Third Party Risk Management ISACA Central Maryland Chapter December 9, 2015
Agenda
Learning objectives
A deep dive into Third Party Risk Management programs and the information security and privacy controls applied to third parties
• Describe the Third Party Risk Management lifecycle and why it is important
• Highlight the importance of TPRM as demonstrated by current events and news headlines
• Identify where Third Party Risk Management typically impacts Vendor Management events
• Identify the key stakeholders, how they interact, and their roles and responsibilities in typical Third Party Risk Management programs
• Identify the three lines of defense and how each applies to a Third Party Risk Management program
• Identify how Third Party Risk Management programs work to mitigate security and privacy risks
originating at our third party vendors
• Explain the process for identifying and monitoring third party vendors’ security postures
• Share common information security and privacy challenges surrounding TPRM
• Explain the benefits of Third Party Risk Management
• Highlight the key TPRM, information security, and privacy considerations for cloud
service providers
Questions to consider
Planning/Governance
• Do you have an inventory of Third Parties?
- Is it by service?
- Is it risk ranked?
- Do you have current contracts related to the service being provided?
• Do Third Parties go beyond traditional vendors and suppliers (e.g., affiliates)?
• Are there standardized risk profiling methodologies with defined assessment frequencies and types
in place?
• Who is accountable for overseeing your TPRM Program, and who manages it day to day?
Due Diligence and Third Party Selection
• Are due diligence assessments performed prior to contracting?
- Are they around privacy?
- Are they around security?
Questions to consider (continued)
Reputational drivers
Sources: Healthcare Business & Technology, August 2013; Wall Street Journal, January 2014
Recent breaches involving third-party vendors
“…the source of the Target intrusion traces back to network credentials that Target had issued to Fazio Mechanical, a heating, air conditioning and refrigeration firm in Sharpsburg, Pa. Multiple sources close to the investigation now tell this reporter that those credentials were stolen in an email malware attack at Fazio that began at least two months before thieves started stealing card data from thousands of Target cash registers.”
• 40 million customer credit cards stolen
• 70 million customer records (name, address, email, phone)
• 46% decrease in Q4 2013 profits vs Q4 2012
Source: http://krebsonsecurity.com/tag/target-data-breach/
Recent breaches involving third-party vendors (continued)
“Experian said the compromise of an internal server exposed names, dates of birth, addresses, Social Security numbers and/or drivers’ license numbers, as well as additional information used in T-Mobile’s own credit assessment.”
“…the breach lasted for two years from Sept. 1, 2013 to Sept. 16, 2015…Experian detected the breach on Sept. 15, 2015, and confirmed the theft of a single file containing the T-Mobile data on Sept. 22, 2015.”
• Over 15 million customer records (name, dob, address, ssn, driver’s license number)
Regulatory considerations
Timeline of third-party, privacy and data security requirements shown on the slide, in chronological order:
• May 2002: OCC Bulletin 2002-16, Foreign 3rd Party Service Providers
• Apr 2003: HIPAA Business Associates
• Aug 2003: California Privacy Bill SB 1386
• Jan 2010: NRS 603A, NV Data Security Law
• Mar 2010: 201 Mass. Code Regs. 17, Data Security Law
• Jul 2010: Wash. H.B. 1149, WA Data Security Law
• Jan 2013: HIPAA Omnibus
• Aug 2013: PCI-DSS v3.0
• Oct 2013: OCC Bulletin 2013-29 (labelled “Revised OCR” on the slide)
• Dec 2013: FRB SR 13-19
PwC’s global state of information security survey results
• 50% perform risk assessments of third parties
• 54% have a policy requiring third parties to comply with their privacy & security policies
Third party risk management framework
Third Party risk management is focused on understanding and managing risks associated with third
parties with which the company does business and/or shares data.
[Figure: the PwC TPRM Framework sits between the third parties in scope (e.g., suppliers, broker dealers, regulated entities) and the risk considerations it addresses (e.g., regulatory/compliance, operational).]
TPRM – Security and privacy considerations
Lifecycle activities by stage (the slide’s six columns, left to right):

Stage 1
1. Document Need
2. Cost Benefit Analysis
3. Determine business requirements
4. Determine ROI
5. Determine Third Party Base
6. Determine inherent risk
7. Document Rationalization
8. Obtain Approval
9. Assign owners
10. Stakeholders

Stage 2
1. Sourcing Approach
 - Competitive Bid
   ◦ RFP/RFI/RFQ
 - Sole Source
2. Identify Third Parties
 - Existing
 - Potential
3. Third Party Source/No-Source Decision
4. Single vs. Multiple Third Parties
5. Validation
 - Proof of Concepts
 - Pilot

Stage 3
1. Conduct RFI/RFP/RFQ
2. Competitive Bid/Proposal Evaluation
3. Short List vs Single Finalist
4. Selection Criteria
5. Price vs Value
6. Due Diligence Assessments
7. Nature, Location and Ownership of Controls
8. Number of third parties to use

Stage 4
1. Contract Vehicle
 - MSA
 - SoW
2. Source paper
3. Standard clauses
4. Clauses to address open Issues
5. SLAs
6. Training
7. Fee Structure
8. Determine residual risk
9. Contract Management
10. A/P Setup
11. Stakeholders
12. Subcontractor requirements

Stage 5
1. Transition Pre-Contract to Post-Contract
2. Track open issues to closure
3. Ongoing performance & risk monitoring
4. Ongoing due diligence & assessments
5. Ongoing site visits and reviews
6. Oversight and Supervision
7. Customer Complaint Handling
8. Third Party Contingency Plans
9. Re-certification
10. Spend Management
11. Monitoring and Reporting Cadence
12. Contract Administration

Stage 6
1. Finalize Exit Strategy
2. Provide Notifications
3. Risk Exposure assessment
4. Continuity Planning
5. Transition Planning and Execution
6. Transfer of assets and Information
7. Legal confirmation of transition
8. Payments, Penalties and final billings
Three lines of defense

Board of Directors

Third Line of Defense: Internal Audit
• Independently test, verify and evaluate risk management controls against internal policies
• Report upon effectiveness of the program

Governance: Enterprise Risk Committee, Enterprise Management, Legal & Compliance

Second Line of Defense: Management & Oversight (Third Party Management Office, Operational Risk Oversight, Sourcing, Procurement, Contracts Management; Subject Matter Specialists for Sourcing, Contracts, InfoSec, Privacy, PhySec, BCM, TP Compliance, TPRM, HR, Credit/Finance, Reputational Risk, Technology and Operational Risk)
• Independent compliance framework, policy & oversight
• Design and assist in implementing company-wide risk framework and oversee enterprise risks
• Provide independent risk oversight across all risk types, business units and locations

First Line of Defense: Business Unit (Business Unit Sponsor, Third Party Risk Manager), Third Parties, Subcontractors
• Primary responsibility for compliance and owner of risk
• BU managers and third party relationship owners are responsible for identifying, assessing and mitigating risk associated with their business
• Promote a strong risk culture and sustainable risk-return decision making
Planning and risk stratification
The Planning stage facilitates maintenance of the third party inventory, and enables management to
focus resources and efforts on those services that present greater risk to the organization.
Third parties from the maintained Third Party Inventory are sorted into four segments; for each segment and control maturity level, the slide gives the nature, timing and extent of assessment:

Control maturity level 1 (Controls do not exist/are not in place)
• Segment 1 “Critical”: Onsite, Annual, Scoped Testing
• Segment 2 “High Risk”: Onsite, Annual, Scoped Testing
• Segment 3 “Moderate Risk”: Onsite, 18 Months, Scoped Testing
• Segment 4 “Low Risk”: Remote, 24 Months, Scoped Inquiry

Control maturity level 3 (Controls are in place and are documented and reviewed; manual or partial automation)
• Segment 1 “Critical”: Onsite, 12-16 Months, Scoped Testing
• Segment 2 “High Risk”: Onsite, 18 Months, Scoped Testing
• Segment 3 “Moderate Risk”: Remote, 18 Months, Scoped Self-Assess/Inquiry
• Segment 4 “Low Risk”: Remote, 36 Months, Scoped Inquiry

Control maturity level 4
• Segment 1 “Critical”: Onsite, 18 Months, Scoped Testing
• Segment 2 “High Risk”: Onsite, 24 Months, Scoped Testing
• Segment 3 “Moderate Risk”: Remote, 24 Months, Scoped Self-Assess/Inquiry
• Segment 4 “Low Risk”: Remote, 48 Months, Scoped Inquiry
Inherent risk assessment – Service level stratification
The inherent risk assessment process sorts third party services/products by inherent risk score into inherent risk ratings.

Inherent risk assessment (pre-sourcing)
Example stakeholders: Legal, Third Party Risk Office, Subject Matter Specialists, Business Unit Sponsor. Inherent risk drives SMS input and due diligence requirements.

Risk stratification structure
1 – “High Risk”: These third parties are handling high risk services, have a critical level of disruption, access to highly restricted types of data and are client facing.
2 – “Moderate Risk”: These third parties are handling high or medium risk services, have a high level of disruption, access to restricted data and may be client facing.
3 – “Low Risk”: These third parties are handling medium risk services, have a moderate level of disruption, have access to restricted data and are not client facing.
Planning – TPRM security and privacy
What Third Party risk factors qualify for security and privacy assessments
by the TPRM program?
[Figure: two program activities, (1) Risk Assessments at on-boarding, approval, and renewal, and (2) Monitoring and Compliance.]
Planning – TPRM security and privacy (continued)
1. IT systems and data sensitivity – Critical systems and sensitive data
Planning – TPRM security and privacy (continued)
[Figure: the Inherent Risk Questionnaire, the Security & Privacy Questionnaire and the Security & Confidentiality Agreement flow between the Business Units and the TPRM Program, Information Security Dept., OGC and Procurement.]
Due diligence
The following correlates significant third party risks to the assessments utilized by organizations to
evaluate the effectiveness of third party controls in place to mitigate risks.
Significant third party risks (the legend pairs each risk with the assessment used to evaluate it; the diagram’s nodes are Reputational, Compliance, Operational, Information Security, Credit/Financial, and Business Continuity and Resiliency):
• Reputational: Assesses the impact to the organization’s reputation based on services provided by a third party.
• Compliance: Assesses the third party’s ability/control framework in place to comply with laws/regulations.
• Information Security & Privacy: Assesses the third party’s controls over the availability, confidentiality, and integrity of third party data.
• Physical Security: Assesses facility access and security measures implemented by the third party.
• Country Risk: Assesses political, geographic, regulatory, legal, and economic risks of sourcing to a country or region.
• Operational Competency: Assesses the ability of the third party to deliver the contracted products/services.
• Subcontractor: Assesses the risk management processes surrounding the use of subcontractors by third parties.
• Technology: Assesses the adequacy and appropriateness of the third party’s systems and applications to provide the product/service.
• Strategic Financial: Assesses financial stability for the third party to continue providing the product/service.
• Business Continuity & Resiliency: Assesses the third party’s ability to perform in the event of a process failure or catastrophic event.
Risk assessment types
The following are examples of Third Party due diligence assessments performed on potential and
existing third parties to understand the existing control environment and capabilities.
Technology
• Technology Architecture
• Assets utilized
• Technology Roadmap
• Technological capabilities
• Monitoring, communication and connectivity

Information Security & Privacy
• Security policies
• Change controls
• Encryption
• Logical access Control
• Asset management
• Incident management
• Application management
• System development
• Customer contact

Physical Security
• Fire Suppression
• Server Security & Conditions
• Data Centers
• Backup Power Sources
• Key Card & Facility Access

Subcontractor
• Third Party Relationship Management
• Sub-Service Third Party Relationships
• Logical access Control
• Monitoring, communication and connectivity

Operational
• People
• Process
• Financial Reporting
• Subcontractors
• Concentration

Compliance
• Regulatory requirements
• HIPAA
• CFPB
• GLBA
• Customer complaints handling
• PCI

*Business Continuity Management includes Business Contingency (“BC”) planning and Disaster Recovery (“DR”)
Note: Regulation W requirements exist when a Financial Institution receives services from an Affiliate, which may have special due diligence assessment aspects to consider.
TPRM security and privacy
• Security Administration: policies and procedures, security roles and responsibilities, HR personnel and subcontractor management and oversight (e.g., background checks, security awareness training, etc.)
• Logical Security: security administration, privileged access, authentication, workstation/application/database/platform security, network perimeter protection, remote/wireless access, network segmentation
• Security Operations: threat and vulnerability management, security monitoring, incident response, backup and recovery, encryption
• Physical Security: data center access controls, monitoring, environmental controls
• Compliance Monitoring: regulatory compliance management, policy and standards compliance
Ongoing monitoring
Results of the inherent risk assessment should drive the nature, timing and extent of the activities used to monitor, oversee, and re-assess third party relationships. Because more in-depth assessment activities cost more, a risk-based approach should ensure that higher risk relationships receive more active risk management than lower risk relationships.
[Figure: depth and frequency of ongoing monitoring rises with the inherent risk rating; the share of the third-party population shown at each rating is Very Low 40-50%, Low 20-30%, Moderate 10-15%, High 3-5%.]
Termination
Each third party termination will be unique; however, there are common decisions, considerations,
and results that should be addressed with key stakeholders and executed with a defined plan
and checklist.
Termination decision
• Service Failure/Significant Customer Complaints
• Regulatory/Legislative
• End of Contract
• Business Decision
• Product/Service Discontinued

Termination considerations
• Product/Service Brought In-House
• Product/Service Transitioned to Alternate Third Party
• Customer Impact
• Contingency Procedures
• Oral & Implied Contracts
• Internal Employee Impact

Termination result
• Interim Processes
 - NDA
 - Transfer Process Knowledge
 - Migrate or Destroy
• Costs
 - Monetary
 - Non-monetary
• Migrate/Sell Assets
 - Software/Intellectual Property
 - Hardware
 - Facilities
• Notification to Customers and Internal Employees
Ongoing monitoring – TPRM metrics
TPRM metrics (four views of the program: TPRM Portfolio, TPRM Assessments, Security and Privacy Metrics, Issue Tracking and Remediation; the slide notes two preconditions: scope is realistic and managed, and stakeholders are committed):

What is the inherent risk distribution across the third-party population?
• Percentage count of third-parties at each security risk tier
• Change in inherent risk distribution over time

How much assurance is provided by the TPRM Assessments?
• Number of TPRM assessments planned, in-progress, and completed
• Number of third-parties assessed in comparison to broader portfolio
• Average number of findings (high, medium, low) uncovered as part of the assessments

How often are third-parties on-boarded and renewed?
• Number of TPRM requests
• Count of third-parties that are approved, in-process, and expired for purposes of TPRM

Issue Tracking and Remediation
• Total number of observations/risks
• Total number of risks outstanding and mitigated
• Estimated time to remediate
TPRM framework & benefits
Cost
• Reduced cost of managing third party risk through stratification, process simplification, and use of technology

Quality and standardization
• Improved quality, efficiency, timeliness and accuracy of TPRM stemming from automated workflows and reporting tools

Risk
• More effective monitoring of due diligence activities and their frequency driven by both inherent and residual risks
• Tighter focus on specific controls associated with those relationships found to pose the greatest risk

Shareholder value
• Improved compliance with laws and regulations, thereby reducing or eliminating fines and penalties that could prohibit services and impact the bottom line
TPRM challenges and trends
• Third party management efforts focus on high-spend Third Parties instead of taking a risk-based approach
• Organizations are unable to identify a complete inventory of Third Party relationships (contracts in desk drawers, etc.)
• Third-party management and security standards are not formalized and requirements are applied ad hoc
• Beyond an organization’s IT and Infosec Departments, there tends to be a:
 - Lack of training and awareness of Third Party security and privacy risks
 - Lack of understanding of what constitutes sensitive data and information
• Organizations often fail to identify 4th party subcontractors engaged by the Third Party who will have access to the organization’s data and/or systems, and the third party does not readily disclose them
• Ineffective coordination between stakeholders (Business Units, Procurement, OGC, Infosec Department, and IT) often results in weak contractual requirements (security, right to audit, etc.)
TPRM challenges and trends (continued)
• Lack of validation of the accuracy of the data and systems accessible to the third party, resulting in improper inherent risk classification
• Improper tone at the top leads to a lack of professional skepticism over third party security assertions
• Unauthorized use of organizational data is not expressly prohibited by the contract
• Organizational belief that certain types of vendors are exempt (common for IT hosting and cloud service providers)
• Organizations often lack enough headcount to support comprehensive Third Party management activities
Reliance on cloud services
[Figure: cloud Deployment Models.]*
* Source: “The National Institute of Standards and Technology (NIST) Definition of Cloud Computing” (NIST Special Publication 800-145), Sept. 2011
Analysts disagree on the size of cloud spending, but all agree it is large, here to stay, and growing.
• $1.5 Trillion: global IT spend influenced by cloud. Source: “Global Tech Market Outlook 2013 – 2014”, Forrester
• $81 Billion: global cloud spend in 2014, not including marketing, which was the single biggest cloud spend category. Source: Gartner Cloud Forecast 2013
[Figure: two charts, Forrester’s Global Tech Outlook 2013-14 (IT spend by category, e.g., servers, storage, applications, software, IT consulting and system integration, IT outsourcing and hardware maintenance, hosting, communications equipment) and Gartner’s Cloud Forecast for 2014 (totals for Cloud Business Process Services (BPaaS), Cloud Application Infrastructure Services (PaaS), Cloud Application Services (SaaS), Cloud Management and Security Services, and Cloud System Infrastructure Services (IaaS)).]
Reliance on cloud services (continued)
PwC’s Digital IQ survey finds 3 of 5 top planned tech spend categories include “Cloud”

Planned investment by category (% of respondents: will invest less / will invest the same amount / will invest more; Base = number of respondents):
• Mobile technologies for customers: 5 / 36 / 59 (Base = 344)
• Public cloud infrastructure: 15 / 29 / 56 (Base = 423)
• Public cloud applications: 11 / 34 / 55 (Base = 282)
• Private cloud: 7 / 43 / 49 (Base = 219)
• Gamification: 21 / 32 / 47 (Base = 576)
• Social media for external communication: 8 / 44 / 47 (Base = 301)
• Data security: 4 / 49 / 47 (Base = 367)
• Digital delivery of products/services: 6 / 49 / 46 (Base = 562)
• Data mining and analysis: 10 / 48 / 42 (Base = 417)
• Mobile technologies for employees: 14 / 44 / 41 (Base = 184)
• Data visualization: 12 / 49 / 39 (Base = 331)
• Simulation, scenario modelling tools: 10 / 52 / 38 (Base = 399)
• Social media for internal communication: 13 / 49 / 37 (Base = 289)
• Sensors, sensing technologies,…: 14 / 49 / 37 (Base = 202)
• Virtual meeting and collaboration technologies: 14 / 50 / 36 (Base = 51)
• Open source applications: 8 / 61 / 31 (Base = 257)
• Open source infrastructure: 5 / 66 / 28 (Base = 243)
• Other (please specify): 33 / 67 / 0 (Base = 18)
*Source: PwC 4th Annual Digital IQ Survey report
Reliance on cloud services (continued)
The “A-B-C’s of cloud security” succinctly identifies the key risks that should be addressed across your cloud use cases.

Access Control
• Control access to sensitive data
• Audit and report user access and data use
• Provision and de-provision user access
• Elevated access

Business continuity
• Provider availability; contingency of the consumer’s services
• Provide business continuity and disaster recovery

Compliance
• Regulatory compliance overall and in the face of shadow IT use of cloud
• Maintain regulatory compliance across cloud ecosystems and migration models
• Right to audit
• Contract and SLA compliance

Data protection and segregation
• Data classification scheme and processes for handling sensitive data
• Prevent unauthorized data exposure, loss or corruption
• Maintain data segregation in multi-tenant environments
• Data flows across jurisdictions and zones with various regulatory and data protection requirements
• Securely dispose of data no longer required

Events – threats, response and investigations
• Ability to log, monitor, and communicate events; integration with the consumer to turn data into actionable intelligence
• Event signature creation across new infrastructure/services to drive security intelligence
• Detect and correct security events
• Cooperate during investigations and incident responses
Reliance on cloud services (continued)
What are the implications of cloud migration on security & risk strategy?
1. Migration readiness framework: You need an integrated security and risk
assessment framework to determine the “readiness” of applications to move to cloud;
readiness should be determined based on risk and architecture/operational fit for
various cloud platforms
2. You’re responsible for securing the gaps: Outsourced/cloud providers do not
solve all your risk and security problems (though they take on some of them); many
technology, operations, contracting, and process controls are needed to operate
securely. You must design, implement, operate, and manage these controls. These
should not come as an afterthought to your cloud adoption.
3. Third-party Risk Management: Perform a TPRM risk analysis to understand the
security capabilities of the third party, control integration points, and gaps as you work
to migrate to a cloud service.
Questions

Appendix A – Bios
The information contained in this document is shared as a matter of courtesy and for
information or interest only. PwC has exercised reasonable professional care and diligence in
the collection, processing, and reporting of this information. However, data used may be from
third-party sources and PwC has not independently verified, validated, or audited such data.
PwC does not warrant or assume any legal liability or responsibility for the accuracy,
adequacy, completeness, availability and/or usefulness of any data, information, product, or
process disclosed in this document; and is not responsible for any errors or omissions or for
the results obtained from the use of such information. PwC gives no express or implied
warranties, including, but not limited to, warranties of merchantability or fitness for a particular
purpose or use. In no event shall PwC be liable for any indirect, special, or consequential
damages in connection with use of this document or its content. Information presented herein
by a third party is not authored, edited or reviewed by PwC and PwC is not endorsing third
parties or their views. Reproduction of this document or recording of its presentation, in whole
or in part, in any form, is prohibited except with the prior written permission of PwC. Before
making any decision or taking any action, you should consult a competent professional
adviser.
© 2015 PwC. All rights reserved. PwC refers to the US member firm or one of its subsidiaries
or affiliates, and may sometimes refer to the PwC network. Each member firm is a separate
legal entity. Please see www.pwc.com/structure for further details.