Third Party Risk Management

Cincinnati ISACA – September, 2014
Christopher Dorr

Your company spends millions of dollars on IT security – systems,
technologies, appliances
• InfoSec professionals
• Internal Audit professionals
• External Auditors
• Processes, technologies, systems
Then some manager in marketing dumps your client data to an Excel
spreadsheet, and emails it to a direct mail firm in Omaha.
Perhaps even worse – Usually not random. Usually not one vendor. Often
thousands of vendors.
Third Party Risk Management

1. What it is
2. Business value and justification
• Two main regulatory drivers: HIPAA & OCC 2013-29
3. What it looks like
• Case study
Information Security focus, but many additional
areas of risk
Overview –Third Party Risk Management

Fazio Mechanical Data Breach
Fazio Mechanical is a 100-staff, $12M revenue HVAC
company
Perhaps better known as the $250,000,000Target data
breach
Full analysis of the breach is beyond the scope of today’s
presentation, and much of what is described below is
unconfirmed.
Vendor Breach Background

Fazio Mechanical was vendor for Target for HVAC services
Started with Fazio being targeted by typical phishing attack
Fazio connected to Target’s internal systems for billing, contract
management and contract submission via vendor portal called “Ariba”
Vendor Breach Background

Target Design Process
Ariba
Vendor
Platform
Fazio
Vendor
A/P and
GL
Internet
Internal
Bank
Internal
POS
POS
POS

Target Breach
Ariba
Fazio
A/P and
GL
Internet
Internal
Bank
Internal
POS
POS
POS
Attacker
SQL Injection &
Privilege escalation
RAM Scraping
malware
Staging
Server

40,000,000 - Number of credit and debit numbers stolen
70,000,000 - Number of non-credit-card PII records stolen
November 27 to December 15, 2013 – Duration of theft
46% - The percentage drop in profits for 4th quarter 2013 from the year
before
$250,000,000 - Total estimated costs as of August 2014
$90,000,000 - Amount paid by Target’s insurers (maxed out)
$54,000,000 - Estimated amount generated from sale of cards stolen
0 – Number of CIOs and CEOs who kept their jobs
Target by the Numbers

• 41% to 63% of breaches involved third parties
• Per-record costs of a 3rd party breach higher - $231 vs. $188
• 71% of companies failed to adequately manage risk of third parties
• 92% of companies planned to expand their use of vendors in 2013
• 90% of anti-corruption actions by DOJ involved 3rd parties
Third Party Breach Numbers

What Is it?

Third Party Risk Management (TPRM) is the process of analyzing and
controlling risks presented to your company, your data, your
operations and your finances by parties OTHER than your own
company.
Due Diligence is the investigative process by which a company or
other third party is reviewed to determine its suitability for a given
task. Due diligence is an ongoing activity, including review,
monitoring, and management communication over the entire vendor
lifecycle.
No universally-accepted framework like CObIT or COSO
TPRM –What It Is

Vendors
Customers
JointVentures
Counterparties
Fourth parties
TPRM –Who It Is

Why Should We Do it?

Reduce likelihood of data breach costs
Reduce likelihood of costly operational failures
Reduce likelihood of vendor bankruptcy
Regulatory mandates may require it
Prudent due diligence – ethical obligation
Audit where the risk is
Enterprise risk portfolio may expose the organization to most risk here
Business Justifications

Office of the Comptroller of the Currency (OCC)
US Department of Health & Human Services
(HHS)
State data breach laws
Regulatory Guidance

Strongest language so far is for financial institutions regulated by the Office
of the Comptroller of the Currency
If precedents hold true, this will likely “migrate” to other financial entities,
healthcare entities, and government contractors
Consumer Financial Protection Bureau (CFPB)
Since 2012, imposed over $1 billion USD in fines
Was partially in response to 2008 financial crisis. Banks did not manage risk
well.
Regulatory Requirements

Very comprehensive guidance requiring banks to proactively evaluate ALL
risks associated with ALL third parties
Issued in October, 2013, governing all financial institutions regulated by the
OCC
Closest thing we currently have to a generally accepted framework
“…. A third-party relationship is any business arrangement between a bank
and another entity, by contract or otherwise”
“The Office of the Comptroller of the Currency (OCC) expects a bank to
practice effective risk management regardless of whether the bank performs
the activity internally or through a third party. A bank’s use of third parties
does not diminish the responsibility of its board of directors and senior
management to ensure that the activity is performed in a safe and sound
manner and in compliance with applicable laws.”
OCC 2013-29

An effective risk management process throughout the life
cycle of the relationship includes:
• Plans that outline the bank’s strategy, identify the inherent risks of the
activity, and detail how the bank selects, assesses, and oversees the third
party.
• Proper due diligence in selecting a third party.
• Written contracts that outline the rights and responsibilities of all parties.
• Ongoing monitoring of the third party’s activities and performance.
• Clear roles and responsibilities for overseeing and managing the
relationship and risk management process.
• Documentation and reporting that facilitates oversight, accountability,
monitoring, and risk management.
• Independent reviews that allow bank management to determine that
the bank’s process aligns with its strategy and effectively manages risks.
OCC 2013-29

In 2009, the HITECH Act extended compliance requirements explicitly to
“Business Associates”
Business Associates are persons or entities using PHI to perform services for
a covered entity.
PHI – Medical-related PII
Many third parties in healthcare have access – very difficult to perform
substantive activities without access to PHI
Can impose fines on Covered Entity (insurer, hospital, etc.) for actions of a
delegate
HIPAA - HITECH

Massachusetts General Employee – took some work home
Accidentally left 192 patient billing records on subway
HHS imposed $1,000,000 fine
HHS imposed three-year corrective action plan
What would have happened had this been vendor?
• Would there be a difference depending on due diligence?
• Fines seem to be directly related to how lackadaisical oversight was
HIPAA Example

Many different laws
Almost all laws have provisions requiring notification within certain period
after detection
Detection by whom?
Most appear to make no distinction between losses caused by an entity and
losses caused by an entity’s vendor
Penalties
• Up to $500,000 in civil penalties per breach for failure to notify timely
(Florida)
• $5,000 “per violation” if not received within 10 days. Every subsequent
day “not received” is a separate violation (Louisiana)
State Data Breach Laws

What Does It Look Like?

1. Initial Risk Review
1. Based on risk tier
2. Documentation review
3. On-site review
4. Business process documentation
5. Inherent risk/residual risk
6. Remediation plan
2. Ongoing Monitoring
1. Both for changed risks and for changes at vendor
3. Recurring Reviews
1. Based on risk tier
WhatTPRM Looks Like - Process

“The Four RMs”
1. Risk Measurement
1. Linked to ERM
2. Measures the risk of both the activity itself and of the vendor in particular
2. Risk Management
1. Standard mechanisms for dealing with risk: accept, decline, transfer, modify
3. Risk Monitoring
1. New/evolving risks
2. Vendor changes
4. Response Management
1. Incident response, both on your part and the vendor’s
WhatTPRM Looks Like - Elements

Using OCC 2013-29 as framework – “Banks should consider the following:”
Legal and regulatory compliance
Financial condition
Qualifications, backgrounds and reputations of company principals
Risk management
Information security and management (including physical and logical
security)
Incident reporting and management
Reliance on subcontractors
Contract language, including right to audit and metrics
WhatTPRM Looks Like - Assessment

RandomCo – 300 employee, midsized, technology-oriented company
Specialized in document management and OCR
Being considered for an engagement that required high levels of data
security, operational reliability, and performance
Would be subject to HIPAA requirements
Case Study

Reviewed SAS 70 (Type 1)
Reviewed architectural documentation
Reviewed online reputation
Reviewed legal entanglements
Reviewed summary financials
Nothing significantly negative was found
Stage I – Case Study

Glass-sided stand-alone office building, surrounded by
public, ungated parking lot
Scanned for wireless networks.They had
“RandomCoProd” SSID
• WEP encryption
Unlocked front door
No security cameras
“Netgear” wireless router bolted to wall in stairwell
Unlocked server room and networking closet
RandomCo– Case Study

Data center served by single internet feed
“Some” systems were RAID 5
Some “servers” were recycled desktops running Linux
Disaster Recovery Plan never tested
Backup Plan
• Network admin drove to data center
• Network admin took tapes out of servers
• Network admin threw the tapes in his trunk
• Network admin drove tapes home
RandomCo – Case Study

Not because particularly bad
• In fact, not the worst
Many smaller vendors lack controls
• Many vendors will be 25-200 person companies (28M small bus.)
• No full-time IT, let alone IT Security
Never would have known without on-site
“Vendor Development”
Why this story?

Vendor tiering or stratification
Tier 1 – Critical vendors (10%) – PII + critical systems
Tier 2 – Major vendors (40%) – PII OR critical systems
Tier 3 – Vendors (50%) – commodities/low risk purchases
Workflow tools
Capability Maturity Model
Vendor scorecards (maintained by business owner of vendor)
Tools

Shared Assessment Group (Santa Fe Group) – Shared Information Gathering
Tool (SIG)
Current version costs $5000
Version 6.0 freely available, but dated
Lite and full versions – provides flexibility
Vendor research tools
Dunn & Bradstreet Supplier Risk Manager
Lexis Nexis
Research and monitoring tools
Variety of checklists available online
Contracting language – right to audit, required reporting, standards
Tools

Level 0
•No processes
exist
Level 1
Initial
•Processes exist, but are ad hoc
and unpredictable
Level 2
Managed
•Processes are reactive,
“hero driven” and project
specific
Level 3
Defined
Level 4
Quantitative
Level 5
Optimized
Risk Capability Maturity Model
• Processes are organized,
formalized and
documented
• Processes are formalized,
measured empirically and
controlled
• Processes are highly
mature, and emphasize
system feedback and
improvement
Are the vendor’s risk
management processes:
• Defined?
• Comprehensive?
• Repeatable?
• Measured?
• Reliable?

Very cost-effective way to manage risk
One day on-site often is all that is required
Complete review (including on-site) can cost less than $1,000
Lots of “low-hanging fruit”
Emphasis area: Test data
Emphasis area: Data retention & lifespan management
Emphasis area: Physical security
Emphasis area: Cloud reliance and architecture
Often you get more pushback from internal parties. Many vendors
appreciate the “free consulting”
Personal Observations

70% of companies do not adequately do this now, yet over 90% say they will
INCREASE their use of third parties.
Data breaches caused by third parties cost $43 per record more than other
breaches, yet account for over 40% of all breaches.
EffectiveTPRM involves combination of oversight and review of the external
partner AND implementation of internal controls and processes.
Given the risk exposure and costs involved,TPRM can be the single most
cost-effective risk management program that a company can implement,
and Internal Audit and InfoSec can contribute in many significant ways.
Summary

Third-party risk management failures contributed to attacks
Vendor used FREE Malwarebytes Anti-Malware software
The free version is only an on-demand scanner. No real-time scanning.
Target did not require vendors to use multi-factor authentication
If vendor used free anti-malware, what is probability that it required users to
take security training? Or implement enterprise email system that might
have caught phishing attack?
But Target also left vast amounts of sensitive data about vendors on
unsecured systems. This is also about vendor management.
Ariba is vendor too. Was testing/scanning for SQL injection and architecture
reviewed?
How was Ariba monitoring for unusual activity?
Target Breach -TPRM

1. http://compliance.med.nyu.edu/news/documenting-inpatient-
admissions
2. http://www.grantthornton.com/~/media/content-page-files/health-
care/pdfs/2013/HC-2013-AIHA-wp-HIPAA-rule-data-control-
concerns.ashx
3. http://www.occ.gov/news-issuances/bulletins/2013/bulletin-2013-
29.html
4. http://www.computerweekly.com/news/2240178104/Bad-outsourcing-
decisions-cause-63-of-data-breaches
5. http://www.experian.com/assets/data-breach/brochures/ponemon-
aftermath-study.pdf
6. http://www.fierceitsecurity.com/story/third-party-vendor-behind-
possible-lowes-data-breach/2014-05-26
References

1. http://www.navexglobal.com/company/press-room/navex-global-survey-7-
10-us-companies-neglect-third-party-risk
2. http://www.ponemon.org/blog/ponemon-institute-releases-2014-cost-of-
data-breach-global-analysis
3. http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1986461
4. http://listserv.educause.edu/cgi-
bin/wa.exe?A3=ind1112&L=SECURITY&E=base64&P=1183182&B=--
_003_BF662A4EE06D844081EA3B2DB8CCF22B1FDD3423B4SSUMPEXCLU
S01_&T=application%2Fvnd.ms-
excel;%20name=%22SIGv6.2.xls%22&N=SIGv6.2.xls&attachment=q
5. http://www.privacyrights.org/data-breach
6. http://www.ejise.com/issue/download.html?idArticle=858
7. http://krebsonsecurity.com/2014/02/email-attack-on-vendor-set-up-
breach-at-target/
8. http://krebsonsecurity.com/2014/05/the-target-breach-by-the-numbers/
References

Third Party Risk Management

More Related Content

What's hot

Similar to Third Party Risk Management

More from banerjeerohit

Recently uploaded

Third Party Risk Management