Information Security Buzz

How to Minimize Third-Party Security and Privacy Risk – ISBuzz Expert Panellists’ views

By Brian A. McHenry, May 4, 2017 (updated July 4, 2024). 6 min read.

As part of our expert panel question series, we put the following question for the month of April 2017 to our expert panel members.

Companies can build an excellent security system, but until their third-party partners achieve the same security maturity, their customers are at risk. How can companies effectively manage the risk posed by their partners and what approaches should be taken to minimize this risk?

Experts' Responses:

Rebecca Herold – CIPM, CIPP/IT, CIPP/US, CISSP, CISM, CISA, FLMI

Co-Founder & President, SIMBUS; and Founder & CEO, The Privacy Professor

Third-party security and privacy risk management is an area I’ve worked in, and for which I’ve performed hundreds of third-party assessments, for 17 years. In fact, I learned through all that experience not only how to most effectively manage risk, but also some of the most common risks that organizations will encounter. I’ve also discussed this topic many times throughout the years, such as for an ISACA webinar in 2015 (https://www.isaca.org/Education/Online-Learning/Pages/webinar-an-effective-framework-for-third-party-information-security-and-privacy-oversight-risk-management.aspx), and gave a keynote on this topic at the April 18, 2017 St. Paul / Minneapolis ISSA Spring Meeting (https://www.eventbrite.com/e/chapter-meeting-apr-2017-tickets-29414130456#). I will also be participating in a webinar on this topic on May 23 for the IT GRC Forum; sign up for it here: https://www.brighttalk.com/webcast/5586/226061/strategies-for-effective-3rd-party-risk-management

For brevity, here is a very brief, high-level outline for an effective vendor security and privacy risk management framework:

  1. Identify, document and keep up-to-date in a centralized location all 3rd parties / vendors / BAs (from this point forward collectively referenced as “vendors”):
    • Names and contact information
    • Location(s)
    • Date of contract and who signed
    • Services performed
  2. Identify, document, map the data flows and keep up-to-date in a centralized location the information each of your vendors accesses:
    • Personal information items (PHI, NPPI, PII, etc.)
    • Sensitive information (intellectual property, tax info, patents, treatment info, etc.)
    • Where data is stored
      • Their geographic locations and storage media
      • Your geographic locations and storage media
      • Somewhere else
    • How data is transmitted & associated safeguards
  3. Determine and keep in a centralized location the contractual requirements specific to each vendor. These will include the following, as applicable to the services and/or products provided:
    • Risk evaluations
    • Audits
    • Document reviews
    • Safeguards
    • Subcontracting restrictions
    • Breach response
    • Access controls
    • Access logging
    • Training
    • Notification of employee changes
    • Non-shared IDs
    • Cyber liability insurance
    • Data disposal
    • Etc.
  4. Determine the level of risk that each vendor brings to your organization. This will be determined by a wide range of factors:
    • Amount of access to personal information and sensitive information
    • Contracted activities and services
    • Location (vendors outside of the organization’s country, where personal information is involved, are typically considered high risk)
    • Size (number of workers)
    • Reference checks
    • Risk level evaluation (RLE) results
    • Assigned risk level category, which considers the results of RLEs in addition to the following factors:
      • High risk: large, multiple and/or complex services involving personal and sensitive information often fall within this category
      • Medium risk: small to medium-sized businesses (SMBs) providing narrowly-scoped, non-mission-critical services involving personal and sensitive information often fall within this category
      • Low risk: organizations providing services that do not involve personal or sensitive information often fall within this category
  5. Establish a plan for ongoing vendor oversight:
    • Weekly, monthly or quarterly communications. The higher the risk, the more frequent the communications.
    • Keep up with new legal requirements and ensure the vendors are keeping up also.
    • Make sure updates are made (risk levels, data inventories, etc.) for business changes.
    • Keep an eye on vendors’ risk on an ongoing basis through one or more of the following, depending upon the type of vendor, location, data involved, etc.:
      • Oversight management service with direct access to see the vendors’ policies, current risk levels, breach history, etc.
      • Attestations completed and signed by executive management to validate that effective information security and privacy practices are in place.
      • Evaluations of the vendors’ security and privacy programs.
      • Meetings with key stakeholders within the vendors.
      • Risk and audit reports from third parties, such as SSAE 16 SOC 2 reports, risk assessment executive summaries, compliance audit reports, etc.

You can obtain the free PDF I created for this topic on my SIMBUS360 website here: https://simbus360.com/wp-content/uploads/2017/04/Herold-SIMBUS360-Vendor-Management-Tips-April-2017.pdf

Professor John Walker – FMFSoc FBCS FRSA CITP CISM CRISC ITPC

There are many examples which underpin the real-time dangers of poor capabilities within third-party support. These range from hacks on UK Government websites through to the example of Lincolnshire County Council falling victim to a ransomware attack. However, that said, if the choice of the third-party engagement is achieved and supported by robust due diligence to assure the quality of the delivered security services, there is no doubt that the possibility exists to meet the expectations, or even to improve on what may be achieved in house. If, however, as with some of the examples introduced here, the mission is based only on cost reduction, it may be a simple case of buyer beware to expect what may amount to a lacklustre delivery of what is, or should be considered, essential protection in an age of high-risk cyber adverse opportunities.

Brian A. McHenry, Security Solutions Architect, F5

Effective risk management is the cornerstone of any good security program. The most fearsome risks are those beyond our direct control, which are often personified by third-party providers. In the past, we could limit our exposure to third-party services by building those services into our on-premises infrastructure. Those in-house services weren’t necessarily more secure, but the notion of direct control provided the opportunity to address security issues as they arise to mitigate risk.

In today’s world, the use of third-party services is unavoidable. The rise of SaaS and other cloud-based service models has delivered much more efficient service deployment and management, while offering more feature-richness of those services than would otherwise be possible. Risk, generally, is centered upon the sensitivity of data. When engaging any third-party service, evaluating the risk associated with that service will be dictated by the sensitivity of the data it might hold.

Services like Office 365 can hold a ton of sensitive data, and it’s incumbent on us to evaluate Microsoft’s practices for protecting and restricting access to that data. One way to maintain a measure of control when leveraging SaaS services like Office 365 is to maintain control of identity and access management via federation solutions. Identity federation enables the use of SaaS-based services while keeping the directory in your traditional data center under direct control.

For Infrastructure- or Platform-as-a-Service, the security responsibility grows and we must evaluate not only the provider’s security practices and service level agreements, but also our ability to extend our existing security services into those service models.

You can read our expert panel members’ biographies here.

Brian A. McHenry

As a Senior Security Solutions Architect at F5 Networks, Brian McHenry focuses on web application and network security. McHenry acts as a liaison between customers and F5 product teams, providing a hands-on, real-world perspective. He is a regular contributor on InformationSecurityBuzz.com, a co-founder of BSidesNYC, and a speaker at AppSecUSA, BC Aware Day, GoSec Montreal, and the Central Ohio Infosec Summit, among others. Prior to joining F5 in 2008, McHenry, a self-described IT generalist, held leadership positions within a variety of technology organizations, ranging from startups to major financial services firms.


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
