Evaluating and Managing Third Party IT Service Providers
Are You Really Getting The Assurance You Need To Mitigate Information Security and Privacy Risks?

Kevin Secrest
IT Audit Manager, University of Pennsylvania
September 30, 2015

Before we begin: Learning Objectives

1. List options for evaluating and managing third party IT service providers' information security and privacy risk.
2. Compare the intended uses of the different reports that IT service providers provide to demonstrate effective information security and privacy controls, and determine the most appropriate type of report to request.
3. Determine internal audit's role with regard to evaluating and managing third party IT service providers.
Terminology

Third Party IT Service Provider = Vendor

Vendor risk management includes the process of managing third parties that deliver IT services in order to mitigate information security and privacy risks.
Source: Adapted from Vendor Management: Using COBIT 5

Presentation focus

Of the vendor lifecycle phases (Identify need, Prepare, Evaluate, Execute contract, Manage vendor), this presentation focuses on:
- Evaluate: due diligence with regard to security and privacy
- Manage vendor: ongoing activities to manage information security and privacy risk

Background

Vendor risk categories:
- Financial
- Operational
- Legal/Regulatory
- IT/Privacy
- Reputational

Outsourcing benefits:
- Focus on core activities
- Potential cost savings
- Increased efficiency
- Access to expertise
The Issues

Driver: Significant changes in IT models/consumption
Issue: Individuals evaluating information security and privacy risk may not have the appropriate expertise

Driver: Increasing regulatory requirements and customer expectations
Issue: Some vendor-provided reports (e.g., SSAE No. 16) do not effectively address customers' concerns with regard to information security and privacy risks

Driver: The number of IT vendor relationships has significantly increased
Issue: Lack of a comprehensive vendor inventory results in challenges managing third party IT service providers' information security and privacy risk

A couple of questions organizations should ask first, during the evaluation phase: what type of data is being exposed to the vendor, and how does the vendor get access to it? Is there a data classification policy/standard in your organization?

Data Sensitivity and Review Framework for Evaluating Privacy and Security Safeguards in Cloud and Hosted Services
(Trustees of the University of Pennsylvania, rev. September 2011)

Data: HIGH sensitivity

Personally identifiable information types:
- SSN
- Credit card, debit card, or bank account number
- Other data requiring notification in the event of a breach
- Certain health information (treatment, diagnosis, certain care settings)
- Certain student records (final grades, disciplinary, academic materials)
- Certain HR records (salary, performance review, disciplinary)
- Certain alumni data (giving, contact reports)
- Other personal, highly sensitive data

Review procedure:

Legal: Require a contract with strong privacy and security requirements. Consider the need for FERPA, HIPAA, PCI, subcontractor, and security assurances language.

Due diligence of security practices. Examples:
- SOC Type II or ISO 27001 certification
- Alternate third party certification based on recognized security controls
- SPIA for Vendors that is reviewed and accepted by information security and privacy personnel
- Other detailed security program documentation reviewed and accepted by information security and privacy personnel

Additional risks and mitigation: Based on discussion/reviews, there may be additional steps necessary to address privacy and security concerns.
Data Sensitivity and Review Framework for Evaluating Privacy and Security Safeguards in Cloud and Hosted Services
(Trustees of the University of Pennsylvania, rev. September 2011)

Data: MEDIUM sensitivity

Personally identifiable information types:
- Contact information
- All FERPA-protected information that is not included on the previous slide
- Other personal, but not highly sensitive, data

Review procedure:

Legal: Require a contract with strong privacy and security requirements.

Due diligence of security practices. Examples:
- Any of the practices noted on the previous slide
- Review of Terms of Use and Privacy Policies by security or privacy personnel (note: determine whether the Terms specify that they can be changed at any time)

Additional risks and mitigation: Based on discussion/reviews, there may be additional steps necessary to address privacy and security concerns.

Data Sensitivity and Review Framework for Evaluating Privacy and Security Safeguards in Cloud and Hosted Services
(Trustees of the University of Pennsylvania, rev. September 2011)

Data: LOW sensitivity

Data very unlikely to be identifiable or, if identifiable, is broadly public information.

Review procedure:
- Review of Terms of Use and Privacy Policies by security or privacy personnel (note: determine whether the Terms specify that they can be changed at any time)

SPIA for Vendors

Used to evaluate a vendor's existing security and privacy posture and whether it meets Penn's current recommendations and guidelines.

1. Summarize the service offering, identifying the location of data being stored, the type of data being stored, transmission details (how frequently, through what mechanisms), and any aspects of the service that use subcontractors or are outsourced. Please specify if any sensitive, confidential, or other protected data is planned to be stored.
2. Do you have a third party security assessment and certification of your information security controls? How recently was the review performed? How regularly are reviews performed? Can you supply a copy?
3. Do you have an established Information Security Program, including an Incident Response process?
4. Do you have any certifications for any compliance frameworks such as FISMA, HIPAA, PCI, etc.? If a custom application was developed, describe any security frameworks (e.g., OWASP) used or formal processes (e.g., SDLC) in place.
5. Please describe controls to address the threat of information being compromised by an external hacker or malicious software.
6. Please describe controls to address the threat of information being intercepted in transit by unauthorized persons.
7. Please describe controls to address the threat of information being mistakenly disclosed to unauthorized persons.
8. Please describe controls to address the threat of information knowingly being misused by your workforce and contractors.
9. Please describe controls to address the threat of physical theft or loss.
10. Please describe controls to address community concerns regarding privacy practices.
11. Please describe controls to address the use, handling, protection, and sharing of confidential data shared with subcontractors.
12. Please describe controls to address threats to the availability of data based on inadequate business continuity procedures.

Access Penn's SPIA for Vendors template at: http://www.upenn.edu/computing/security/cloud/spia_for_vendors.pdf
Evaluating Third Party IT Service Providers' Information Security and Privacy Risks - Summary

- Involve relevant parties
- Know your data and how it should be treated
- Determine what the vendor can provide to demonstrate effective information security and privacy controls
- Evaluate the vendor's existing security and privacy maturity and whether it meets your organization's current recommendations and guidelines

Managing Third Party IT Service Providers

The contract is signed; now what?

Typical management activities:
- Right-to-audit clauses (but only if included in the contract terms!)
- Obtaining, where available, independent auditor reports (e.g., SSAE 16, SOC II)

Challenges to effectively managing IT vendors (PwC 2013 Global State of Information Security Survey):
- 69% of the surveyed companies lack an accurate inventory of locations or jurisdictions where data is stored
- 74% of companies do not have a complete inventory of all third parties that handle personal data of their employees and customers
Managing Third Party IT Service Providers: Right-to-audit

- In a decentralized environment, knowing the complete inventory of vendor relationships can be difficult
- Even if the organization feels it has a good handle on its IT service providers, it will likely still need to prioritize which vendors to audit, based on the earlier due diligence efforts with regard to security and privacy risk
- How often will audits be performed?
- Who will be involved (e.g., Internal Audit, Information Security, Privacy, General Counsel)?
- Who will maintain documentation from the audit?
- From a practical standpoint, the audit could consist of the vendor answering more specific information security and privacy questions (similar to the SPIA for Vendors tool discussed earlier)

Managing Third Party IT Service Providers

Example of how a vendor describes its report (quoted from https://www.1099pro.com/serv_ssae_16_soc_1_type_ii.asp): "SSAE 16 SOC I Type II is a high level security certification requiring a stringent audit process"

Managing Third Party IT Service Providers: evolution of the standards

- SAS 70: standard issued in 1992; often became a "check the box" exercise
- SSAE 16: standard superseded SAS 70 in June 2011; Service Organization Control (SOC) 1 examination
- SOC 2 and SOC 3 examinations: geared towards technology and cloud computing companies
- ISO/IEC 27001:2013 and ISO/IEC 27002:2013
SAS 70 Examination

- Often misused as a "one size fits all" means of obtaining assurance regarding compliance and operations, i.e., applied to control concerns it was never meant to address
- Contract language asked organizations to have SAS 70 reports
- Organizations responding to proposals for new business often had to show they were "SAS 70 compliant" and shared SAS 70 reports with potential customers
- The intent was auditor-to-auditor communication regarding controls relevant to organizations' internal control over financial reporting
- Objectives and controls for the examination were defined by the vendor; there was no pre-defined set of criteria that the vendor needed to meet

SOC I, SOC II, SOC III

Service Organization Control 1 (SOC 1)
- Guidance: SSAE No. 16 service auditor guidance
- Restricted Use Report (Type I or II report)
- Purpose: Reports on controls for financial statement audits

Service Organization Control 2 (SOC 2)
- Guidance: AT 101
- Generally a Restricted Use Report (Type I or II report)
- Purpose: Reports on controls related to compliance or operations

Service Organization Control 3 (SOC 3)
- Guidance: AT 101
- General Use Report (with a public seal)
- Purpose: Reports on controls related to compliance or operations

Trust Services Principles & Criteria (SOC 2 and SOC 3): Security, Availability, Processing Integrity, Confidentiality, Privacy

SOC II Examination

- Trust Services Principles, Criteria, and Illustrations: http://www.webtrust.org/principles and criteria/item27818.pdf
- Generally Accepted Privacy Principles: http://www.aicpa.org/interestareas/informationtechnology/resources/privacy/generallyacceptedprivacyprinciples/downloadabledocuments/gapp_bus_%200909.pdf
Still With Me?

ISO/IEC 27001/27002 Standards

- ISO/IEC 27001 is a specification for an information security management system
- ISO/IEC 27002 provides best practice recommendations on information security management for use by those responsible for initiating, implementing, or maintaining information security management systems
- The standards are open-ended: information security controls are suggested
- ISO/IEC do not actually perform certifications, but vendors can be certified through certification bodies
- To maintain the certificate, the vendor will need to both review and monitor the information security management system on an ongoing basis

More ISO/IEC Standards

- ISO/IEC 27018:2014 Information technology - Security techniques - Code of practice for protection of Personally Identifiable Information (PII) in public clouds acting as PII processors
- ISO/IEC 27032:2012 Information technology - Security techniques - Guidelines for cybersecurity
- ISO/IEC 27040:2015 Information technology - Security techniques - Storage security

Source: About the ISO/IEC 27K Standards, http://www.iso27001security.com/html/iso27000.html
Managing Third Party IT Service Providers - Summary

- Organizations looking for assurance with regard to a vendor's information security and privacy controls should not be accepting SOC I (SSAE 16) reports
- Organizations can possibly rely on a recurring SOC II examination/report, as long as the Trust Principles/Criteria and the implemented controls align with your needs; you will not see much of this detail in a SOC III report
- Organizations can possibly rely on ISO/IEC standards/controls that the vendor has implemented, as long as the standard(s)/controls align with your needs, the documentation the vendor provides is sufficient (if a certification body has not been engaged), and the vendor is able to show continuous compliance
- Organizations can audit vendors through right-to-audit clauses or tailored questionnaires; the organization has direct control over what is asked of the vendor

Internal Audit's Role

- The biggest role is creating awareness throughout your organization
- Start building a vendor inventory
- Review contracts to ensure that your organization has a means to assess the third party's control effectiveness
- Review, if applicable, independent auditor/security firm reports provided by third parties to determine their usefulness to the organization and whether there are issues that should be discussed
- Offer to your audit clients that you can assist in discussions with third party IT service providers about whether the vendor's existing reports/documentation effectively mitigate information security and privacy risk
- Offer to your audit clients the ability to assist with right-to-audit work

Questions?

Kevin Secrest
IT Audit Manager, University of Pennsylvania
(215) 573 4495
ksecrest@upenn.edu
LinkedIn: https://www.linkedin.com/pub/kevinsecrest/2/62/b89