VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium

Transcription

1 1 VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium

2 2 Agenda Introduction Vendor Management what is? Available Guidance Vendor Management basis Evolving Risks and Challenges Conclusion at you at risk?

3 3

4 4 PWC s 2015 US State of Cybercrime Survey 19% of CIOs are not concerned about supply-chain risks Only 42% of respondents consider supplier risks 23% do not evaluate third parties at all Most companies do not have a process for assessing security third-party partner capabilities before they do business with them

5 Vendor Management what is? 5

6 6 Vendor Management what is? Vendor Is a third party that supplies products or services to an enterprise. These products or services may be outsourcing, hardware, software, services, commodities, etc.

7 7 Vendor Management what is? Vendor Management Vendor management is a strategic process that is dedicated to the sourcing and management of vendor relationships so that value creation is maximized and risk to the enterprise is minimized. The approach and level of effort vary based on the vendor relationship and the scope of services and products. Each type of relationship may require a different set of steps and documents, depending on the relationship, risks and the enterprise strategy.

8 8 An effective third-party management program should provide the framework for management to identify, measure, monitor, and mitigate the risks associated with outsourcing. FFIEC IT Examination Handbook s Outsourcing Technology Services Booklet,.

9 9 Vendor Management what is? Vendors Vendors vendors Suppliers Outsource providers Joint ventures partners Affiliates for which the institution is deemed to have control Business alliance members Contingency arrangement participants Contingent workers Counterparties

10 10 Vendor Management what is? Critical Vendor Play a vital role in the enterprise s daily operations Have a critical impact on the success of the enterprise s strategic projects Require long-term contracts Have potential for significant financial implications Are difficult to change overnight Require frequent interaction and collaboration for disputes or have complex problem-resolution mechanisms Access or manage substantial critical or sensitive data

11 Available Guidance 11

12 Available Guidance 12

13 Available Guidance 13

14 14 Available Guidance Source: ISACA, Vendor Management: Using COBIT 5

15 15 Available Guidance Source: ISACA, Vendor Management: Using COBIT 5

16 Available Guidance 16

17 Vendor Management basis 17

18 18 Vendor Management basis Planning and Risk Assessment Due Diligence and Selection Contract Negotiation and Review Ongoing Monitoring and Oversight Termination of third-party relationships

19 19 Vendor Management basis Planning and Risk Assessment: Organizations should assess risk and set out options for controlling risk through vendor agreements. Organizations should establish a risk-based program; implemented appropriate governance and oversight programs for third party risk The aspects to assess depends on the depth of the type of assurance the organization needs to manage third party risk for information protection, service continuity, or regulatory compliance.

20 20 Vendor Management basis Due Diligence and Selection: Conducting a review of a potential third party before signing a contract. Due diligence could include: Existence and corporate history; Qualifications, backgrounds, and reputations of company principals, including criminal background checks where appropriate; Other companies using similar services from the provider that may be contacted for reference Financial status, including reviews of audited financial statements; Strategy and reputation; Service delivery capability, status, and effectiveness;

21 21 Vendor Management basis Technology and systems architecture; Internal controls environment, security history, and audit coverage; Legal and regulatory compliance including any complaints, litigation, or regulatory actions; Reliance on and success in dealing with third party service providers; Insurance coverage; Site visit; and Ability to meet disaster recovery and business continuity requirements. Based on the risks identified the Due Diligence could be more extensive.

22 22 Vendor Management basis Contract Negotiation and Review: Negotiate contracts so that the rights and responsibilities are clearly laid out. Contracts should be reviewed by management periodically to ensure pertinent risks are addressed. Contracts should: Clearly define the rights and responsibilities of both parties; Ensure the contract contains adequate and measurable service level agreements; Ensure the contract does not contain provisions that may have an adverse effect on the organization; Engage legal counsel to review the contract; and Evaluate foreign-based third-party service providers

23 23 Vendor Management basis Ongoing Monitoring and Oversight: Continuously monitor the relationship and the operations of the third party vendor. Key service level agreements (SLAs) and contract provisions; Financial condition of the service provider; General control environment of the service provider through the receipt and review of audit reports and other internal control reviews; and Potential changes due to the external environment. The frequency of the monitoring will depend on the vendor risk level, the service and the nature of the indicator monitored.

24 24 Vendor Management basis Termination of third-party relationships: Management should ensure there is a procedure in place in the event of termination of the third-party relationship. This is imperative to a seamless transition to another vendor or in-house operation

25 Evolving Risks and Challenges 25

26 26 Evolving Risks and Challenges Fourth party and subcontracting risks Increase oversight concerns regarding security, data breaches, and compliance Organizations should developed sufficient approaches to assess and manage fourth party risk Requires adjusted due diligence processes as there is not a direct contractual relationship with the fourth party or subcontractor Service provider should have a documented policy and procedures to manage and assess risk of their own third party subcontractors.

27 27 Evolving Risks and Challenges The due diligence is focused on how your 3rd party has structured its program for oversight of their providers (risk management controls, methodology, type of data location). Require that your service provider conduct sufficient oversight which may include risk management reporting, site visits, inspections, and issue management. For key controls that your organization has deemed important in managing your risk, institution s need to request evidence of the implementation of those controls and effectiveness of implementation. Evidence can take many forms, and may or may not be distributed externally. However, most service providers will have a process to provide them in on-site visits, or by using online tools for information sharing via web meetings to show confidential documentation.

28 28 Evolving Risks and Challenges There should be provisions in the contract to govern the use of fourth parties, including but not limited to: Notification of non-compliance or security breaches Notification/approval of new fourth parties Obligation of the third party of maintaining a proper Vendor Management Program Obligation of evidencing proper governance/monitoring of fourth parties

29 29 Evolving Risks and Challenges Cloud Services Cloud Security Alliance, The Notorious Nine: Cloud Computing Top Threats in 2013 Without a complete understanding of the CSP environment, applications or services being pushed to the cloud, and operational responsibilities such as incident response, encryption, and security monitoring, organizations are taking on unknown levels of risk in ways they may not even comprehend, but that are a far departure from their current risks.

30 30 Evolving Risks and Challenges Cloud Services The top cloud security threats, as defined by the Cloud Security Alliance, include: Shared technology vulnerabilities Insecure application programming interfaces (APIs) Account or service traffic hijacking Malicious insiders Data loss and leakage Abuse and nefarious use of cloud computing

31 31 Evolving Risks and Challenges Cloud Services Usage of Cloud services could introduce different risks based on geography and requires modifications to the due diligence approach. Organizations should establish processes to monitor evolving geopolitical risk and have adequate business continuity management plans in place. Requires strong risk assessment, control review process and contract negotiation processes.

32 32 Evolving Risks and Challenges Cloud Services Cloud Standards Customer Council, Security for Cloud Computing: 10 Steps to Ensure Success: 1. Ensure effective governance, risk and compliance processes exist 2. Audit operational and business processes 3. Manage people, roles and identities 4. Ensure proper protection of data and information 5. Enforce privacy policies 6. Assess the security provisions for cloud applications 7. Ensure cloud networks and connections are secure 8. Evaluate security controls on physical infrastructure and facilities 9. Manage security terms in the cloud SLA 10. Understand the security requirements of the exit process

33 33 Evolving Risks and Challenges Cybersecurity Vendor should have effective, well-documented policies regarding cybersecurity. Policies should address how they manage sensitive and proprietary information, data transmissions and other security concerns, so as to ensure breach notification, if needed. Vendor should have a third-party review of its cybersecurity practices. The review should include internal and external network vulnerability and penetration testing. The vendor should be willing to share the results of past and future tests. Disaster recovery plans and test should consider different scenarios of Cybersecurity threats on both sides, the service provider and contracting party.

34 Are you at risk? 34

35 35

36 36

37 37

38 38

39 Questions? 39