Vendor Risk Management Data Privacy & Security - Panel

Transcription

1 Vendor Risk Management Data Privacy & Security - Panel Sherry Ryan, CISO, Juniper Tanya O Connor, Director, Information Security, Arcadia Healthcare Solutions Gary Roboff, Senior Advisor, Santa Fe Group - Shared Assessments Rick Olin, Shareholder, CIPP/US, GTC Law Group (Moderator) 1

2 Vendor Risk Management Data Privacy & Security (Panel) Sherry Ryan, Chief Information Security Officer, Juniper Networks previously established and led information security programs at Blue Shield of California, Hewlett-Packard, Safeway and Levi Strauss Certifications: Certified Information Security Manager (CISM) from ISACA and Certified Information Systems Security Professional (CISSP) from ISC2 member of High Tech Crime Investigation Association (HTCIA) and Information Systems Security Association (ISSA) Tanya O Connor, Director, Information Security, Arcadia Healthcare Solutions responsible for strategic security and privacy planning and implementation, contract review, continuous monitoring, HIPAA/HITECH compliance, and responding to customer privacy/security assessments Oracle Corporation - Compliance Manager and Security Lead U.S. Department of the Treasury - Information Systems Security Manager U.S. Navy - Information Security Business Analyst and Information Assurance Governance Analyst 2

3 Vendor Risk Management Data Privacy & Security (Panel) Gary Roboff, Senior Advisor, Santa Fe Group Shared Assessments focuses on payments, risk management, mobile financial services, and information management JPMorgan served 25 years; retired as Senior Vice President of Electronic Commerce; led effort to return to merchant services business with the founding of Chase Merchant Services LLC (now Chase Paymentech) International Security Trust and Privacy Alliance (ISTPA) Founder Chemical and Manufacturers Hanover - led development of pinned debit services served on various Boards of Directors, including: ISTPA, the NYCE network, and the Electronic Funds Transfer Association Rick Olin, Shareholder, CIPP/US, GTC Law Group focuses on transactional matters, including: M&A and technology transfer; compliance areas such as data privacy and security, and information management matters; as well as general business counseling to GTC s technology and media clients TechTarget, Inc. (NASDAQ, TTGT) - Vice President, General Counsel and Secretary Workscape, Inc. (acquired by ADP, Inc.) - Senior Vice President of Corporate Development, General Counsel and Secretary SpeechWorks International, Inc. (acquired by ScanSoft, Inc. and now Nuance Communications, Inc.) - Vice President, General Counsel and Secretary 3

4 Vendor Risk Management Panel November 3, 2017 Sherry Ryan, VP/CISO

5 Why third-party cybersecurity matters CSO Cybersecurity Insights, December 7, % of breaches in recent years were traced to third-party vendors Cross industry: restaurants, chain stores, pharmacies, construction companies, hotels and medical centers Financial impact of breach response plus revenue and share price impact Reputational impacts, regulatory exposure, and lawsuits plus job loss for executives, directors and others

6

7 Key Findings The Third Party Ecosystem Managing Third Party Risk Third Party Governance Technology and Delivery Models As dependence on third parties becomes increasingly critical, organizations are being compelled to rapidly catch up in enhancing the maturity of their third party governance and risk management processes The drivers for third party engagement are progressively shifting from a focus upon cost to a focus upon value Third party risk incidents are on the increase Increased monitoring and assurance activity over third parties is believed to significantly reduce third party risk Organizational commitment to third party risk management is not supported by confidence in the related technology and processes Third party risk is starting to feature consistently on Board agendas Visits to third party locations are considered the most effective assurance method Most organizations are mandating consistent third party governance Existing technology platforms for managing third parties are considered inadequate Organizations are in the process of deciding between centralized inhouse models and external service-provider based models for third party monitoring Deloitte: Third Party Governance and Risk Management, Global Survey 2016

8 Due Diligence Tools On-site reviews Assessments and questionnaires Attestations Documentation review Review assessments and certifications Security risk rating scores Contractual

9 Risk-Based Approach Risk Factors Vendor Prioritization Level of Due Diligence and Monitoring Service risks: Customer and financial impact Data sensitivity Compliance and regulatory Transaction volume Vendor risks: Geographic location Financial health Prior breaches Performance record Extent of work performed Organize into high, medium and low risk categories Prioritize high risk vendors for greater scrutiny Higher risk On-site reviews and more frequent monitoring Moderate risk telephone reviews and periodic monitoring Lower risk vendor self assessments follow up as required

10 Trust But Verify Assessment Model

11 Thank you

12 VENDOR RISK MANAGEMENT PANEL PRESENTED BY TANYA O CONNOR DIRECTOR, INFORMATION SECURITY November, ARCADIA HEALTHCARE SOLUTIONS NOT FOR REDISTRIBUTION. 12

13 ARCADIA OVERVIEW ABOUT ARCADIA ARCADIA IS AN EHR DATA AGGREGATION AND ANALYTICS COMPANY FOCUSED ON ENABLING OUR PARTNERS TO SUCCEED IN SHARED RISK USING INTEGRATED AMBULATORY, INPATIENT & ADMINISTRATIVE DATA. ARCADIA HAS ANALYZED OVER 35 MILLION PATIENTS NATIONALLY 35M 50K PATIENTS MEASURED PROVIDERS MEASURED SEATTLE th Ave. #925 Seattle, WA PITTSBURGH 29 West Main Street Carnegie, PA BOSTON 20 Blanchard Rd. #10 Burlington, MA PRACTICES 3000 IMPACTED 30+ EHR VENDORS CONNECTED CHICAGO 630 E Jefferson St. Rockford, IL 2002 YEAR FOUNDED 250 AWESOME EMPLOYEES 2017 ARCADIA HEALTHCARE SOLUTIONS NOT FOR REDISTRIBUTION. 13

14 ARCADIA OVERVIEW EXAMPLE CUSTOMERS PROVIDERS HEALTH PLANS 2017 ARCADIA HEALTHCARE SOLUTIONS NOT FOR REDISTRIBUTION. 14

15 BECOMING A TRUSTED BUSINESS PARTNER (FROM THE VENDOR PERSPECTIVE) ALIGNMENT OF INTERESTS ØSame rules/liabilities apply to vendors (business associates) and customers (covered entities) ØRequires a partnership approach to securing data ØDriven by HIPAA/HITECH compliance for both parties DUE DILIGENCE/TRUST BUT VERIFY MODEL Ø1-5 written assessments monthly ØSubmission of artifacts ØFollow-up questionnaires ØOnsite visits ØProving downstream vendor compliance 2017 ARCADIA HEALTHCARE SOLUTIONS NOT FOR REDISTRIBUTION. 15

16 BECOMING A TRUSTED BUSINESS PARTNER - CHALLENGES PRIVACY & SECURITY ASSESSMENTS ARE TIME/RESOURCE INTENSIVE Ø Steady stream of written and on-site assessments (no two are ever alike!) Ø Often times not relevant to our business model (CAIQ for example) Ø Existing culture shifts burden onto vendor (except large companies like Amazon) to fill out assessment rather than review existing security controls and submit follow-up questions MANAGING CLIENT EXPECTATIONS Ø Resolving differing interpretations of HIPAA requirements, for example: v HIPAA/HITECH doesn t specific a time frame for audit log retention ` v HIPAA/HITECH does not provide specific guidance regarding what content must be logged 2017 ARCADIA HEALTHCARE SOLUTIONS NOT FOR REDISTRIBUTION. 16

17 BECOMING A TRUSTED BUSINESS PARTNER CHALLENGES (CONT) PROVING DOWNSTREAM VENDOR COMPLIANCE Ø Responsible for articulating downstream vendor security & compliance v For AWS, we use ISO Certification, HIPAA security configurations, SOC 3 report, security control mappings, whitepapers, published information, and more Ø Verification of downstream vendor security controls v Done through research, assessments, contractual clauses, etc ARCADIA HEALTHCARE SOLUTIONS NOT FOR REDISTRIBUTION. 17

18 ADDRESSING THE CHALLENGES MOVING TOWARDS AN INDUSTRY-ACCEPTED UNIFIED FRAMEWORK Ø Dramatically reduces the number of assessments, eliminates the multitudes of unique artifacts collected on a yearly basis, and shifts the burden of oversight to Certification body Ø Defines control parameters (such as audit log retention timeframe and content) based on best practices so that there is less conflict when it comes to interpreting grey areas of the law Ø Certification affirms security & compliance of both vendor and downstream vendors v Arcadia has chosen HITRUST and its common security framework (CSF)* and are working towards certification by next year. *The HITRUST CSF is a certifiable framework that encompasses and harmonizes several other compliance frameworks and standards including HIPAA, HITECH, PCI, ISO/IEC, COBIT, NIST RMF and varying state requirements ARCADIA HEALTHCARE SOLUTIONS NOT FOR REDISTRIBUTION. 18

19 VENDOR RISK MANAGEMENT PANEL Gary S. Roboff, Senior Advisor November 3, 2017

20 The Shared Assessments Program Thought Leadership Training and Certification ü Industry Agnostic ü Member-driven ü Annual Third Party Risk Management Summit ü More than 650 third party risk professionals trained since 2015 (CTPRP) Resources Research Studies White Papers Webinars Workshops Assessment Tools ü Actionable, enterprise-wide solution-building ü Industry and technology specific peer working groups ü Examine the entire TPRM Landscape ü Assessment Tools up-to-date with regulations and threat landscape ü Licensees incorporate SA Program Tools to deliver effective ERM solutions to their clients 2017 The Santa Fe Group, Shared Assessments Program. All Rights Reserved. 20

21 Outsourcing Risks 2017 The Santa Fe Group, Shared Assessments Program. All Rights Reserved. 21

22 Assertion Statements SIG Privacy Tab Example: P.2 P.2.1 P.2.2 P.2.3 P.2.4 P.2.5 P.2.6 P.2.7 For Scoped Data, is personal information about individuals transmitted to or received from countries outside the United States? If yes, list the countries. Is information directly collected and used about individuals? Are notices provided (and where required, consents obtained) when information is directly collected from an individual? If yes, describe. Are there documented policies and operating procedures regarding limiting the personal data collected and its use? Are there policies and operating procedures for onward transfer of Scoped Data? If yes, describe. Is Safe Harbor /Privacy Shield status maintained with the Department of Commerce with respect to the data protection applicable to the European Union or other legitimizing method such as Model Contracts? If customer data is directly collected from individuals, does the customer have the ability to opt out? If customer data of individuals is retained, are there processes and procedures to enable individuals to access, correct, amend, or delete inaccurate information? P.2.8 Are there documented policies and procedures for cross border data flows of Scoped Data to the US from other countries. If yes, list the countries: 2017 The Santa Fe Group, Shared Assessments Program. All Rights Reserved. 22

23 Virtual Assessments Emerging Alternative to On-Site Assessments Hosted by Third Parties, Either: Regularly, as scheduled by third party (e.g., quarterly) As defined by contract (often annually), typically outsourcer determines timing Remotely Connected to Third Party; Vendor Demonstrates Controls, Shows Evidence, etc. Assertion Statement Due Diligence/Control Test Results Most are Interactive by Design Significantly Less Expensive for Both Outsourcer and Vendor Yields Perhaps 80% Value Compared to an On-Site Visit May not be appropriate for all mission-critical situations 2017 The Santa Fe Group, Shared Assessments Program. All Rights Reserved. 23

24 Onsite Control Testing AUP Privacy Test Procedure Example P.4 Third Party Privacy Agreements Objective: All entities that access, process or store client-scoped privacy data can be a risk to an organization or its clients. Management should ensure that all agreements with third parties contain specific clauses to ensure scoped privacy data is protected and that certain other privacy requirements are included. Risk Statement: The absence of privacy agreements with third parties where data is shared may lead to misunderstandings in protection, disclosure and compliance, as well as loss of legal standing, in case there is a disclosure or breach. Control: Privacy agreements detail privacy and protection requirements between the organization and its third parties that have access to scoped privacy data. Procedure: a. Using the sample of third parties from the list obtained in P.1 Scoped Privacy Data Inventory and Flows, obtain from the organization and selected third parties, via the organization, the privacy and security portions of the agreement with the organization in place for providing services and a representative sample of third party privacy and security sections of the agreements from each third party. b. Inspect each agreement chosen in the sample for evidence of the following attributes: 1. Third party requirement to protect all scoped privacy data and protected scoped privacy data. 2. Third party requirement to document the flow of scoped privacy data within its organization and to those third parties with whom it shares scoped privacy data. 3. Third party requirement to process scoped privacy data in accordance with the agreement. 4. Etc The Santa Fe Group, Shared Assessments Program. All Rights Reserved. 24

25 Continuous Monitoring Continuous third party risk monitoring is a real-time (or close to real-time) risk management approach designed to improve organizational awareness related to third party risks and potential control weaknesses as they emerge. Area Activity Being Monitored Risk Addressed Information Technology Information Security Privacy Human Resources Change Management, Network Connectivity Cyber Hygiene, Patch Management Data Obfuscation Employee Due Diligence, Background Checks, Access Management Device Connectivity, Identity Management, Penetration Testing Confidentiality, Integrity, Availability, Data Leakage, Vulnerability Exposure Encryption, Data Protection, Cross Boarder Data Flows Insider Threats, Social Engineering, Unauthorized Access 2017 The Santa Fe Group, Shared Assessments Program. All Rights Reserved. 25

26 Vendor Risk Management Model Maturity Levels Level 5 Continuous improvement - Organizations that strive toward operational excellence, understand best-in-class performance levels and implement program changes to achieve them through continuous improvement processes. Level 4 Fully implemented and operational Organizations in which vendor risk management activities are fully operational and all compliance measures (including metrics reporting and independent oversight) are in place. Level 3 Defined and established Organizations with fully defined, approved and established vendor risk management activity, where activities are not yet fully operational and where metrics reporting and enforcement are lacking. Level 2 Approved road map and ad hoc activity Organizations which perform third party risk activity on an ad hoc basis, but have a management approved plan to structure the activity as part an effort to achieve full implementation. Level 1 Initial visioning and ad hoc activity Organizations which perform third party risk management activities on an ad hoc basis, but are considering how to best structure third party risk activities as part of an effort to achieve full implementation. Level 0 Start-up or no TPRM activity New organizations beginning operations or organizations with no existing vendor risk management activities The Santa Fe Group, Shared Assessments Program. All Rights Reserved. 26

27 Board Engagement Correlates With Practice Maturity, Yet Most Boards Are Not Highly Engaged How engaged is your board of directors with cybersecurity risks relating to your vendors? High level of board engagement/understanding 29% 26% Medium level of board engagement/understanding 39% 37% Low level of board engagement/understanding 25% 27% Practice Maturity Level High engagement/ understanding by the board Medium engagement/ understanding by the board Low engagement/ understanding by the board Eight Category Average Source: 2017 Vendor Risk Management Benchmark Study, forthcoming, 2017 by The Santa Fe Group, Shared Assessments Program, and Protiviti, Inc The Santa Fe Group, Shared Assessments Program. All Rights Reserved. 27

28 De-risking: Exiting High Risk Relationships Over the next 12 months, what is the likelihood that your organization will move to exit or "de-risk" third-party relationships that are determined to have the highest risk? Extremely Likely 14% Somewhat Likely 39% Somewhat Unlikely 24% Not all all Likely 13% Don t Know 10% Which of the following are reasons why your organization may be more inclined to exit or "derisk" certain third-party relationships? (Multiple responses permitted.) It's become imperative from a risk and regulatory standpoint to also assess our 48% vendors' subcontractors The cost associated to access our vendors properly is becoming too high 29% We lack the internal support and/or skills for the required sophisticated forensic control 24% testing of our vendors We will not receive sufficient internal support to "de-risk" our third party relationships 18% We do not have the right technologies in place to access vendor risk properly 15% Source: 2017 Vendor Risk Management Benchmark Study, forthcoming, 2017 by The Santa Fe Group, Shared Assessments Program, and Protiviti, Inc The Santa Fe Group, Shared Assessments Program. All Rights Reserved. 28

29 Hot Topics GDPR Fourth Parties IoT Open Source Software Cloud De-Risking Resources Assessment Costs New York State Cyber Regs 2017 The Santa Fe Group, Shared Assessments Program. All Rights Reserved. 29

30 Questions 2017 The Santa Fe Group, Shared Assessments Program. All Rights Reserved. 30

31 Vendor Risk Management: GDPR Implications for Vendor Management 31

32 GDPR Implications for Vendor Management GDPR requires implementing a comprehensive vendor management program Vendor due diligence and audits Controllers may only use processors providing sufficient guarantees of their abilities to implement technical and organizational measures necessary to meet GDPR requirements (Art. 28) Existing vendor agreements must also be reviewed Consider conducting a Data Protection Impact Assessment ( DPIA ) prior to engaging a vendor (Art. 35) Long list of mandatory data processing provisions (Art. 28) Restrictions on sub-contracting (only with controller s prior consent and on same terms) (Art. 28) GDPR s direct compliance obligations and enhanced liability force processors to change their approach to data privacy compliance 32

33 GDPR Implications for Vendor Management (cont.) Vendor contracts should include (Art. 28): Details of data processing (e.g., subject-matter, duration, nature and purpose of processing, types of data, categories of data subjects) Processing only on controller s documented instructions (including international data transfers) Individuals processing data must be subject to duty of confidentiality Requirements to implement adequate security for processing Assist controller to comply with data subject rights (e.g., right of access, data portability, right to erasure ( right to be forgotten ), etc.) Assist controller in reporting data breaches and performing DPIAs Requirement to return or delete data after processing/end of the agreement Requirement to respond to controller s information request and submit to controller s audits Restrictions on engaging sub-processors 33

34 Thank You 34