Vendor Risk Management 4-20-2018 Guidepoint
• ITOps+NetOps+SecOps+GRC
• GuidePoint’s VRM Practice Lead
• Cloud enthusiast
© Copyright GuidePoint Security LLC
What is Vendor Risk Management?
What is a “Vendor”?
A vendor in this case is a third party that has entered into a relationship via contract, agreements or other business
arrangement with the entity to provide products or services to the entity or its customers.
What is “Management”?
This is the fiduciary duty of an organization to protect its customers' data and its bottom line. It implies the
requirement that a vendor apply the same level of control that the company applies internally.
Also known as Third Party Risk Management (TPRM)
Understanding the Risks and Concerns
• Risk of breach within the vendor (Delta’s Customer Center – Vendor Breach)
• Data and geographic violations (US and EU regulations)
• Directly affected by attacks on Cloud platforms
• Misunderstanding what data is being exchanged
• Misunderstanding the impact of breach (downtime, reputation, cost, fines, etc.)
• Loss of visibility (“I used to be able to see everything”)
• Identity and access management (Extension into the vendor’s realm)
• New technology and a new lexicon
The Real Reason We Need VRM
Compliance
• Are you a government contractor? DFARS
• Are you doing business with the EU/European Nationals? GDPR
• Are you doing business in NY? 23 NYCRR 500
• 50 states have a Breach Notification Requirement
• Consumer data? FTC requires companies to implement "reasonable cybersecurity" measures
to protect consumer data
• Financial data? The FDIC states that an institution’s board of directors and senior management
are ultimately responsible for third party risks (FIL-22-2017; OCC Bulletin 2013-29; OCC
Bulletin 2011-12)
• Patient data? HHS HIPAA-HITECH
• If your customer’s data includes Personally Identifiable Information (PII), Nonpublic Personal
Information (NPI), Personally Identifiable Financial Information (PFI), Protected Health
Information (PHI), Cardholder Data (CHD), etc., you need to protect it to comply with a
regulatory requirement.
Who is Really a Vendor?
• Is the vendor that installed that nice fish tank a vendor?
• 2017: a North American casino was compromised through a fish tank connected to the internet.
How to Start the Process?
• The initial phase: Discovery
• Identify if there is a Vendor Management process in place
• Investigate with each business unit, which contracts exist.
• Perform a data inventory and review the external data flows
Where to Focus?
• Concentrate on vendors that play a vital role for the company’s operation
• Have a significant or critical impact on the company’s mission
• Have potential financial (legal/regulatory) impact
• Manage a large volume of the company’s customers or products
Where Does VRM Belong?
[Diagram: vendor lifecycle flow: Do we need a vendor? → Requirements → Due Diligence → Onboard → Monitor. VRM sits alongside the ERP, PMO and ERM functions.]
Due Diligence
• Develop vendor tiers
• Impact to the organization
• Data type being accessed
• Volume of data
Due Diligence, Cont…
• Develop a Workflow:
• Start once a decision has been made to explore whether a vendor is needed.
• Send out internal survey
• Data Type
• Business requirements
• Business Risk
• Vendor selection
• RFI/RFP (External surveys)
• Due diligence (Financials, D&B report, references, years in business…)
• Assess Risk (Ensure that Integration feasibility is accounted for)
• Vendor status
• Work with business unit(s) and vendor to address any outstanding risk
• Final disposition (Accepted, rejected, conditional)
• Ongoing monitoring (Frequency of risk assessment depends on vendor tier)
How to Obtain Assurances?
• Have we lost the right to audit?
• More or less, but we can still run a robust vendor risk management program.
What Frameworks are Available?
Service Organization Controls Examination Engagement: SOC 1, 2 and 3
Following the American Institute of Certified Public Accountants (AICPA) Statement on Standards for Attestation Engagements No. 18 (SSAE 18) Clarified Examination Engagement Section 205 (AT-C 205) for Service Organization Controls (SOC) Examinations.
Information Security Management Systems Assessment and Certification: ISO 27001
Following the International Organization for Standardization (ISO) Information security management systems (ISMS) 27000 Series, and specifically the ISO 27001:2013.
Information Security Program Assessment and Certification: NIST 800-53 and its derivatives
Following the Security and Privacy Controls Guidance developed by the National Institute of Standards and Technology (NIST) for Federal Information Systems and Organizations. Documented in the Special Publication 800-53 Revision 4.
Also: SOX, CSA STAR Certification, Contractual Obligations, PCI DSS
A Special Note on Cloud Security?
Source: https://aws.amazon.com/compliance/shared-responsibility-model
Conclusions
• Are you sure you want to do this? Yes! There are many benefits to properly managing the
vendor outsourcing process.
• In today’s business environment it is impossible not to use third parties for key
business functions, including internal and external processes.
• Properly assessing third party risks ensures that your organization is delegating
key business functions to the best possible vendor/partner.
Thank You
Resources
COSO - Enterprise Risk Management — Integrated Framework
https://www.coso.org/Pages/erm-integratedframework.aspx
NIST SP 800-122 - Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
https://csrc.nist.gov/publications/detail/sp/800-122/final