How to Build a Successful Incident Response Program
3rd Party Risk: Practical Considerations for Privacy & Security Due Diligence
1. 3rd Party Risk – Pt. 1: Practical Considerations for Privacy & Security Due Diligence
2. Agenda
• Introductions
• 3rd Party Risk Due Diligence Best Practices
• Questionnaires
• On-Site Reviews
• Q&A
3. Introductions: Today’s Speakers
• Ted Julian, Chief Marketing Officer, Co3 Systems
  • Security / compliance entrepreneur
  • Security industry analyst
• Deb Hampson, AVP & Assistant General Counsel, The Hartford
  • Head of Corporate Privacy Office since 2006
  • Previously head of The Hartford Life's Corporate Compliance Unit and the Group Benefits Legal Team
  • Specialties: privacy law, insurance law, corporate compliance, social media legal and compliance issues.
4. Co3 Automates Breach Management
PREPARE – Improve Organizational Readiness
• Assign response team
• Describe environment
• Simulate events and incidents
• Focus on organizational gaps
ASSESS – Quantify Potential Impact, Support Privacy Impact Assessments
• Track events
• Scope regulatory requirements
• See $ exposure
• Send notice to team
• Generate Impact Assessments
MANAGE – Easily Generate Detailed Incident Response Plans
• Escalate to complete IR plan
• Oversee the complete plan
• Assign tasks: who/what/when
• Notify regulators and clients
• Monitor progress to completion
REPORT – Document Results and Track Performance
• Document incident results
• Track historical performance
• Demonstrate organizational preparedness
• Generate audit/compliance reports
5. About The Hartford
Business lines: Personal Lines, Middle Market, Mutual Funds, Retirement, Small Commercial, Group Benefits, Individual Life, Specialty, Annuities
6. Data Breaches and 3rd Party Leaks
• Malicious Cyber-Attacks – Global Consumer Electronics Firm: hackers stole customer data, including credit card information (100 million records)
• Lost/Stolen Assets – Community-Based Healthcare Plan: laptops with patient data stolen by former employee (208,000 records)
• 3rd Party Leaks – Multi-Channel Marketing Service: digital marketing agency exposes customer data of dozens of clients (millions of records)
• Internal/Employee Actions – Government Agency: employee sent CD-ROM with personal data on registered advisors (139,000 records)
The multitude of breach regulations don’t care how the data was lost. You are subject to the same requirements.
10. Who Receives a Questionnaire?
• Every vendor that handles customer data, employee data or company confidential data receives a questionnaire.
• The questionnaire is developed using:
  • International standards:
    • ISO/IEC 27001 Information Management Systems
    • ISO/IEC 27002 Code of Practice for Information Security Management
    • the BITS Financial Institution Shared Asset Program
  • Internal Privacy and Information Protection policies based on regulatory requirements.
11. What Areas Does the Questionnaire Address?
• Overview of services being provided
• Privacy and Security Policies
• Information Handling
• Organizational Structure
• Personnel Security
• Environmental Security
• Operations Management
• Network Management
• Access Control
• Compliance
• Business Continuity and Disaster Recovery
13. Who gets an On-Site Visit?
Risk-Based Approach For Vendors Who:
• Provide incomplete questionnaire responses
• Provide unsatisfactory questionnaire responses
• Handle contracts over a specified dollar amount
• Handle information that is sensitive or confidential
• Are located in a foreign country
14. Components Of An On-Site Review Process
• Meetings with vendor senior management: address key privacy and security policies and procedures to ensure senior management buy-in
• Interviews with key personnel: allows assessors to obtain more specific information on the vendor’s controls
• Comprehensive document review: verify the existence of key security documents
• Physical security inspection: verify key physical security and environmental controls are in place
• Policy/Statement of Work verification: verify that security requirements detailed in the Statement of Work are implemented
15. Top Questions
1. Do comprehensive information security policies exist that all employees must read and accept?
2. Are all employees and contractors with access to Company data required to take information security awareness training?
3. Are there processes in place that ensure access to Company data is authorized and granted in the most restrictive manner possible and limited to those having a business need for such authorization?
4. Is access to Company data contingent on a thorough criminal background history investigation performed using an accredited personnel investigation agency?
5. Are physical security measures in place to control physical access to systems or output that contain Company data?
16. Top Questions (cont.)
6. Is all access to Company data logged and reviewed on a regular basis?
7. Is there a Security Incident Response Plan in place that contains procedures to be followed in the event of any actual, suspected, or threatened security breach, including unauthorized use, access, disclosure, theft, manipulation, or reproduction of Company data?
8. Will the vendor submit to an annual Security Risk Assessment review based on ISO 27001, conducted by the Company (or its agent)?
9. Is there commercially reasonable and effective network intrusion prevention or detection, firewalls and anti-virus protection in place and functioning properly?
10. Are operating systems and applications associated with the Company appropriately patched after knowledge of any security vulnerabilities?
11. Are all sensitive or confidential data sent over public networks encrypted with at least 256-bit encryption?
17. Considerations For Foreign Service Providers
Scope of Services and Sensitivity of Data
• Are the services contemplated to be performed temporarily or on an ongoing basis?
• Do the services involve the handling, storage or transmission of sensitive data?
• Can the Company execute an exit strategy if services are disrupted?
Geographic, Cultural, Social and Political Factors
• How far away is the vendor?
• What language barriers exist?
• How often does the Company plan to review or audit the vendor?
• Do on-site reviews need to be done?
• What social or political factors are reasonably likely to affect the provider?
• Can the Company monitor these factors?
Business Continuity and Disaster Recovery
• Does the vendor have a Business Continuity Plan?
• Does the vendor have experience executing the plan?
18. Considerations For Foreign Service Providers (cont.)
Local Laws Regulating Privacy and Data Security
• Are there local laws that impose requirements on the vendor with regard to data?
• How do the local laws apply to the Company?
Legal/Compliance Risk
• What contractual provisions are required to ensure proper resolution of disputes?
• If local laws create requirements, are they consistent with the provisions the Company applies to its US-based service providers?
• What is the process under local laws for responding to access requests by individuals, subpoenas or other requests for disclosure from governmental agencies?
Security Controls
• Can the vendor reasonably be expected to satisfy stricter or rapidly evolving standards for data security?
• Is the vendor transferring data to other locations or countries?
19. How About When You Receive A Questionnaire?
• What do you do when there are too many questions to answer?
• How do you ensure consistent responses?
• How do you respond to yes/no questions?
• How do you manage the volume?
• Whose Privacy and Security Policies and Procedures do you follow?
21. Next Webinar
• Canadian Breach Regulations
• Next Thursday, 10/25 @ 1 PM
• Invites with more info and registration information in the next day or two
22. “Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice.”
PC MAGAZINE, EDITOR’S CHOICE
“Co3…defines what software packages for privacy look like.”
GARTNER
“Platform is comprehensive, user friendly, and very well designed.”
PONEMON INSTITUTE
Co3 Systems
One Alewife Center, Suite 450
Cambridge, MA 02140
PHONE 617.206.3900
WWW.CO3SYS.COM
Deb Hampson
Assistant VP & Assistant GC
debra.hampson@thehartford.com
www.thehartford.com