Ensuring Data Security at Third-Party Providers
- 1. Session # D5
Ensuring Data Security at Third-Party
Providers
Thursday, May 12, 2011
1:30 – 2:45
Peter Hand, CISA, CRISC
Sr. Auditor
© If appropriate, Insert your organization’s copyright information
- 2. About your presenter
Peter Hand
– Bachelor's Degree in Computer Information Systems
– CISA and CRISC certified
– Former Computer Programmer who actually did coding for Y2K,
and has to say that the movie Office Space hit what it was like
right on the head
– Currently a Sr. IT Auditor for a Chicago-based company, performing
Data Security audits at third party providers
- 3. Key Points
Defining security requirements for third-party business partners in
line with corporate policies
Creating and maintaining an inventory of third-party providers with
services performed
Using your Internal Audit and Information Security teams to
perform monitoring through audits and site visits
Linking corporate information security standards to third-party
business partners requirements
- 4. Assumptions
In order to reach the true goal of lockdown Data Security the
following should be considered as part of your reality:
– The Earth, Sun, and Moon are all aligned
– There is an unlimited budget and resources are readily available
– 3-6-9-23-35-44 will be the winning lottery numbers
– The Chicago Cubs will win the World Series
- 5. Importance of Third Party Data Security
Why is Data Security so important?
– The trust factor
• Reputational impact
• Business impact
- 6. Importance of Third Party Data Security
Why is Data Security so important? (cont’d)
– The financial impact of a data breach (aka the bottom line)
• Per a study performed by the Ponemon Institute and
Symantec, the cost of a data breach averages 7.2 million
dollars per incident, a 7% increase from the previous year
• According to a Bloomberg.com article dated March 8, 2011,
one breach incident cost a company $35.3 million
- 7. Importance of Third Party Data Security
Why is Data Security so important? (cont’d)
– The average cost of a breached record
• A malicious or criminally compromised record costs a
company an average of $318
• A compromised record at a third party costs an average of
$302
- 8. Importance of Third Party Data Security
The value of data, and why anyone would attempt to break into a
system
– Tough economic times
– SSN = $1
– Medical Identity Information = $50
- 9. Importance of Third Party Data Security
What happens if a breach occurs at the Third Party Business
Partner?
– Who is responsible and who gets the “black eye”?
- 10. Importance of Third Party Data Security
YOUR COMPANY
- 11. Importance of Third Party Data Security
- 12. The Four Areas of consideration
The path to ensuring Data Security at Third-Party Providers can
be found in four areas:
– Internal Initiation / Setup / Standards
– External Relationship Initiation / Implementation
– Production State
– Termination State
- 13. Internal Initiation / Setup / Standards
- 14. Internal Initiation / Setup / Standards
Understand and maintain up to date documentation of your Third
Party Business Partners with, at a minimum, the following:
– Policies & Procedures for defining contractual, technical, and
business rule requirements before a relationship is initiated
– Business Partner Inventory
– Services rendered & performance Service Level Agreements
(SLAs) of engaged Business Partners
– Costs
- 15. Internal Initiation / Setup / Standards
Policies & Procedures for defining contractual, technical, and
business rule requirements should exist before a Business Partner
relationship is initiated
– Policies & Procedures should be in place defining expected
security requirements, SLAs, and any other expectations for
Business Partners
– All of these expectations should be clearly defined and
documented so that relationship expectations are clearly
understood and can be communicated before beginning a
relationship
- 16. Internal Initiation / Setup / Standards
Business Partner Inventory
– A comprehensive list needs to be maintained of all existing
Business Partner relationships including the following:
• Internal relationship owner
• Primary Business Partner contacts
• Services performed
• Production implementation date
• Business instrument expiration / renewal date
- 17. Internal Initiation / Setup / Standards
Services rendered & performance SLAs of engaged Business
Partners
– Understanding the services performed by Business Partners
allows you to determine if this relationship can be leveraged
for your needs, or if a new Business Partner relationship
should be implemented
– Understanding the SLAs, and whether or not they are being
met, will also allow you to determine if a relationship can be
leveraged for new needs, as well as whether the relationship
should be terminated or re-negotiated
- 18. Internal Initiation / Setup / Standards
Costs
– Understand the costs associated with the existing population to
determine if it is cheaper to leverage an existing relationship or
establish a new one
– When establishing a new relationship consider not only new
work, but also transferring existing work if efficiencies and / or
savings can be realized
- 19. Internal Initiation / Setup / Standards
Other considerations
– Clearly defined Production State parameters:
• Regularly scheduled status meetings
• Regular reporting on SLA achievement versus target
• A dedicated team in place for the “managing” of the
relationship
- 20. Internal Initiation / Setup / Standards
Other considerations
– Clearly defined Relationship Termination parameters:
• How data will be handled upon relationship termination
• How final resolution of data storage will be handled
• How data destruction will be accounted for
- 22. External Relationship Initiation / Implementation
Understand requirements for engaging, pricing, testing, and
implementing a Business Partner into production.
– Policies & Procedures for:
• Initiating contact
• Request for Information (RFI) requirements
• Request for Pricing (RFP) requirements
• Security standards
• Implementation standards
– Contractual requirements
– Site visits
- 23. External Relationship Initiation / Implementation
Initiating contact
– Central point of contact for handling Business Partner initiation,
such as a procurement department
– A central business area contact, responsible for maintaining
relationship and keeping open communication channels
– A central technical area contact, responsible for working with
Business Partner in all technical aspects of relationship during
the entire relationship lifecycle
- 24. External Relationship Initiation / Implementation
Request for Information (RFI)
– Documentation which outlines Business Partner requirements
for services requested as well as security and business
processing requirements
– Specific parameters outlining expected deliverables for RFI
- 25. External Relationship Initiation / Implementation
Request for Pricing (RFP)
– Documentation which outlines Business Partner requirements
for services requested as well as security and business
processing requirements
– Parameters defining number of iterations of process or control
execution expected during a defined time period, such as
monthly or weekly
- 26. External Relationship Initiation / Implementation
Security Standards
– Documentation outlining the security standards a Business
Partner must meet for the services requested, covering both
security and business processing requirements
- 27. External Relationship Initiation / Implementation
Security Standards (cont’d)
– Some security standards to consider include:
• An assigned contact, such as a Security Officer,
responsible for ensuring compliance with any and all
regulations, including industry standards such as HIPAA
• Defined Policies & Procedures for the technical and
administrative controls for the handling of data
- 28. External Relationship Initiation / Implementation
Security Standards (cont’d)
• Continual Security Monitoring & Issue Reporting
• Monthly Performance Reporting
• Incident Response procedures, including breach notification
procedures
• Employment screening for employees who will interact with
your data; this can include both new and existing employees
- 29. External Relationship Initiation / Implementation
Implementation Standards
– Standard testing Policies & Procedures outlining all test cases
and expected results
• This should include communication, security, and access
testing
– Depending on the size of the contract, site visits should be
performed at Third Party Data Centers to ensure physical
access security
- 30. External Relationship Initiation / Implementation
Implementation Standards (cont’d)
– Review different reports that may be available:
• SAS70 – Statement of Auditing Standards No. 70
– Allows service organizations to disclose their control
activities and processes to their customers in a uniform
reporting format.
- 31. External Relationship Initiation / Implementation
Implementation Standards (cont’d)
• Service Organization Control Reports (SOC) – Provides a
framework to examine controls and to help management
understand related risks. There are three reporting options:
– SOC1 – Also known as SSAE16 (Statement on
Standards for Attestation Engagements No. 16,
Reporting of Controls at a Service Organization). This
focuses on controls at a service organization that are
likely to be relevant to an audit of a user entity’s
financial statement.
- 32. External Relationship Initiation / Implementation
Implementation Standards (cont’d)
– SOC2 – A report that specifically addresses one or
more of the following five key system attributes:
Security
Availability
Processing Integrity
Confidentiality
Privacy
- 33. External Relationship Initiation / Implementation
Implementation Standards (cont’d)
– SOC3 – A general-use report that provides only the
auditor’s report on whether or not the system achieved
the trust services criteria.
- 34. External Relationship Initiation / Implementation
Contractual Requirements
– Right to Audit clause
– Service Level Agreements defining expectations of services
performed and expected delivery timeframes
– Business language requiring that any use of subcontractors by
the engaged Business Partner be approved before their
engagement
- 35. External Relationship Initiation / Implementation
Contractual Requirements (cont’d)
– Defined security requirements based upon defined and tested
security parameters
– Defined escalation procedures in the case of incidents /
breaches
– Defined parameters for the handling of data in the case of
relationship termination
- 36. Production State
- 37. Production State
Production State reporting and monitoring
– Periodic business partner reviews should be performed by a
defined team. Some requirements to consider when performing
the review:
• Review of audit documents such as SAS70 or SSAE16
• Annual site visits to a selection of business partners based
on pre-defined criteria, such as risk level or performance
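The Business Partner Inventory (slide 16) and the periodic review (slide 37) can be turned into a repeatable check. The script below is an added example, not part of the deck: it runs over a constructed inventory and flags records missing a required field, business instruments due for renewal, attestation reports (SAS70 / SSAE16) not reviewed within a year, and high-risk partners without a site visit in the last year. The field names, the 90-day renewal window, the 12-month review cycle, and "high" risk as the site-visit criterion are assumptions.

```python
from datetime import date, timedelta

# Constructed sample inventory (not from the deck); one record per Business Partner.
INVENTORY = [
    {"name": "Partner A", "owner": "J. Smith", "contact": "ops@partner-a.example",
     "services": ["claims processing"], "prod_date": date(2009, 4, 1),
     "expires": date(2011, 6, 30), "risk": "high",
     "last_attestation": date(2010, 3, 15), "last_site_visit": date(2010, 2, 1)},
    {"name": "Partner B", "owner": "", "contact": "help@partner-b.example",
     "services": ["print and mail"], "prod_date": date(2010, 9, 1),
     "expires": date(2012, 9, 1), "risk": "low",
     "last_attestation": date(2011, 1, 10), "last_site_visit": None},
]

# Slide 16: every entry needs an owner, a contact, services, and both dates.
REQUIRED = ("owner", "contact", "services", "prod_date", "expires")
REVIEW_DATE = date(2011, 5, 12)  # date of the periodic review (constructed)
YEAR = timedelta(days=365)


def review_inventory(records, today=REVIEW_DATE, renewal_window_days=90):
    """Return review findings as (partner name, issue) tuples."""
    findings = []
    for r in records:
        for field in REQUIRED:
            if not r.get(field):
                findings.append((r["name"], f"missing {field}"))
        # Business instrument expiration / renewal date approaching (assumed window).
        if r.get("expires") and r["expires"] - today <= timedelta(days=renewal_window_days):
            findings.append((r["name"], "instrument renewal due"))
        # Slide 37: audit documents such as SAS70 / SSAE16 reviewed each cycle (assumed 12 months).
        att = r.get("last_attestation")
        if att is None or today - att > YEAR:
            findings.append((r["name"], "attestation report review overdue"))
        # Slide 37: annual site visit, selection criterion assumed to be risk level "high".
        if r.get("risk") == "high":
            visit = r.get("last_site_visit")
            if visit is None or today - visit > YEAR:
                findings.append((r["name"], "annual site visit overdue"))
    return findings


if __name__ == "__main__":
    for partner, issue in review_inventory(INVENTORY):
        print(f"{partner}: {issue}")
```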
- 38. Production State
Production State reporting and monitoring (cont’d)
– Regularly scheduled meetings to discuss business partner
performance against defined SLAs
– Regular planning and status meetings for any new projects /
implementations / upgrades
- 39. Termination State
- 40. Termination State
Relationship Termination processing
– Previously defined parameters should be enacted to account
for data handling
– Negotiated time parameters regarding processing cut-off date
– Final meeting to discuss official end of relationship
- 41. Summary
Conclusions
– There is no 100% guarantee of data security, because you
are not monitoring 24 X 7
– In order to achieve a high level of data security most of the
work is performed by the company outlining their
expectations and requirements before engaging a third
party business partner
- 42. Summary
Conclusions (cont’d)
– An inventory of business partners, and services performed,
should be maintained for multiple purposes
– Regular contact should be maintained and a dedicated
team should be established with members of all parties
involved
– Most of the work needed to ensure some, not absolute,
comfort around Data Security happens before the external
Business Partner is engaged
- 43. Questions
- 44. Helpful articles and websites
Bloomberg Article - http://www.bloomberg.com/news/2011-03-08/security-breach-costs-climb-7-to-7-2-million-per-incident.html
Ponemon and Symantec 2010 Data Breach Study - http://www.symantec.com/content/en/us/about/media/pdfs/symantec_ponemon_data_breach_costs_report.pdf?om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2011Mar_worldwide_costofdatabreach
American Institute of Certified Public Accountants, Inc. –
www.aicpa.org
SAS70 – www.SAS70.com
SSAE16 – www.SSAE16.com
Identity Theft information – www.theidentityadvocate.com
ISACA – www.isaca.org
MIS Training Institute – www.misti.com
Institute of Internal Auditors – www.theiia.org
- 45. More helpful websites
United States Computer Emergency Readiness Team (US-CERT)
– www.us-cert.gov
Carnegie Mellon Software Engineering Institute – www.cert.org
Dark Reading – www.darkreading.com
- 46. Contact Information
Thank you for your time!
If you have any questions please feel free to contact me at
phand9@me.com