Cincinnati ISACA – September, 2014
Christopher Dorr
Your company spends millions of dollars on IT security – systems,
technologies, appliances
• InfoSec professionals
• Internal Audit professionals
• External Auditors
• Processes, technologies, systems
Then some manager in marketing dumps your client data to an Excel
spreadsheet, and emails it to a direct mail firm in Omaha.
Perhaps even worse – this is usually not random, and usually not just one vendor. Often it is
thousands of vendors.
Third Party Risk Management
1. What it is
2. Business value and justification
• Two main regulatory drivers: HIPAA & OCC 2013-29
3. What it looks like
• Case study
Information Security focus, but many additional
areas of risk
Overview – Third Party Risk Management
Fazio Mechanical Data Breach
Fazio Mechanical is a 100-staff, $12M revenue HVAC
company
Perhaps better known as the $250,000,000 Target data
breach
Full analysis of the breach is beyond the scope of today’s
presentation, and much of what is described below is
unconfirmed.
Vendor Breach Background
Fazio Mechanical was a vendor to Target for HVAC services
Started with Fazio being targeted by a typical phishing attack
Fazio connected to Target’s internal systems for billing, contract
management and contract submission via a vendor portal called “Ariba”
Vendor Breach Background
Target Design Process
[Diagram: Fazio (vendor) reaches the Ariba vendor platform over the Internet; Ariba connects to A/P and GL on the internal network, which also holds the bank link and the POS systems]
Target Breach
[Diagram: the same layout with the attacker added – labels for SQL injection & privilege escalation, a staging server on the internal network, and RAM-scraping malware on the POS systems]
40,000,000 - Number of credit and debit numbers stolen
70,000,000 - Number of non-credit-card PII records stolen
November 27 to December 15, 2013 – Duration of theft
46% - The percentage drop in profits for 4th quarter 2013 from the year
before
$250,000,000 - Total estimated costs as of August 2014
$90,000,000 - Amount paid by Target’s insurers (maxed out)
$54,000,000 - Estimated amount generated from sale of cards stolen
0 – Number of CIOs and CEOs who kept their jobs
Target by the Numbers
• 41% to 63% of breaches involved third parties
• Per-record costs of a 3rd party breach higher - $231 vs. $188
• 71% of companies failed to adequately manage risk of third parties
• 92% of companies planned to expand their use of vendors in 2013
• 90% of anti-corruption actions by DOJ involved 3rd parties
Third Party Breach Numbers
What Is It?
Third Party Risk Management
Third Party Risk Management (TPRM) is the process of analyzing and
controlling risks presented to your company, your data, your
operations and your finances by parties OTHER than your own
company.
Due Diligence is the investigative process by which a company or
other third party is reviewed to determine its suitability for a given
task. Due diligence is an ongoing activity, including review,
monitoring, and management communication over the entire vendor
lifecycle.
No universally accepted framework like COBIT or COSO
TPRM – What It Is
Vendors
Customers
Joint Ventures
Counterparties
Fourth parties
TPRM – Who It Is
Why Should We Do It?
Third Party Risk Management
Reduce likelihood of data breach costs
Reduce likelihood of costly operational failures
Reduce likelihood of vendor bankruptcy
Regulatory mandates may require it
Prudent due diligence – ethical obligation
Audit where the risk is
Enterprise risk portfolio may expose the organization to most risk here
Business Justifications
Office of the Comptroller of the Currency (OCC)
US Department of Health & Human Services
(HHS)
State data breach laws
Regulatory Guidance
Strongest language so far is for financial institutions regulated by the Office
of the Comptroller of the Currency
If precedents hold true, this will likely “migrate” to other financial entities,
healthcare entities, and government contractors
Consumer Financial Protection Bureau (CFPB)
Since 2012, imposed over $1 billion USD in fines
Was partially in response to 2008 financial crisis. Banks did not manage risk
well.
Regulatory Requirements
Very comprehensive guidance requiring banks to proactively evaluate ALL
risks associated with ALL third parties
Issued in October, 2013, governing all financial institutions regulated by the
OCC
Closest thing we currently have to a generally accepted framework
“… A third-party relationship is any business arrangement between a bank
and another entity, by contract or otherwise”
“The Office of the Comptroller of the Currency (OCC) expects a bank to
practice effective risk management regardless of whether the bank performs
the activity internally or through a third party. A bank’s use of third parties
does not diminish the responsibility of its board of directors and senior
management to ensure that the activity is performed in a safe and sound
manner and in compliance with applicable laws.”
OCC 2013-29
An effective risk management process throughout the life
cycle of the relationship includes:
• Plans that outline the bank’s strategy, identify the inherent risks of the
activity, and detail how the bank selects, assesses, and oversees the third
party.
• Proper due diligence in selecting a third party.
• Written contracts that outline the rights and responsibilities of all parties.
• Ongoing monitoring of the third party’s activities and performance.
• Clear roles and responsibilities for overseeing and managing the
relationship and risk management process.
• Documentation and reporting that facilitates oversight, accountability,
monitoring, and risk management.
• Independent reviews that allow bank management to determine that
the bank’s process aligns with its strategy and effectively manages risks.
OCC 2013-29
In 2009, the HITECH Act extended compliance requirements explicitly to
“Business Associates”
Business Associates are persons or entities using PHI to perform services for
a covered entity.
PHI – Medical-related PII
Many third parties in healthcare have access – very difficult to perform
substantive activities without access to PHI
Can impose fines on Covered Entity (insurer, hospital, etc.) for actions of a
delegate
HIPAA - HITECH
Massachusetts General Employee – took some work home
Accidentally left 192 patient billing records on subway
HHS imposed $1,000,000 fine
HHS imposed three-year corrective action plan
What would have happened had this been a vendor?
• Would there be a difference depending on due diligence?
• Fines seem to be directly related to how lackadaisical oversight was
HIPAA Example
Many different laws
Almost all laws have provisions requiring notification within certain period
after detection
Detection by whom?
Most appear to make no distinction between losses caused by an entity and
losses caused by an entity’s vendor
Penalties
• Up to $500,000 in civil penalties per breach for failure to notify timely
(Florida)
• $5,000 “per violation” if not received within 10 days. Every subsequent
day “not received” is a separate violation (Louisiana)
State Data Breach Laws
What Does It Look Like?
Third Party Risk Management
1. Initial Risk Review
1. Based on risk tier
2. Documentation review
3. On-site review
4. Business process documentation
5. Inherent risk/residual risk
6. Remediation plan
2. Ongoing Monitoring
1. Both for changed risks and for changes at vendor
3. Recurring Reviews
1. Based on risk tier
What TPRM Looks Like – Process
“The Four RMs”
1. Risk Measurement
1. Linked to ERM
2. Measures the risk of both the activity itself and of the vendor in particular
2. Risk Management
1. Standard mechanisms for dealing with risk: accept, decline, transfer, modify
3. Risk Monitoring
1. New/evolving risks
2. Vendor changes
4. Response Management
1. Incident response, both on your part and the vendor’s
What TPRM Looks Like – Elements
Using OCC 2013-29 as framework – “Banks should consider the following:”
Legal and regulatory compliance
Financial condition
Qualifications, backgrounds and reputations of company principals
Risk management
Information security and management (including physical and logical
security)
Incident reporting and management
Reliance on subcontractors
Contract language, including right to audit and metrics
What TPRM Looks Like – Assessment
RandomCo – 300 employee, midsized, technology-oriented company
Specialized in document management and OCR
Being considered for an engagement that required high levels of data
security, operational reliability, and performance
Would be subject to HIPAA requirements
Case Study
Reviewed SAS 70 (Type 1)
Reviewed architectural documentation
Reviewed online reputation
Reviewed legal entanglements
Reviewed summary financials
Nothing significantly negative was found
Stage I – Case Study
Glass-sided stand-alone office building, surrounded by
public, ungated parking lot
Scanned for wireless networks. They had a
“RandomCoProd” SSID
• WEP encryption
Unlocked front door
No security cameras
“Netgear” wireless router bolted to wall in stairwell
Unlocked server room and networking closet
RandomCo – Case Study
Data center served by single internet feed
“Some” systems were RAID 5
Some “servers” were recycled desktops running Linux
Disaster Recovery Plan never tested
Backup Plan
• Network admin drove to data center
• Network admin took tapes out of servers
• Network admin threw the tapes in his trunk
• Network admin drove tapes home
RandomCo – Case Study
Not because RandomCo was particularly bad
• In fact, not the worst
Many smaller vendors lack controls
• Many vendors will be 25-200 person companies (28M small businesses in the US)
• No full-time IT, let alone IT Security
Never would have known without on-site
“Vendor Development”
Why this story?
Vendor tiering or stratification
Tier 1 – Critical vendors (10%) – PII + critical systems
Tier 2 – Major vendors (40%) – PII OR critical systems
Tier 3 – Vendors (50%) – commodities/low risk purchases
Workflow tools
Capability Maturity Model
Vendor scorecards (maintained by business owner of vendor)
Tools
Shared Assessment Group (Santa Fe Group) – Shared Information Gathering
Tool (SIG)
Current version costs $5000
Version 6.0 freely available, but dated
Lite and full versions – provides flexibility
Vendor research tools
Dun & Bradstreet Supplier Risk Manager
Lexis Nexis
Research and monitoring tools
Variety of checklists available online
Contracting language – right to audit, required reporting, standards
Tools
Level 0
• No processes exist
Level 1 – Initial
• Processes exist, but are ad hoc and unpredictable
Level 2 – Managed
• Processes are reactive, “hero driven” and project specific
Level 3 – Defined
• Processes are organized, formalized and documented
Level 4 – Quantitative
• Processes are formalized, measured empirically and controlled
Level 5 – Optimized
• Processes are highly mature, and emphasize system feedback and improvement
Are the vendor’s risk management processes:
• Defined?
• Comprehensive?
• Repeatable?
• Measured?
• Reliable?
Risk Capability Maturity Model
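As an added illustration that is not part of the deck, the Python below models the process slide (tier-based recurring reviews, inherent vs. residual risk, ongoing-monitoring triggers and the remediation decision) using the deck's vendor tiering rules and Risk CMM levels; the review intervals, on-site rule, score weights, remediation threshold and the sample vendors are assumptions.

```python
# Constructed example, not the deck author's tooling. Tier rules follow the
# deck (Tier 1: PII + critical systems; Tier 2: PII or critical systems;
# Tier 3: everything else). Review intervals, on-site rules, score weights
# and the remediation threshold are assumptions for illustration.
import math
from dataclasses import dataclass
from datetime import date, timedelta
from enum import IntEnum
from typing import List, Optional


class Tier(IntEnum):
    CRITICAL = 1   # deck: "Critical vendors" (PII + critical systems)
    MAJOR = 2      # deck: "Major vendors" (PII or critical systems)
    STANDARD = 3   # deck: commodities / low-risk purchases


# Assumed cadence: the deck says recurring reviews are "based on risk tier"
# but gives no intervals. Only the critical tier always gets an on-site review.
REVIEW_INTERVAL = {Tier.CRITICAL: timedelta(days=365),
                   Tier.MAJOR: timedelta(days=730),
                   Tier.STANDARD: timedelta(days=1095)}
ONSITE_REQUIRED = {Tier.CRITICAL: True, Tier.MAJOR: False, Tier.STANDARD: False}
# Assumed inherent-risk score of the activity itself, by tier (1 low .. 5 high).
INHERENT_BY_TIER = {Tier.CRITICAL: 5, Tier.MAJOR: 3, Tier.STANDARD: 1}


@dataclass
class Vendor:
    name: str
    handles_pii: bool
    touches_critical_systems: bool
    maturity_level: int                 # Risk CMM level 0..5 from the assessment
    last_review: Optional[date] = None  # None: initial review never completed


def assign_tier(v: Vendor) -> Tier:
    """Tier 1 needs both PII and critical systems; Tier 2 needs either."""
    if v.handles_pii and v.touches_critical_systems:
        return Tier.CRITICAL
    if v.handles_pii or v.touches_critical_systems:
        return Tier.MAJOR
    return Tier.STANDARD


def inherent_risk(v: Vendor) -> int:
    """Risk of the activity itself, before looking at this particular vendor."""
    return INHERENT_BY_TIER[assign_tier(v)]


def residual_risk(v: Vendor) -> int:
    """Inherent risk reduced by the vendor's process maturity. Assumed scale:
    each CMM level retires 20% of the inherent score, rounded up, floor of 1
    (even a Level 5 vendor still carries some risk)."""
    if not 0 <= v.maturity_level <= 5:
        raise ValueError("maturity level must be 0..5")
    return max(1, math.ceil(inherent_risk(v) * (5 - v.maturity_level) / 5))


def next_review_due(v: Vendor) -> Optional[date]:
    """Next recurring review date; None while the initial review is outstanding."""
    if v.last_review is None:
        return None
    return v.last_review + REVIEW_INTERVAL[assign_tier(v)]


def review_needed(v: Vendor, as_of: date, risk_changed: bool = False,
                  vendor_changed: bool = False) -> List[str]:
    """Reasons a review is needed now: initial review outstanding, recurring
    review overdue, or an ongoing-monitoring trigger from the deck (changed
    risk of the activity, change at the vendor). Empty list: nothing is due."""
    reasons = []
    due = next_review_due(v)
    if due is None:
        reasons.append("initial review outstanding")
    elif as_of >= due:
        reasons.append("recurring review overdue since " + due.isoformat())
    if risk_changed:
        reasons.append("risk of the activity changed")
    if vendor_changed:
        reasons.append("change at the vendor")
    return reasons


def remediation_required(v: Vendor, threshold: int = 3) -> bool:
    """Assumed policy: residual risk at or above the threshold needs a plan."""
    return residual_risk(v) >= threshold


# Constructed sample vendors: the deck's RandomCo as assessed on-site (PHI plus
# critical document processing, ad hoc processes => CMM Level 1) and a low-risk
# commodity supplier with documented processes (Level 3).
RANDOMCO = Vendor("RandomCo", handles_pii=True, touches_critical_systems=True,
                  maturity_level=1, last_review=date(2013, 6, 1))
SUPPLIER = Vendor("OfficeSupplyCo", handles_pii=False,
                  touches_critical_systems=False, maturity_level=3,
                  last_review=date(2014, 1, 15))

if __name__ == "__main__":
    today = date(2014, 9, 1)
    for v in (RANDOMCO, SUPPLIER):
        t = assign_tier(v)
        print(f"{v.name}: tier {int(t)}, inherent {inherent_risk(v)}, "
              f"residual {residual_risk(v)}, on-site {ONSITE_REQUIRED[t]}, "
              f"remediation {remediation_required(v)}, "
              f"review: {review_needed(v, today) or 'not due'}")
```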
Very cost-effective way to manage risk
One day on-site often is all that is required
Complete review (including on-site) can cost less than $1,000
Lots of “low-hanging fruit”
Emphasis area: Test data
Emphasis area: Data retention & lifespan management
Emphasis area: Physical security
Emphasis area: Cloud reliance and architecture
Often you get more pushback from internal parties. Many vendors
appreciate the “free consulting”
Personal Observations
70% of companies do not adequately do this now, yet over 90% say they will
INCREASE their use of third parties.
Data breaches caused by third parties cost $43 per record more than other
breaches, yet account for over 40% of all breaches.
Effective TPRM involves a combination of oversight and review of the external
partner AND implementation of internal controls and processes.
Given the risk exposure and costs involved, TPRM can be the single most
cost-effective risk management program that a company can implement,
and Internal Audit and InfoSec can contribute in many significant ways.
Summary
Third-party risk management failures contributed to attacks
Vendor used FREE Malwarebytes Anti-Malware software
The free version is only an on-demand scanner. No real-time scanning.
Target did not require vendors to use multi-factor authentication
If vendor used free anti-malware, what is probability that it required users to
take security training? Or implement enterprise email system that might
have caught phishing attack?
But Target also left vast amounts of sensitive data about vendors on
unsecured systems. This is also about vendor management.
Ariba is a vendor too. Was testing/scanning for SQL injection done, and was the architecture
reviewed?
How was Ariba monitoring for unusual activity?
Target Breach – TPRM
Questions?
ANIn Gurugram April 2024 |Can Agile and AI work together? by Pramodkumar Shri...AgileNetwork
 
VIP Kolkata Call Girl Rajarhat 👉 8250192130 Available With Room
VIP Kolkata Call Girl Rajarhat 👉 8250192130  Available With RoomVIP Kolkata Call Girl Rajarhat 👉 8250192130  Available With Room
VIP Kolkata Call Girl Rajarhat 👉 8250192130 Available With Roomdivyansh0kumar0
 
Beyond the Five Whys: Exploring the Hierarchical Causes with the Why-Why Diagram
Beyond the Five Whys: Exploring the Hierarchical Causes with the Why-Why DiagramBeyond the Five Whys: Exploring the Hierarchical Causes with the Why-Why Diagram
Beyond the Five Whys: Exploring the Hierarchical Causes with the Why-Why DiagramCIToolkit
 
原版1:1复刻密西西比大学毕业证Mississippi毕业证留信学历认证
原版1:1复刻密西西比大学毕业证Mississippi毕业证留信学历认证原版1:1复刻密西西比大学毕业证Mississippi毕业证留信学历认证
原版1:1复刻密西西比大学毕业证Mississippi毕业证留信学历认证jdkhjh
 

Recently uploaded (17)

Call Us🔝⇛+91-97111🔝47426 Call In girls Munirka (DELHI)
Call Us🔝⇛+91-97111🔝47426 Call In girls Munirka (DELHI)Call Us🔝⇛+91-97111🔝47426 Call In girls Munirka (DELHI)
Call Us🔝⇛+91-97111🔝47426 Call In girls Munirka (DELHI)
 
Measuring True Process Yield using Robust Yield Metrics
Measuring True Process Yield using Robust Yield MetricsMeasuring True Process Yield using Robust Yield Metrics
Measuring True Process Yield using Robust Yield Metrics
 
LPC Warehouse Management System For Clients In The Business Sector
LPC Warehouse Management System For Clients In The Business SectorLPC Warehouse Management System For Clients In The Business Sector
LPC Warehouse Management System For Clients In The Business Sector
 
Introduction to LPC - Facility Design And Re-Engineering
Introduction to LPC - Facility Design And Re-EngineeringIntroduction to LPC - Facility Design And Re-Engineering
Introduction to LPC - Facility Design And Re-Engineering
 
Reflecting, turning experience into insight
Reflecting, turning experience into insightReflecting, turning experience into insight
Reflecting, turning experience into insight
 
Pooja Mehta 9167673311, Trusted Call Girls In NAVI MUMBAI Cash On Payment , V...
Pooja Mehta 9167673311, Trusted Call Girls In NAVI MUMBAI Cash On Payment , V...Pooja Mehta 9167673311, Trusted Call Girls In NAVI MUMBAI Cash On Payment , V...
Pooja Mehta 9167673311, Trusted Call Girls In NAVI MUMBAI Cash On Payment , V...
 
Fifteenth Finance Commission Presentation
Fifteenth Finance Commission PresentationFifteenth Finance Commission Presentation
Fifteenth Finance Commission Presentation
 
Simplifying Complexity: How the Four-Field Matrix Reshapes Thinking
Simplifying Complexity: How the Four-Field Matrix Reshapes ThinkingSimplifying Complexity: How the Four-Field Matrix Reshapes Thinking
Simplifying Complexity: How the Four-Field Matrix Reshapes Thinking
 
LPC Operations Review PowerPoint | Operations Review
LPC Operations Review PowerPoint | Operations ReviewLPC Operations Review PowerPoint | Operations Review
LPC Operations Review PowerPoint | Operations Review
 
Farmer Representative Organization in Lucknow | Rashtriya Kisan Manch
Farmer Representative Organization in Lucknow | Rashtriya Kisan ManchFarmer Representative Organization in Lucknow | Rashtriya Kisan Manch
Farmer Representative Organization in Lucknow | Rashtriya Kisan Manch
 
Board Diversity Initiaive Launch Presentation
Board Diversity Initiaive Launch PresentationBoard Diversity Initiaive Launch Presentation
Board Diversity Initiaive Launch Presentation
 
Unlocking Productivity and Personal Growth through the Importance-Urgency Matrix
Unlocking Productivity and Personal Growth through the Importance-Urgency MatrixUnlocking Productivity and Personal Growth through the Importance-Urgency Matrix
Unlocking Productivity and Personal Growth through the Importance-Urgency Matrix
 
ANIn Gurugram April 2024 |Can Agile and AI work together? by Pramodkumar Shri...
ANIn Gurugram April 2024 |Can Agile and AI work together? by Pramodkumar Shri...ANIn Gurugram April 2024 |Can Agile and AI work together? by Pramodkumar Shri...
ANIn Gurugram April 2024 |Can Agile and AI work together? by Pramodkumar Shri...
 
VIP Kolkata Call Girl Rajarhat 👉 8250192130 Available With Room
VIP Kolkata Call Girl Rajarhat 👉 8250192130  Available With RoomVIP Kolkata Call Girl Rajarhat 👉 8250192130  Available With Room
VIP Kolkata Call Girl Rajarhat 👉 8250192130 Available With Room
 
sauth delhi call girls in Defence Colony🔝 9953056974 🔝 escort Service
sauth delhi call girls in Defence Colony🔝 9953056974 🔝 escort Servicesauth delhi call girls in Defence Colony🔝 9953056974 🔝 escort Service
sauth delhi call girls in Defence Colony🔝 9953056974 🔝 escort Service
 
Beyond the Five Whys: Exploring the Hierarchical Causes with the Why-Why Diagram
Beyond the Five Whys: Exploring the Hierarchical Causes with the Why-Why DiagramBeyond the Five Whys: Exploring the Hierarchical Causes with the Why-Why Diagram
Beyond the Five Whys: Exploring the Hierarchical Causes with the Why-Why Diagram
 
原版1:1复刻密西西比大学毕业证Mississippi毕业证留信学历认证
原版1:1复刻密西西比大学毕业证Mississippi毕业证留信学历认证原版1:1复刻密西西比大学毕业证Mississippi毕业证留信学历认证
原版1:1复刻密西西比大学毕业证Mississippi毕业证留信学历认证
 

Third Party Risk Management Strategies

Slide 9 – Third Party Breach Numbers
• 41% to 63% of breaches involved third parties
• Per-record costs of a 3rd party breach higher - $231 vs. $188
• 71% of companies failed to adequately manage risk of third parties
• 92% of companies planned to expand their use of vendors in 2013
• 90% of anti-corruption actions by DOJ involved 3rd parties

Slide 10 – Third Party Risk Management: What Is It?

Slide 11 – TPRM: What It Is
Third Party Risk Management (TPRM) is the process of analyzing and controlling risks presented to your company, your data, your operations and your finances by parties OTHER than your own company.
Due Diligence is the investigative process by which a company or other third party is reviewed to determine its suitability for a given task.
Due diligence is an ongoing activity, including review, monitoring, and management communication over the entire vendor lifecycle.
There is no universally accepted framework for TPRM comparable to COBIT or COSO.

Slide 13 – Third Party Risk Management: Why Should We Do It?

Slide 14 – Business Justifications
• Reduce likelihood of data breach costs
• Reduce likelihood of costly operational failures
• Reduce likelihood of vendor bankruptcy
• Regulatory mandates may require it
• Prudent due diligence – ethical obligation
• Audit where the risk is: the enterprise risk portfolio may expose the organization to the most risk here

Slide 15 – Regulatory Guidance
• Office of the Comptroller of the Currency (OCC)
• US Department of Health & Human Services (HHS)
• State data breach laws

Slide 16 – Regulatory Requirements
The strongest language so far is for financial institutions regulated by the Office of the Comptroller of the Currency. If precedents hold true, this will likely “migrate” to other financial entities, healthcare entities, and government contractors.
Consumer Financial Protection Bureau (CFPB): since 2012, has imposed over $1 billion USD in fines. This was partially in response to the 2008 financial crisis; banks did not manage risk well.

Slide 17 – OCC 2013-29
Very comprehensive guidance requiring banks to proactively evaluate ALL risks associated with ALL third parties.
Issued in October 2013, governing all financial institutions regulated by the OCC.
Closest thing we currently have to a generally accepted framework.
“… A third-party relationship is any business arrangement between a bank and another entity, by contract or otherwise”
“The Office of the Comptroller of the Currency (OCC) expects a bank to practice effective risk management regardless of whether the bank performs the activity internally or through a third party. A bank’s use of third parties does not diminish the responsibility of its board of directors and senior management to ensure that the activity is performed in a safe and sound manner and in compliance with applicable laws.”

Slide 18 – OCC 2013-29
An effective risk management process throughout the life cycle of the relationship includes:
• Plans that outline the bank’s strategy, identify the inherent risks of the activity, and detail how the bank selects, assesses, and oversees the third party.
• Proper due diligence in selecting a third party.
• Written contracts that outline the rights and responsibilities of all parties.
• Ongoing monitoring of the third party’s activities and performance.
• Clear roles and responsibilities for overseeing and managing the relationship and risk management process.
• Documentation and reporting that facilitates oversight, accountability, monitoring, and risk management.
• Independent reviews that allow bank management to determine that the bank’s process aligns with its strategy and effectively manages risks.

Slide 19 – HIPAA - HITECH
In 2009, the HITECH Act extended compliance requirements explicitly to “Business Associates”.
Business Associates are persons or entities using PHI to perform services for a covered entity.
PHI – medical-related PII.
Many third parties in healthcare have access; it is very difficult to perform substantive activities without access to PHI.
HHS can impose fines on the Covered Entity (insurer, hospital, etc.) for the actions of a delegate.

Slide 20 – HIPAA Example
Massachusetts General employee took some work home and accidentally left 192 patient billing records on the subway.
HHS imposed a $1,000,000 fine and a three-year corrective action plan.
What would have happened had this been a vendor?
• Would there be a difference depending on due diligence?
• Fines seem to be directly related to how lackadaisical oversight was

Slide 21 – State Data Breach Laws
Many different laws. Almost all have provisions requiring notification within a certain period after detection. Detection by whom?
Most appear to make no distinction between losses caused by an entity and losses caused by an entity’s vendor.
Penalties
• Up to $500,000 in civil penalties per breach for failure to notify timely (Florida)
• $5,000 “per violation” if notice is not received within 10 days. Every subsequent day “not received” is a separate violation (Louisiana)

Slide 22 – Third Party Risk Management: What Does It Look Like?

Slide 23 – What TPRM Looks Like - Process
1. Initial Risk Review
   1. Based on risk tier
   2. Documentation review
   3. On-site review
   4. Business process documentation
   5. Inherent risk/residual risk
   6. Remediation plan
2. Ongoing Monitoring
   1. Both for changed risks and for changes at the vendor
3. Recurring Reviews
   1. Based on risk tier

Slide 24 – What TPRM Looks Like - Elements
“The Four RMs”
1. Risk Measurement
   1. Linked to ERM
   2. Measures the risk of both the activity itself and of the vendor in particular
2. Risk Management
   1. Standard mechanisms for dealing with risk: accept, decline, transfer, modify
3. Risk Monitoring
   1. New/evolving risks
   2. Vendor changes
4. Response Management
   1. Incident response, both on your part and the vendor’s

Slide 25 – What TPRM Looks Like - Assessment
Using OCC 2013-29 as framework – “Banks should consider the following:”
• Legal and regulatory compliance
• Financial condition
• Qualifications, backgrounds and reputations of company principals
• Risk management
• Information security and management (including physical and logical security)
• Incident reporting and management
• Reliance on subcontractors
• Contract language, including right to audit and metrics

Slide 26 – Case Study
RandomCo – 300-employee, midsized, technology-oriented company specialized in document management and OCR.
Being considered for an engagement that required high levels of data security, operational reliability, and performance.
Would be subject to HIPAA requirements.

Slide 27 – Stage I – Case Study
• Reviewed SAS 70 (Type 1)
• Reviewed architectural documentation
• Reviewed online reputation
• Reviewed legal entanglements
• Reviewed summary financials
Nothing significantly negative was found.

Slide 28 – RandomCo – Case Study
• Glass-sided stand-alone office building, surrounded by a public, ungated parking lot
• Scanned for wireless networks. They had a “RandomCoProd” SSID, using WEP encryption
• Unlocked front door
• No security cameras
• “Netgear” wireless router bolted to the wall in a stairwell
• Unlocked server room and networking closet

Slide 29 – RandomCo – Case Study
• Data center served by a single internet feed
• “Some” systems were RAID 5
• Some “servers” were recycled desktops running Linux
• Disaster Recovery Plan never tested
• Backup Plan: the network admin drove to the data center, took the tapes out of the servers, threw the tapes in his trunk, and drove the tapes home

Slide 30 – Why this story?
Not because RandomCo was particularly bad; in fact, not the worst.
Many smaller vendors lack controls. Many vendors will be 25-200 person companies (28M small businesses), with no full-time IT, let alone IT Security.
We never would have known without the on-site visit.
“Vendor Development”

Slide 31 – Tools
Vendor tiering or stratification
• Tier 1 – Critical vendors (10%) – PII + critical systems
• Tier 2 – Major vendors (40%) – PII OR critical systems
• Tier 3 – Vendors (50%) – commodities/low risk purchases
Workflow tools
Capability Maturity Model
Vendor scorecards (maintained by the business owner of the vendor)
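The tiering rule on slide 31, combined with the review process of slide 23 (inherent versus residual risk, a remediation plan, and recurring reviews whose frequency depends on the tier), as an added Python example that is not part of the deck. The vendors are constructed, and the review intervals per tier, the residual-risk formula and the remediation threshold are assumptions made for the example; the deck does not state them.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Vendor:
    name: str
    handles_pii: bool        # vendor stores or processes our PII
    critical_system: bool    # vendor supports one of our critical systems
    inherent_risk: int       # 1 (low) .. 5 (high), set in the initial risk review
    control_score: float     # 0.0 .. 1.0, control effectiveness found on review
    last_review: date        # date of the last completed review


def tier(v: Vendor) -> int:
    """Slide 31 rule: PII and critical -> Tier 1, PII or critical -> Tier 2,
    everything else (commodity / low-risk purchases) -> Tier 3."""
    if v.handles_pii and v.critical_system:
        return 1
    if v.handles_pii or v.critical_system:
        return 2
    return 3


# Assumed recurring-review cadence per tier (not from the deck):
# Tier 1 yearly, Tier 2 every two years, Tier 3 every three years.
REVIEW_INTERVAL_DAYS = {1: 365, 2: 730, 3: 1095}

# Assumed residual-risk level above which a remediation plan is required.
REMEDIATION_THRESHOLD = 2.0


def residual_risk(v: Vendor) -> float:
    """Assumed model: inherent risk reduced in proportion to control effectiveness."""
    return round(v.inherent_risk * (1.0 - v.control_score), 2)


def needs_remediation(v: Vendor) -> bool:
    """A remediation plan is required when residual risk stays above the threshold."""
    return residual_risk(v) > REMEDIATION_THRESHOLD


def reviews_due(vendors, today: date):
    """Names of vendors whose recurring review is due, based on tier cadence."""
    due = []
    for v in vendors:
        interval = timedelta(days=REVIEW_INTERVAL_DAYS[tier(v)])
        if today - v.last_review >= interval:
            due.append(v.name)
    return due


def tier_distribution(vendors):
    """Share of the vendor base in each tier, to compare with the deck's 10/40/50 split."""
    counts = {1: 0, 2: 0, 3: 0}
    for v in vendors:
        counts[tier(v)] += 1
    return {t: c / len(vendors) for t, c in counts.items()}


# Constructed vendor register (hypothetical names and values).
SAMPLE_VENDORS = [
    Vendor("claims-processor", True, True, 5, 0.8, date(2013, 6, 1)),
    Vendor("direct-mail-firm", True, False, 4, 0.3, date(2014, 3, 15)),
    Vendor("hvac-services", False, True, 3, 0.2, date(2012, 9, 1)),
    Vendor("office-supplies", False, False, 1, 0.5, date(2011, 1, 1)),
]

# Constructed "as of" date for the review schedule.
AS_OF = date(2014, 9, 1)


if __name__ == "__main__":
    for v in SAMPLE_VENDORS:
        print(v.name, "tier", tier(v), "residual", residual_risk(v),
              "remediation" if needs_remediation(v) else "ok")
    print("reviews due:", reviews_due(SAMPLE_VENDORS, AS_OF))
    print("tier split:", tier_distribution(SAMPLE_VENDORS))
```

The point of the structure is that the tier drives the review schedule while the residual risk drives the remediation decision: a Tier 2 vendor with weak controls (the direct-mail firm) still needs a remediation plan even though its recurring review is not yet due, and a low-risk Tier 3 vendor still gets a review once its cadence lapses.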
Slide 32 – Tools
Shared Assessments Group (Santa Fe Group) – Standardized Information Gathering tool (SIG)
• Current version costs $5000
• Version 6.0 freely available, but dated
• Lite and full versions provide flexibility
Vendor research tools
• Dun & Bradstreet Supplier Risk Manager
• LexisNexis research and monitoring tools
Variety of checklists available online
Contracting language – right to audit, required reporting, standards

Slide 33 – Risk Capability Maturity Model
• Level 0 – No processes exist
• Level 1 Initial – Processes exist, but are ad hoc and unpredictable
• Level 2 Managed – Processes are reactive, “hero driven” and project specific
• Level 3 Defined – Processes are organized, formalized and documented
• Level 4 Quantitative – Processes are formalized, measured empirically and controlled
• Level 5 Optimized – Processes are highly mature, and emphasize system feedback and improvement
Are the vendor’s risk management processes:
• Defined?
• Comprehensive?
• Repeatable?
• Measured?
• Reliable?

Slide 34 – Personal Observations
Very cost-effective way to manage risk: one day on-site is often all that is required, and a complete review (including on-site) can cost less than $1,000.
Lots of “low-hanging fruit”.
Emphasis areas: test data; data retention and lifespan management; physical security; cloud reliance and architecture.
Often you get more pushback from internal parties. Many vendors appreciate the “free consulting”.

Slide 35 – Summary
70% of companies do not adequately do this now, yet over 90% say they will INCREASE their use of third parties.
Data breaches caused by third parties cost $43 per record more than other breaches, yet account for over 40% of all breaches.
Effective TPRM involves a combination of oversight and review of the external partner AND implementation of internal controls and processes.
Given the risk exposure and costs involved, TPRM can be the single most cost-effective risk management program that a company can implement, and Internal Audit and InfoSec can contribute in many significant ways.

Slide 36 – Target Breach - TPRM
Third-party risk management failures contributed to the attacks:
• The vendor used the FREE Malwarebytes Anti-Malware software. The free version is only an on-demand scanner, with no real-time scanning.
• Target did not require vendors to use multi-factor authentication.
• If the vendor used free anti-malware, what is the probability that it required users to take security training? Or implemented an enterprise email system that might have caught the phishing attack?
But Target also left vast amounts of sensitive data about vendors on unsecured systems. This is also about vendor management: Ariba is a vendor too.
• Was testing/scanning for SQL injection and the architecture reviewed?
• How was Ariba monitoring for unusual activity?
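Slide 36 asks whether the vendor portal was tested for SQL injection and how unusual activity was monitored. As an added Python example that is not part of the deck and does not describe Ariba's or Target's actual code, the block below shows the defect class a scan should catch (a billing lookup that concatenates the vendor-supplied value into the SQL text) beside its parameterised form, an authorization check that scopes a vendor session to its own records, and a simple monitoring rule over constructed portal access-log records. The table schema, the vendor names, the invoice rows and the log entries are all constructed for the example.

```python
import sqlite3

# Constructed sample rows for a hypothetical vendor billing portal
# (an assumed schema, not Ariba's or Target's).
INVOICES = [
    ("hvac-vendor", "INV-1001", 1250.00),
    ("hvac-vendor", "INV-1002", 980.50),
    ("signage-vendor", "INV-2001", 4400.00),
]

# A constructed scanner-style probe: a vendor_id value containing a quote and a
# tautology, the kind of input an injection test sends to see whether the value
# is treated as SQL text or as data.
PROBE = "hvac-vendor' OR '1'='1"


def build_portal_db():
    """Create an in-memory SQLite database holding the constructed invoices."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE invoices (vendor_id TEXT, invoice_no TEXT, amount REAL)")
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?)", INVOICES)
    conn.commit()
    return conn


def invoices_vulnerable(conn, vendor_id):
    """Builds the WHERE clause by string concatenation. The caller-supplied value
    becomes part of the SQL text, so a value containing a quote rewrites the
    query and returns rows belonging to other vendors."""
    sql = "SELECT invoice_no, amount FROM invoices WHERE vendor_id = '" + vendor_id + "'"
    return conn.execute(sql).fetchall()


def invoices_hardened(conn, vendor_id):
    """Binds the value as a query parameter. It is compared as data and cannot
    change the statement, whatever characters it contains."""
    sql = "SELECT invoice_no, amount FROM invoices WHERE vendor_id = ?"
    return conn.execute(sql, (vendor_id,)).fetchall()


def invoices_for_session(conn, session_vendor_id, requested_vendor_id):
    """Authorization the portal should apply on top of the query: a vendor
    session may only read its own invoices, whatever vendor_id the request names."""
    if requested_vendor_id != session_vendor_id:
        return []
    return invoices_hardened(conn, session_vendor_id)


# Constructed portal access-log records: (authenticated session vendor,
# vendor_id named in the request).
ACCESS_LOG = [
    ("hvac-vendor", "hvac-vendor"),
    ("hvac-vendor", PROBE),
    ("signage-vendor", "signage-vendor"),
    ("hvac-vendor", "signage-vendor"),
]


def suspicious_requests(log):
    """Monitoring rule for the portal: flag requests whose vendor_id parameter
    contains a quote (injection probing) or names a vendor other than the
    authenticated session's (cross-vendor access attempt)."""
    flagged = []
    for session_vendor, requested in log:
        reasons = []
        if "'" in requested:
            reasons.append("quote in vendor_id parameter")
        if requested != session_vendor:
            reasons.append("request names another vendor")
        if reasons:
            flagged.append((session_vendor, requested, "; ".join(reasons)))
    return flagged


if __name__ == "__main__":
    db = build_portal_db()
    print("vulnerable lookup with probe:", invoices_vulnerable(db, PROBE))
    print("hardened lookup with probe:  ", invoices_hardened(db, PROBE))
    print("session-scoped cross-vendor: ", invoices_for_session(db, "hvac-vendor", "signage-vendor"))
    for entry in suspicious_requests(ACCESS_LOG):
        print("ALERT", entry)
```

Run against the constructed data, the concatenated query returns every vendor's invoices for the probe value while the parameterised query returns none, which is exactly the difference an injection scan of the portal would have reported. The monitoring rule is deliberately simple; its value is that the portal logs the session identity next to the requested identity, so that cross-vendor requests and quote-laden parameters can be alerted on at all.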
Slide 38 – References
1. http://compliance.med.nyu.edu/news/documenting-inpatient-admissions
2. http://www.grantthornton.com/~/media/content-page-files/health-care/pdfs/2013/HC-2013-AIHA-wp-HIPAA-rule-data-control-concerns.ashx
3. http://www.occ.gov/news-issuances/bulletins/2013/bulletin-2013-29.html
4. http://www.computerweekly.com/news/2240178104/Bad-outsourcing-decisions-cause-63-of-data-breaches
5. http://www.experian.com/assets/data-breach/brochures/ponemon-aftermath-study.pdf
6. http://www.fierceitsecurity.com/story/third-party-vendor-behind-possible-lowes-data-breach/2014-05-26

Slide 39 – References
1. http://www.navexglobal.com/company/press-room/navex-global-survey-7-10-us-companies-neglect-third-party-risk
2. http://www.ponemon.org/blog/ponemon-institute-releases-2014-cost-of-data-breach-global-analysis
3. http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1986461
4. http://listserv.educause.edu/cgi-bin/wa.exe?A3=ind1112&L=SECURITY&E=base64&P=1183182&B=--_003_BF662A4EE06D844081EA3B2DB8CCF22B1FDD3423B4SSUMPEXCLUS01_&T=application%2Fvnd.ms-excel;%20name=%22SIGv6.2.xls%22&N=SIGv6.2.xls&attachment=q
5. http://www.privacyrights.org/data-breach
6. http://www.ejise.com/issue/download.html?idArticle=858
7. http://krebsonsecurity.com/2014/02/email-attack-on-vendor-set-up-breach-at-target/
8. http://krebsonsecurity.com/2014/05/the-target-breach-by-the-numbers/