diligence Security Due Diligence BCP Due Diligence IT Due Diligence Does your company have staff dedicated to these tasks? Who brings it all together? Do you outsource any of these tasks? Do you use a GRC or other tool to manage your duediligence activities?

8 Panel Discussion What regulatory requirements mandate that you manage your 3 rd party risks? Describe how your company manages IT Risk and Information Security Due Diligence? Do you perform onsite assessments? Physical walkthroughs? Interviews? Do you use a security questionnaire? How many questions? Is it your own questionnaire i or do you use something like BITS? Do you review vendor documentation? Policies/Standards/Guidelines/Procedures? Network and Security Diagrams? 3 rd Party Contract Templates? Certifications and Assessments?» 3 rd Party Penetration Tests» ISO/IEC 27001/27002?» SSAE16/SAS70

9 Panel Discussion Do you roll up your due diligence into risk reports? How do you quantify vendor risk? ik? Can you explain what goes into it? Can you explain how you rate your vendors (by tier, by risk level)? Do you have one or more committees dedicated to vendor risk management? Do you carry cyber insurance to protect against third party breaches? How do you manage insertion of contract terms on your paper vs. theirs? Do you require specific terms in your vendor contracts? Do you get much pushback from your vendors on the terms? What would you say are your top 5 terms? Do you include a set of Third Party Security Standards in your vendor agreements? Do you get much pushback on that standard? How verbose/prescriptive is the standard? How many pages?

10