Practical Vendor Management to Minimize Compliance Risks November 12, 2015

Transcription

1 Practical Vendor Management to Minimize Compliance Risks November 12, 2015 v 1

2 Today s Speakers Ray Everett Principal Consultant & Director Product Management TRUSTe Charlie Miller SVP Shared Assessments 2

3 Agenda Welcome Introduction to Shared Assessments 2015 Vendor Risk Management Benchmark Study Current Privacy Best Practice for Managing Vendors Next Steps: Collaborative Onsite Assessments Q&A LIVE DEMO: Vendor Management Assessments 3

4 The Shared Assessments Program Charlie Miller, SVP, Shared Assessments v 4

5 The Shared Assessments Program Setting the standard in U.S. vendor risk assurance since 2005, now expanding internationally Created by leading financial institutions, the Big 4 accounting firms, and key service providers to: Standardize an objective framework for outsourcers to gather service provider information through a repeatable and consistent evaluation process Raise the bar on third party risk management by creating a comprehensive onsite security evaluation process, regardless of who performs the assessment (CPA, independent assessment firm, internal assessor) Ensure a means for keeping current with the latest regulations, standards and new risk control areas Create efficiencies and reduce costs for all stakeholders 5

6 The Shared Assessments Program Tools TRUST Standardized Information Gathering (SIG) Questionnaire-Based Procedure Developed using ISO 27001/2 for the framework methodology Standards correspond to ISO, PCI-DSS, HIPAA/HITECH, COBIT, NIST CSF and FFIEC guidance (Appendix J) Aligns with OCC Provides a complete picture of service provider controls Scoring capability for response analysis and reporting Developed to be a standardized and repeatable process VERIFY Agreed Upon Procedures (AUP) Onsite Assessment Testing Procedures Shared Assessments AUP provides objective, robust, repeatable and consistent procedures to evaluate key controls Factual-based reporting which does not provide an opinion Objective test of controls, validation of vendor self-assessment(s) and report of results Companies view results in the context of their unique vendor risk management requirements 6

7 2015 Vendor Risk Management Benchmark Study Charlie Miller, SVP, Shared Assessments v 7

8 2015 Benchmark Study Remarks Surging volume of outsourced products and services = greater risks associated with vendors and third-party providers. Not only in highly regulated industries (financial services, healthcare), but in any organization relying on third parties to manage critical operations and processes. Greater urgency today recent massive and highly publicized security breaches at several large companies, resulting in public and regulatory scrutiny. Understanding vendor risk management best practices until recently has been difficult. 8

9 Average Results by Respondent Role Maturity Levels 5 = Continuous improvement benchmarking, moving to best practices 4 = Fully implemented and operational 3 = Fully defined and established 2 = Determine roadmap to achieve goals 1 = Initial visioning 0 = Do not perform Category C-Level Execs Directors Managers 1 Program Governance Policies, Standards, Procedures Contracts Vendor Risk Identification and Analysis Skills and Expertise Communication and Information Sharing Tools, Measurement and Analysis Monitoring and Review Average

10 Benchmark Study Final Thoughts Third party security goal posts seem to be moving as risk scope becomes more apparent shell shock for some organizations. Increased management understanding of the size of incremental resources required to better manage increased third party risk has led to reassessment of current organizational capabilities important survey lens. That lens has tempered survey self-assessment results. Of eight survey categories, four were flat compared to last year s results and four showed very slight declines. Resource inadequacy was consistently identified as a major concern (five questions touched on it), but well designed vendor risk programs will respond to the right types of investment. 10

11 Survey Background Shared Assessments partnered with Protiviti to conduct the 2015 Vendor Risk Management Benchmark Study based on the VRMMM Conducted online in Q and Q More than 450 participants 24% of organizations - $10 billion or more in assets/annual revenues Notable industries represented: Financial Services (42%) Insurance (10%) Healthcare (6%) Notable positions represented C-suite (25%) Internal/IT Audit Manager (25%) ORM (20%) Internal/IT Audit VP/Director (10%) IT Manager (7%) IT VP/Director (4%) 11

12 Current Privacy Best Practice for Managing Vendors Ray Everett, Principal Consultant & Director Product Management, TRUSTe v 12

13 Vendor Risk Assessment in Privacy Goals Identify nature of the risks posed Evaluate ability of vendor to mitigate those risks Assess impact of unmitigated risks Monitor risks that cannot be eliminated Enable decision making re accepting those risks and impacts Know your business requirements Know your data flows Know your relationships Know your risk tolerance 13

14 Conducting Vendor Risk Assessments Initial assessment Ongoing assessment cadence Incident-based assessment Calibrating and categorization Core Customer-facing Customer data Back office Non-essential Responsibility and ownership 14

15 Notable FTC Actions in Indirect Liability GMR Transcription (Aug 2014) Relied on service providers and independent typists to process medical records Credit Karma (Aug 2014) Mobile app developer failed to implement required encryption protections but FTC alleged company failed to verify functionality before launch Take-aways: Exercise due diligence before hiring 3 rd party data service providers Have appropriate contractual protections Take steps to verify adherence to policies/requirements 15

16 Next Steps: Collaborative Onsite Assessments Charlie Miller, SVP, Shared Assessments v 16

17 Collaborative Onsite Assessments Introduction Q: How do we achieve standardization, efficiencies and cost savings in the third party risk assessment process? A: By agreeing that third party risk management is not a competitive issue. Collective Intelligence + Industry Standard Improved Risk Assessment Process 17

18 The Environment Dependence on outsourcing critical services increases inherent risk Numerous and overlapping regulatory requirements and heightened expectation on assurance, including increased transparency regarding cybersecurity practices Boards and senior management involvement in the risk reporting process Proprietary methods for information gathering and assessments are inefficient, costly and lack standardization Risk areas continue to evolve and expand Threats are becoming increasingly more sophisticated 18

19 What Constitutes a Robust Vendor Management Program? Evaluate, track, and measure third party risk over a number of domain areas It must align, such as software application security, cloud, mobile, resiliency, privacy, access control, physical security Comply to regulations, standards, and guidelines Consistent, robust, and repeatable process Monitor throughout the vendor management lifecycle 19

20 The Problem Lack of standardized risk assessment processes by outsourcers Each outsourcer performing similar due diligence activities Varying interpretation of regulations and differing risk appetites Regulators historically reluctant to commit to a standardized approach Service providers resources strained by outsourcers Need to respond to diverse client information requests Time and resource intensive onsite visits 20

21 The Solution The Collaborative Onsite Assessment Top-tier US-based financial institutions risk managers working collaboratively to improve the third party risk environment Leverage the collective intelligence to improve current standards for IT, privacy, business resiliency and data security controls Shared Assessments Agreed Upon Procedures (AUP) Service Organization Control (SOC) 2 NIST Cyber Security Framework Utilize industry associations to foster collaboration and provide project management Shared Assessments Program Securities Industry and Financial Markets Association (SIFMA) 21

22 Project Goals Creating Efficiencies Collaborate on Onsite Assessments of Key Third Parties To the extent that common services are offered to multiple organizations in the financial services industry, evaluate the associated risk in a consistent, uniform manner Leverage the Shared Assessments Agreed Upon Procedures (AUP), standardized testing procedures for onsite assessments, as the common risk assessment methodology Reduce the time and expense of conducting multiple onsite vendor assessments Ensure a standardized, robust, consistent, and repeatable evaluation of a vendor s risk posture Share the Assessment report with multiple clients 22

23 Project Goals Improve the Framework Top tier financial institutions worked collaboratively to develop: A Superset Shared Assessments AUP framework for onsite assessments Development of a SOC 2 Plus (SIFMA) Both projects hold the same common goals the development of a more robust and scalable risk assessment process that injects speed, efficiency and cost savings into the third party risk assessment process 23

24 Project Pilot Collaborative Onsite Assessments Performed Participants piloted the process of working collaboratively to assess key third parties for whom they share common shared services: Pilot 1: Iron Mountain + 3 financial institutions Pilot 2: Early Warning Services, LLC + 5 financial institutions Pilot 3: Small Business Financial Exchange (SBFE) Superset AUP now meets all internal corporate requirements for many U.S. financial institutions, including key pilot participants: JPMorgan Chase, Citigroup, Capital One, US Bank, Morgan Stanley, Northern Trust 24

25 Benefits Summary Increased rigor, consistency, efficiency and cost savings in the control assessment process for both the outsourcing organizations and the service provider Larger Tier 1 and 2 service providers would benefit most immediately from participating in collaborative assessments For mid- and small size institutions who cannot necessarily dedicate a high level of resources to meet the changing regulatory and evolving risk environment, there exist tangible cost savings and personnel efficiencies benefits through use of a standardized, consistent, repeatable tool More robust control sets developed through collective intelligence and expected to drive improvements in service provider programs 25

26 Continuous Efforts and Improvements Next Steps: Ongoing development and refinement of the Superset AUP to ensure additional robustness by expanding the collective intelligence to include additional financial institutions Develop and broaden the collaborative onsite assessment program including project management services Release the enhanced Superset AUP Program Tool Promote adoption of the Program s Superset AUP as a best practice standard for each industry or sector as they are developed 26

27 Apply What You Heard Today Understand that third party management is not a competitive issue Form cooperative relationships and open the lines of communication with your counterparts at other organizations Get involved in industry associations and public-private partnerships Adopt a standardized framework to keep current with new regulatory requirements and changing risk control areas Outsourcers: Consider working collaboratively with other companies to perform collaborative onsite assessments Service Providers: Understand what organizations share common services and encourage them to perform a collaborative onsite assessment 27

28 Questions? v 28

29 Contacts Ray Everett TRUSTe Charlie Miller, CIPP CTPRP The Santa Fe Group v 29

30 Appendix The Shared Assessments Program Tool Alignment to Standards and Regulations Charlie Miller, SVP, Shared Assessments v 30

31 Shared Assessments Program Tool Alignment US Regulations, Standards & Guidelines Financial Services Regulatory Guidances and Standards FFIEC Appendix J OCC ; Merchant Processing Handbook Healthcare Regulatory Guidances and Standards HIPAA Incident Response Reporting Procedures Governmental Guidances & Standards (All Industries) NIST Cyber Security Framework (CSF); Computer Security Incident Handling Guide (NIST.SP r2) Title 21 of the Code of Federal Regulations (CFR) Part 11 Section 11.1 (a) 31

32 Shared Assessments Program Tool Alignment US Regulations, Standards & Guidelines Governmental Guidance & Standards (Federal and/or State Agencies) DOJ Breach Procedures US CERT Federal Incident Notification Guidelines US-Based National Standards AICPA Incident Response Procedures COBIT US-Based International Standards Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) ISO 27001, PCI-DSS v Privacy Insight Series 32

33 Shared Assessments Program Tool Alignment EU Regulations, Standards & Guidelines UK Cyber Essentials Scheme EU Data Protection Directive 33

34 International Regulations & Standards Under Development Asia Pacific Japan (APJ) Asia-Pacific Economic Cooperation (APEC) Association of Banks in Singapore Outsourced Service Provider (OSP) Standardized Guidelines Australian Prudential Regulatory Authority (APRA) Hong Kong Monetary Authority (HKMA) Monitory Authority of Singapore (MAS) Europe EU European Central Bank (ECB) Europe Germany Bundesbank/Central Bank of Germany (BuBA) German Federal Financial Supervisory Authority (BaFIN) v Privacy Insight Series 34

35 International Regulations & Standards Under Development Europe Luxembourg Commission de Surveillance du Secteur Financier (CSSF) Europe Switzerland Financial Market Supervision Act (FINMA) Europe UK Financial Conduct Authority (FCA) Financial Services Authority (FSA) Prudential Regulation Authority (PRA) Rulebook 35

36 Thank You! Don t miss the next webinar in the Series Solutions for Cross-Border Data Transfers: APEC CBPRs, BCRs and Global Interoperability on December 9th See for details of future webinars and recordings. v 36