Ensuring Data Security at Third-Party Providers

Session # D5
Ensuring Data Security at Third-Party
Providers

Thursday, May 12, 2011
1:30 – 2:45

Peter Hand, CISA, CRISC
Sr. Auditor

© If appropriate, Insert your organization’s copyright information

About your presenter

 Peter Hand

– Bachelors Degree in Computer Information Systems

– CISA and CRISC certified

– Former Computer Programmer who actually did coding for Y2K,
and has to say that the movie Office Space hit what it was like
right on the head

– Currently a Sr. IT Auditor for a Chicago based company who
performs Data Security audits at third party providers


Key Points

 Defining security requirements for third-party business partners in
line with corporate policies

 Creating and maintaining an inventory of third-party providers with
services performed

 Using your Internal Audit and Information Security teams to
perform monitoring through audits and site visits

 Linking corporate information security standards to third-party
business partners requirements


Assumptions

 In order to reach the true goal of lockdown Data Security the
following should be considered as part of your reality:

– The Earth, Sun, and Moon are all aligned

– There is an unlimited budget and resources are readily available

– 3-6-9-23-35-44 will be the winning lottery numbers

– The Chicago Cubs will win the World Series


Importance of Third Party Data Security

 Why is Data Security so important?

– The trust factor

• Reputational impact
• Business impact



 Why is Data Security so important? (cont’d)

– The financial impact of a data breach (aka the bottom line)

• Per a study performed by the Ponemon Institute and
Symantec the cost of a data breach is an average of 7.2
million dollars per incident. This is a 7% increase from the
previous year
• According to a Bloomberg.com article dated March 8, 2011,
one breach incident cost a company $35.3 Million dollars



 Why is Data Security so important? (cont’d)

– The average cost of a breached record

• A malicious or criminally compromised record costs a
company an average of $318
• A compromised record at a third party costs an average of
$302



 The value of data & why would anyone attempt to break into a
system

– Tough economic times

– SSN = $1

– Medical Identity Information = $50



 What happens if a breach occurs at the Third Party Business
Partner?

– Who is responsible and who gets the “black eye”?



YOUR COMPANY


The Four Areas of consideration

 The path to ensuring Data Security at Third-Party Providers can
be found in four areas:

– Internal Initiation / Setup / Standards

– External Relationship Initiation / Implementation

– Production State

– Termination State


Internal Initiation / Setup / Standards



 Understand and maintain up to date documentation of your Third
Party Business Partners with, at a minimum, the following:

– Policies & Procedures for defining contractual, technical, and
business rule requirements before a relationship is initiated

– Business Partner Inventory

– Services rendered & performance Service Level Agreements
(SLA’s) of engaged Business Partners

– Costs



 Policies & Procedures for defining contractual, technical, and
business rule requirements should exist before a Business Partner
relationship is initiated

– Policy & Procedures should be in place defining expected
security requirements, SLA’s, and any other expectations for
Business Partners

– All of these expectations should be clearly defined and
documented so that relationship expectations are clearly
understood and can be communicated before beginning a
relationship



 Business Partner Inventory

– A comprehensive list needs to be maintained of all existing
Business Partner relationships including the following:

• Internal relationship owner
• Primary Business Partner contacts
• Services performed
• Production implementation date
• Business instrument expiration / renewal date



 Services rendered & performance SLA’s of engaged Business
Partners

– Understanding the services performed by Business Partners
allows you to determine if this relationship can be leveraged
for your needs, or if a new Business Partner relationship
should be implemented

– Understanding the SLA’s, and whether or not they are being
met, will also allow you to determine if a relationship can be
leveraged for new needs as well as whether or not the
relationship should be terminated or re-negotiated



 Costs

– Understand the costs associated with the existing population to
determine if it is cheaper to leverage an existing relationship or
establish a new one

– When establishing a new relationship consider not only new
work, but also transferring existing work if efficiencies and / or
savings can be realized



 Other considerations

– Clearly defined Production State parameters:

• Regularly scheduled status meetings
• Regular reporting on SLA achievement versus target
• A dedicated team in place for the “managing” of the
relationship



 Other considerations

– Clearly defined Relationship Termination parameters:

• How data will be handled upon relationship termination
• How final resolution of data storage will be handled
• How will data destruction be accounted for


External Relationship Initiation / Implementation



 Understand requirements for engaging, pricing, testing, and
implementing Business Partner into production.

– Policies & Procedures for:

• Initiating contact
• Request for Information (RFI) requirements
• Request for Pricing (RFP) requirements
• Security standards
• Implementation standards

– Contractual requirements
– Site visits


 Initiating contact

– Central point of contact for handling Business Partner initiation,
such as a procurement department

– A central business area contact, responsible for maintaining
relationship and keeping open communication channels

– A central technical area contact, responsible for working with
Business Partner in all technical aspects of relationship during
the entire relationship lifecycle



 Request for Information (RFI)

– Documentation which outlines Business Partner requirements
for services requested as well as security and business
processing requirements

– Specific parameters outlining expected deliverables for RFI



 Request for Pricing (RFP)

– Documentation which outlines Business Partner requirements
for services requested as well as security and business
processing requirements

– Parameters defining number of iterations of process or control
execution expected during a defined time period, such as
monthly or weekly



 Security Standards

– Documentation outlining the security standards which outlines
Business Partner requirements for services requested as well
as security and business processing requirements



 Security Standards (cont’d)

– Some security standards to consider include:

• An assigned contact, such as a Security Officer,
responsible for ensuring compliance with any and all
regulations, including industry standards such as HIPAA

• Defined Policies & Procedures for the technical and
administrative controls for the handling of data



 Security Standards (cont’d)

• Continual Security Monitoring & Issue Reporting

• Monthly Performance Reporting

• Incident Response procedures, including breach notification
procedures

• Employment screening for new employees who will interact
with your data, this can include new or existing employees



 Implementation Standards

– Standard testing Policies & Procedures outlining all test cases
and expected results

• This should include communication, security, and access
testing

– Dependent on the size of contract, site visits should be
performed at Third Party Data Centers to ensure physical
access security



 Implementation Standards (cont’d)

– Review different reports that may be available:

• SAS70 – Statement of Auditing Standards No. 70

– Allows service organizations to disclose their control
activities and processes to their customers in a uniform
reporting format.




• Service Organization Control Reports (SOC) – Provides a
framework to examine controls and to help management
understand related risks. There are three reporting options:

– SOC1 – Also known as SSAE16 (Statement on
Standards for Attestation Engagements No. 16,
Reporting of Controls at a Service Organization). This
focuses on controls at a service organization that are
likely to be relevant to an audit of a user entity’s
financial statement.




– SOC2 – A report that specifically addresses one or
more of the following five key system attributes:

 Security
 Availability
 Processing Integrity
 Confidentiality
 Privacy




– SOC3 – A general-use report that provides only the
auditor’s report on whether or not the system achieved
the trust services criteria.



 Contractual Requirements

– Right to Audit clause

– Service Level Agreements defining expectations of services
performed and expected delivery timeframes

– Business language requiring any use of subcontractors by the
engaged Business Partner must be approved before their
engagement



 Contractual Requirements (cont’d)

– Defined security requirements based upon defined and tested
security parameters

– Defined escalation procedures in the case of incidents /
breaches

– Defined parameters for the handing of data in the case of
relationship termination


Production State


Production State

 Production State reporting and monitoring

– Periodic business partner reviews should be performed by a
defined team. Some requirements to consider when performing
the review:

• Review of audit documents such as SAS70 or SSAE16
• Annual site visits to a selection of business partners based
on a pre-defined criteria, such as risk level or performance


Production State

 Production State reporting and monitoring (cont’d)

– Regularly scheduled meetings to discuss business partner
performance against defined SLA’s

– Regular planning and status meetings for any new projects /
implementations / upgrades


Termination State


Termination State

 Relationship Termination processing

– Previously defined parameters should be enacted to account
for data handling

– Negotiated time parameters regarding processing cut-off date

– Final meeting to discuss official end of relationship


Summary

 Conclusions

– There is no 100% guarantee of data security, because you
are not monitoring 24 X 7

– In order to achieve a high level of data security most of the
work is performed by the company outlining their
expectations and requirements before engaging a third
party business partner


Summary

 Conclusions (cont’d)

– An inventory of business partners, and services performed,
should be maintained for multiple purposes

– Regular contact should be maintained and a dedicated
team should be established with members of all parties
involved

– Most of the work needed to ensure some, not absolute,
comfort around Data Security happens before the external
Business Partner is engaged


Questions


Helpful articles and websites

 Bloomberg Article - http://www.bloomberg.com/news/2011-03-
08/security-breach-costs-climb-7-to-7-2-million-per-incident.html
 Ponemon and Symantec 2010 Data Breach Study -
http://www.symantec.com/content/en/us/about/media/pdfs/symant
ec_ponemon_data_breach_costs_report.pdf?om_ext_cid=biz_soc
med_twitter_facebook_marketwire_linkedin_2011Mar_worldwide_
costofdatabreach
 American Institute of Certified Public Accountants, inc –
www.aicpa.org
 SAS70 – www.SAS70.com
 SSAE16 – www.SSAE16.com
 Identity Theft information – www.theidentityadvocate.com
 ISACA – www.isaca.org
 MIS Training Institute – www.misti.com
 Institute Internal Auditors – www.theiia.org


More helpful websites

 United States Computer Emergency Readiness Team (US-CERT)
– www.us-cert.gov
 Carnegie Mellon Software Engineering Institute – www.cert.org
 Dark Reading – www.darkreading.com


Contact Information

Thank you for your time!

If you have any question please feel free to contact me at
phand9@me.com


Ensuring Data Security at Third-Party Providers

Recommended

Recommended

More Related Content

Viewers also liked

Viewers also liked (10)

Similar to Ensuring Data Security at Third-Party Providers

Similar to Ensuring Data Security at Third-Party Providers (20)

Recently uploaded

Recently uploaded (20)

Ensuring Data Security at Third-Party Providers