KLC Consulting, Inc. All Rights Reserved. 1 THIRD PARTY (VENDOR) SECURITY RISK MANAGEMENT

Similar documents
THIRD PARTY (VENDOR) SECURITY RISK MANAGEMENT

Vendor Management Panel Discussion. Managing 3 rd Party Risk

Cloud Security and Managing Use Risks

Dodging Breaches from Dodgy Vendors: Tackling Vendor Risk Management in Healthcare

Maintaining PCI-DSS compliance. Daniele Bertolotti Antonio Ricci

Identifying and Managing Third Party Data Security Risk

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?

3rd Party Assurance & Information Governance outlook IIA Ireland Annual Conference Straightforward Security and Compliance

Top 10 Tips for Effectively Assessing Third-party Vendors

IT audit updates. Current hot topics and key considerations. IT risk assessment leading practices

The Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant

Protec'ng Data and Privacy in a World of Clouds and Third Par'es Vincent Campitelli

9/13/ /20 Vision for Vendor Management & Oversight. Disclaimer. Bank Service Company Act - FIL-49-99

University of Pittsburgh Security Assessment Questionnaire (v1.5)

HITRUST CSF Assurance Program

Third-Party Cybersecurity and Data Loss Prevention

Client Security Risk Assessment Questionnaire

VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium

Third Party Risk Management 12 April 2012

Security Controls What Works. Southside Virginia Community College: Security Awareness

ADDENDUM #1 REQUEST FOR PROPOSALS

Third-Party Access and Management Policy

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA

Third Party Security: Are your vendors compromising the security of your Agency?

State of Oregon. State of Oregon 1

9/14/2015. Before we begin. Learning Objectives. Kevin Secrest IT Audit Manager, University of Pennsylvania

Compliance Guide ISO Compliance Guide. September Contents. Introduction 1. Detailed Controls Mapping 2.

HIPAA Compliance Review Analysis and Summary of Results

The CIPM certification is comprised of two domains: Privacy Program Governance (I) and Privacy Program Operational Life Cycle (II).

Taking Information Security Risk Management Beyond Smoke & Mirrors

HIPAA Security & Compliance

Department of Management Services. Request for Information

HIPAA Compliance Evaluation Report

Cybersecurity The role of Internal Audit

Vendor Management. Outsourcing Technology Services

Third Party Security Guidelines. e-governance

Your world runs on applications. Secure them with Veracode.

PCI Compliance for Cloud Applications

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015

Data Security & PCI Compliance & PCI Compliance Securing Your Contact Center Securing Your Contact Session Name :

Harmonizing Your Compliance and Security Objectives. Bonnie A. Goins Adjunct Professor, Illinois Institute of Technology

PII Compliance Guidelines

CYBER & PRIVACY INSURANCE FOR FINANCIAL INSTITUTIONS

6/17/2013 PRESENTED BY: Updates on HIPAA, Data, IT and Security Technology. June 25, 2013

Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work

Vendor Risk Management Financial Organizations

Redhawk Network Security, LLC Layton Ave., Suite One, Bend, OR

CYBERSECURITY: PROTECTING YOUR ORGANIZATION AGAINST CYBER ATTACKS. Viviana Campanaro CISSP Director, Security and Compliance July 14, 2015

I n f o r m a t i o n S e c u r i t y

Protecting Your Customers' Card Data. Presented By: Oliver Pinson-Roxburgh

Vendor Management: An Enterprise-wide Focus. Susan Orr, CISA CISM CRISC CRP Susan Orr Consulting, Ltd.

Vendor Audit Questionnaire

Please Read. Apgar & Associates, LLC apgarandassoc.com P. O. Box Portland, OR Fax

Security Breaches and Vulnerability Experiences Overview of PCI DSS Initiative and CISP Payment Application Best Practices Questions and Comments

SAP Secure Operations Map. SAP Active Global Support Security Services May 2015

HIPAA SECURITY RISK ANALYSIS FORMAL RFP

Are You Prepared to Successfully Pass a PCI-DSS and/or a FISMA Certification Assessment? Fiona Pattinson, SHARE: Seattle 2010

IT Cloud / Data Security Vendor Risk Management Associated with Data Security. September 9, 2014

Cyber Security Auditing for Credit Unions. ACUIA Fall Meeting October 7-9, 2015

Payment Card Industry Data Security Standard (PCI DSS) v1.2

Address C-level Cybersecurity issues to enable and secure Digital transformation

This white paper describes the three reasons why backup is a strategic element of your IT plan and why it is critical to your business that you plan

WHITE PAPER Third-Party Risk Management Lifecycle Guide

08/10/2013. Data protection and compliance. Agenda. Data protection life cycle and goals. Introduction. Data protection overview

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

STATE OF NEW JERSEY Security Controls Assessment Checklist

Vendor Management Best Practices

Vendor Management Challenges and Solutions for HIPAA Compliance. Jim Sandford Vice President, Coalfire

Supplier Security Assessment Questionnaire

Data Breach and Senior Living Communities May 29, 2015

PCI Compliance. PCI DSS v3.1. Dan Lobb CRISC. Lisa Gable CISM

SECURITY RISK MANAGEMENT

Top Ten Technology Risks Facing Colleges and Universities

Network Test Labs Inc Security Assessment Service Description Complementary Service Offering for New Clients

HITRUST CSF Assurance Program

Attachment A. Identification of Risks/Cybersecurity Governance

John Essner, CISO Office of Information Technology State of New Jersey

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Big Data, Big Risk, Big Rewards. Hussein Syed

Disaster Recovery Plan (Business Continuity) Template - Version 8.2

Governance, Risk, and Compliance (GRC) White Paper

Spokane Airport Board (Spokane International Airport, Airport Business Park, Felts Field) Addendum #1 - Q&A

IT Security & Compliance Risk Assessment Capabilities

Transcription:

1 THIRD PARTY (VENDOR) SECURITY RISK MANAGEMENT

About Kyle Lai 2 Kyle Lai, CIPP/G/US, CISSP, CISA, CSSLP, BSI Cert. ISO 27001 LA President of KLC Consulting, Inc. Over 20 years in IT and Security Security Assessment, Network and Application Security Third Party Security Risk Assessment / Management Information Assurance and Regulatory Compliance Past Experience includes consulting for DoD, NIH, VA, RBS, Boeing, CIGNA, HP/EDS, PWC, RBS, Major Financial Institutions, and Fortune 1000 firms Author of the security software - SMAC MAC Address Changer, WebDAV Scan

Typical Vendor Experience 3

Overview of Vendor Security Concerns & Risk 4 Compliance Regulatory / Audit Legal Due Diligence / Contract Information Security Business Risk Financial / Credit Architecture System / Network

Why is Vendor Security Management Important? 5 Outsourcing to a 3 rd party vendor does not mean you are off the hook Do you know who has your data? Do you know how secure your data is with your 3 rd party vendor? Will you know if there is a security breach at your 3 rd party vendor? If you need to be meet regulatory compliance, are your vendors meeting the same level of compliance requirement? FFIEC PCI GLBA FISMA / DIACAP SOX HIPAA / HITECH

Manage Issues Assess Vendor Vendor Risk Classification Vendor Security Management Process 6 Inventory Vendors Classify Risk of Each Vendor by Relationship & Data handled Determine Type of Assessment Onsite / Phone / Self Assessment Create Questionnaire Coordinate Assessment with Vendor Review Questionnaire Responses Conduct Onsite / Phone Assessment Send Questionnaire to Vendor Vendor Completes & Returns Questionnaire Generate Issues Verify & Finalize Issues with Vendor Vendor Provides Remediation Plan Track Issues Close Issues

Vendor Security Management Program 7 How many vendors in total? How many reviews can you complete in a year? How to classify vendor security risk based on data classification? What vendor gets onsite vs. phone assessments? What is the baseline framework (ISO 27002, SIG, GLBA, HIPAA )? What baseline questions to include in the questionnaire? How will the vendor responses be documented? What results make a vendor High, Medium or Low Risk? How to address and track issues raised? Exception Process? What tool should I use to manage Vendor Security Program? What reports should be generated to track vendor security risks?

Dealing with Vendors 8 Define roles and responsibilities Internal Vendor Relationship Manager Internal Program/Project Manager Internal Vendor Security Assessor Vendor s Contact When should the Vendor Security Assessor engage the vendor? What is the process to schedule an assessment? How much lead time should be given to complete the questionnaire? How much time do you spend assessing the vendor? What is the right level of security assessment? Do you / Can you pull samples? (Do you have the Right To Audit)? What is the escalation process if a vendor is NOT COOPERATING?

Managing Issues 9 What tool will you use to track issues? Where will you store the issues? How do you efficiently generate management report? What is the allowed timeframe for vendor to address Critical, High, Medium and Low risk issues? What is the process for following up issue status? What is the process to close the issues? What is the Risk Acceptance Process? Who has the authority to make the decision? Can any findings that pose risk to regulatory compliance be accepted?

Some Common Findings with Vendors 10 Lack of Mobile Device Security (Bring Your Own Device - BYOD) Lack of Cloud Computing Usage Policy and Standards Lack of USB Lockdown / Encryption Lack of Laptop Hard Drive Encryption Lack of Local Administrator Privilege Lockdown Lack of regular vulnerability testing or penetration testing (Continuous Monitoring) Lack of Incident Response Management Policy and Procedures

Top Concerns from Program Mgr, CISO and COO (Financial, Healthcare, Consulting, Software and Energy sectors) 11 1. Cloud Computing Service Providers 2. Contract Compliance (meet security req, get notified when using a new 4 th party) 3. 4 th (+) parties service providers 4. Mobil Device Security Management (mobile apps, BYOD) 5. Regulatory Compliance Program (true level of compliance) 6. Data Destruction / Return after termination (Who, what, when, where, how, Cloud?) 7. Continuous Monitoring / Assessment (vuln scan, penetration test) 8. Incident Response Management Program (maturity, client notification process) 9. Appropriately handling of the regulatory changes and the regulator s expectation 10. Availability 11. Balancing risk, effort, and area of focus on the follow-up assessment

Regulatory Authority s Expectations 12 Will expect more every year or two years Expect proof of regulatory compliance from your 3 rd party vendors Compliant (or in process) with new regulations, i.e. Dodd-Frank How do you improve the vendor security management program? May expect more than just paper exercise May expect you to conduct audit: Testing, i.e. sampling, evidence How do you manage the risk for the ultra high risk vendors? Example: 3 rd party CRM firm may contain data sensitive to stock trading 401K / Retirement benefit management firm

Case Study 1 13 Scenario: A large Bank conducting general banking and mortgage underwriting Issued a Cease and Desist order from OCC due to inadequate Third Party Service Provider Security Review Management Program 800+ vendors are in-scope for the security review 8 month deadline to develop an effective program, improve the process, assess the vendors Merger and Acquisition (M&A) activities are blocked by OCC until OCC approves the program Action: Hired a consulting firm and assigned 30 consultants to assist with vendor security assessments Designed a vendor security review program and established processes to implement Quickly started executing the vendor security reviews Results: Initial push back from some vendors on the depth of processes and security reviews Made significant improvements in processes and quality, and received OCC approval Able to continue with regular M&A activities

Case Study 2 14 Scenario: A firm offers off-site backup tape and document storage, cloud based backup services Very limited resources for the vendor security review program About 200+ vendors and increasing The firm does not process regulatory related transactions, but stores data for companies that are regulated Action: Established a vendor security review program with defined processes Acquired GRC software, automated the vendor security questionnaire response process Automatically calculated the risk score for the vendor security questionnaire response Vendor Security Analyst identifies higher risk vendors and performs additional phone interviews. Also conduct on-site reviews with vendors as appropriate. Results: Efficient, effective and automated vendor risk questionnaire response and risk calculation The program is effectively managed using limited resources

Other Items to Consider 15 What Management Reports to generate? How to assess application development vendors? How do you assess vendors that are outside of USA? How about assessing vendors that are no longer doing business with you but have the obligation to store your data for 7 years? Before getting into security concerns, is the vendor financially stable?

Contact 16 Kyle Lai KLC Consulting, Inc. President klai@klcconsulting.net www.klcconsulting.net Linkedin Group: Vendor Security Risk Management

Reference 17 GLBA FDIC Exam Procedures - http://www.fdic.gov/news/news/financial/2001/fil0168a.html Verizon Data Breach Investigation Report - http://www.verizonenterprise.com/dbir Third-Party Presentation from OCC - http://www.occ.gov/static/past-conferences-andseminars/edited-outsourcing-transcript-final-110404.pdf Cross-border outsourcing and Risk Management for banks - http://www.occ.gov/topics/bank-operations/bit/cross-border-outsourcing-risk-mgmt-forbanks.pdf Cloud Computing Legal and Regulatory Issues: http://technet.microsoft.com/enus/magazine/hh994647.aspx

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information