OC Chapter. Vendor Risk Management. Cover the basics of a good VRM program, standards, frameworks, pitfall and best outcomes.

Transcription

1 OC Chapter Vendor Risk Management. Cover the basics of a good VRM program, standards, frameworks, pitfall and best outcomes.

2 2 Why Assess a Vendor? You don t want to be a Target for hackers via your vendors weak IT controls You may have to comply with various ever increasing regulatory and other compliance frameworks HIPAA PCI FFIEC Many others

3 3 FFIEC Announcement The appendix highlights that a financial institution s reliance on third-party service providers to perform or support critical operations does not relieve a financial institution of its responsibility to ensure that outsourced activities are conducted in a safe and sound manner. An effective third-party management program should provide the framework for financial institution management to identify, measure, monitor, and mitigate the risks associated with outsourcing. Specifically, a financial institution should ensure that its third-party service providers do not negatively affect its ability to appropriately recover IT systems and return critical functions to normal operations in a timely manner: Third-Party Management Third-Party Capacity Testing with Third-Party Technology Service Providers Cyber Resilience

4 4 Assessment Approch B U S I N E S S C O N T I N U I T Y P L A N N I N G (BCP) CONTROL EVALUATION Other Audit Previous Audit Remediation Documentation Control Assessment Recommendations Recommendation Used? Based on inquiry, and review of company documentation, it PaceMaker Initial Screen.pdf N Based on the information None None appears that: provided, this control Claims BCP.pdf appears to be at CobiT 1a) Current Business Continuity Plans are maintained and Maturity Model Level 4 saved on an internal portal - PaceMaker (PaceMaker Initial Financial Reporting BCP.pdf Managed and Measurable. Screen.pdf). They cover both business and technical/it aspects of disaster recovery and business continuity. The IT BCP General.pdf samples selected (Claims, IT, and Financial Reporting) include sections for Maintenance Phase - Mandatory Update As IT BCP Hot-Site Required, Quarterly & Semi-Annual Review of Critical Implementation Team.pdf Information, Testing, Recovery Phase - Pre-Activation, Activation, Critical Operations, Full Recovery, Post Recovery IT BCP Alternative Office and Reference Attachments for applicable locations. (Claims Support Team.pdf BCP.pdf, Financial Reporting BCP.pdf, IT BCP General.pdf, IT BCP Hot-Site Implementation Team.pdf, IT BCP Alternative IT BCP Telecommunication Office Support Team.pdf, IT BCP Telecommunication Recovery Recovery Team.pdf Team.pdf) A Confidential Crisis Management Plan also exists and was examined with management. Hard-copy binders BCP System Recovery are kept by key executives at off site locations. The IT Procedures.Sharepoint department also maintains BCPs for significant Folder.pdf systems/applications and databases on the company's Sharepoint portal (BCP System Recovery BCP Zeus Recovery Procedures.Sharepoint Folder.pdf, BCP Zeus Recovery Procedures Folder.pdf Procedures Folder.pdf, BCP Oracle Financials Recovery Procedures Folder.pdf). The system BCPs outline specific BCP Oracle Financials procedures for recovering the system after a disaster (Control Recovery Procedures Procedures IT - BRP Zeus Checks.doc, DBA BCP Folder.pdf Procedures.doc, Forms_10_BCP_Documentation-v3.doc, R12 OAP BCP Process.doc). 1b) Management indicates that a comprehensive business Control Procedures IT - BRP impact analysis (BIA) has been performed for significant Zeus Checks.doc business areas and are maintained and saved to Pacemaker (PaceMaker Initial Screen.pdf). The documented BIA examins DBA BCP Procedures.doc areas such as: Background Information - General, Process Description, Operating Locations, Peak Operating Times & Forms_10_BCP_Documentati Cycle Time, Annualized Return, Annualized production Output; on-v3.doc Resource Requirements - General Resource Requirements, Notes, Key Records, Data, Intellectual Property & R12 OAP BCP Process.doc Documentation and Records Management Process, Disaster Preparedness/Work From Home Capabilities, Dependencies - PaceMaker Initial Screen.pdf Key Customers, Service Level Agreements w/ Customers, Process Dependencies, Product Dependencies, Technology Claims BIA.pdf Dependencies, Vendor/External Dependencies, Regulatory Requirements - Regulatory Considerations, Reporting Financial Reporting BIA.pdf Requirements and BIA - Recovery Objectives, Reputation Impairment - Customer and Stakeholder Considerations, Claims BIA.pdf Employees, Cash Flow Interruption, Financial Control and Reporting Exposure and Contractual Noncompliance (Claims Financial Reporting BIA.pdf BIA.pdf, Financial Reporting BIA.pdf). BCP-System RTOs.xls documents the Recovery Time Objectives for IT Supported Business Applications per Department/Functional area. CONTROL FINDINGS DOI Questionnaire Ref # DOI Questionnaire Question Management Response Is the business contingency plan a) current, b) based on a business impact analysis, c) has it been tested, and d) address all significant business activities, including financial functions, telecommunication services, data processing services and network services? Y Control Activity Findings Supporting Evidence Three Key Types of Assessment Approach E1 1. Spreadsheets and Word Documents 2. GRC (tools such as Evantix, Archer, MetricStream) 3. Onsite Interview and Observation MANAGEMENT RESPONSE Comments Evaluation of Response

5 5 Frameworks and Standards Ques NumSIG Question Text Response Additional Information SIG Lite A. Risk Assessment and Treatment Is there a risk assessment program that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the SL.1 program? B. Security Policy Is there an information security policy that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the SL.2 policy? ISO Version 2013 COBIT 4.0 Relevan ce A.1 IT & Infrastructure Risk Governance and 5.1 Context Leadership & Commitment, Information Security Risk Assessment B.1 Information Security Policy Content & Maintenance Policies for information security PCI 3.0 FFIEC NIST SL.3 SL.4 PCI Version 3.1 SL.5 Have the policies been reviewed in the last 12 months? Is there a vendor management program? C. Organizational Security Is there a respondent information security function responsible for security initiatives? Do external parties have access to Scoped Systems and Data or processing facilities? D. Asset Management Is there an asset management policy or program that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the policy? B.1 Procedure: d C.3 Security Organization Roles/Responsibiliti es PO6.1 IT policy and control environment 5.4, 12.1 IS Review of the policies for information security PO3.1 Information Security Roles and Responsibilities PO3.3 Technological direction planning 12.2.b IS Monitoring of future trends and regulations 15Supplier relationships Shared Assessment SL.8 Are information assets classified? E. Human Resource Security Are security roles and responsibilities of constituents defined and documented in accordance with the respondent s information security policy? Licensed version 2015 SL.9 D. Assessment Management Responsibility For Assets Classification of Information PO2.3 C.3 Security Organization Roles/Responsibiliti es Information security roles and responsibilities PO4.6 D.1.c.6 Data classification scheme Roles and responsibilities PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1 PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7 PO3.3, PO3.5, PO4.3, PO4.4, PO4.5, PO4.8, IS PO6.3, PO6.4, 12.5MGMT PO6.5, DS5.1 PO6.4, DS5.5, ME2.2, ME2.5, 12.8 ME4.7 HIPAA update 2014 SL.7 COBIT 4.1 Relevance IS BCP BCP MGMT OPS.1.3 PO9.4 Not a Assessment tool more a ISMS but some have changed it to fit VRM SL.6 AUP 2015 Relevance ISO 27002:2 013 Relevan ce PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6 PO2, AI2, DS9 PO4.6, PO4.8, IS.2.M.15.1 PO6.3, PO7.1, MGMT PO7.2, PO7.3, 12.1WPS DS5.4 Shared Assessments Program Cloud Comput Paper Description

6 6 Value of a Remote Assessment Audit Trail Delegation Functionally Sales or CSO completing the assessment Vendors Vendor! Procurement Contract RFI Provides Attachments Questions Scored Questions and Sections Weighted Cheaper to perform over 100s of Vendors

7 7 Onsite Assessment Interview Observation Data collection Immediate Remediation suggestions Ability to gage the honesty of the Vendor management Overall Risk Assessment more accurate Why note do both! Remote followed by Onsite for sub set of overall Vendor pool A bit less of Him! And more of this!

8 8 VRM Assessment Process Relationship Assessment Profile Assessment Control Assessment

9 9 Relationship Assessment High Risk Med Risk Low Risk

10 10 Source Profile Assessment D&B Experian Thompson Reuters Value RFP Selector Fraud Indicator Result Go No-Go Onsite Reserves against loses

11 11 Control Assessment SaaS Assessment Assess ISO Onsite Assessment Result Low Risk Score Interview and Observation Move to Annual Assessment Status Med Risk Score Move to Remediation Status Remediation Opt for 30 / 60 / 90 day plan for remediation of gaps Re-Assess

12 12 Assessment Frequency Annual Assessment First Year Small number of Vendors Assessing High Risk Vendors only 2 and 3 Year Rotational Plan Med and Low Risk Vendors To many Vendors to Assess Vendor change is service and or supply type

13 13 VRM Team ITS or Security Team VRM (Vendor Risk Management) Team Procurement Out Sourced Professional Services Internal Audit Independent Review of VRM Results CPA Firms FDIC

14 14 Vendors Risks Don t be a Target No Contract over your Vendors Vendors IP Customer DB Employee DB Out Sourced IT GEO FCPA Bankruptcy No longer able to support your need Disappearing hardware and IP Risk Reputational Financial Regulatory

15 15 Questions

16 16 Regents & Park VRM Blog LinkedIn Blog on VRM

17 17 Regents & Park Jason James President +1 (949) LinkedIn Blog on VRM