Outsourcing and the Need for Supplier Audits


John A. Gatto, Retired
April 3, 2017

Agenda
- Why Audit Suppliers
- Outsourcing
- Supplier Risks
- Minimum Security Standards
- Audit Focus

Definitions
- Third Party: any entity not under direct business control of an organization
- 3rd Party Risk Management: encompasses supplier risk management and is more broadly focused on understanding organizational risks
- 3rd Party Inventory: comprehensive list of 3rd parties from across the enterprise (suppliers, business partners, marketing partners); should also include subsidiaries
- Understand which risks can be affected by a third party, either positively or negatively

High Level of Risk
- Access to / custody of vital information
- Critical to the success of the business

Why?
- $50 billion estimated annual losses to business from data and identity theft
- 3rd parties are a major source of data breaches of regulated data
- 74% of companies do not have a complete inventory of all 3rd parties that handle personal data of their employees and customers (A)
- 73% of companies lack incident response processes to report and manage breaches to 3rd parties that handle data (A)
- Breaches and noncompliance can lead to brand reputation damage, fines, lost revenue and/or regulatory sanctions
- Financial impact: investigations, legal fees, monitoring services for victims, reissuance of credit cards, government fines, etc.
(A) PwC 2014 Global State of Information Security Survey

Regulatory Requirements
- GLBA, ISO, PCI, FDIC regulations, HIPAA, FFIEC, OCC

Key 2016 CEB Hot IT Spots: Third Party Relationships
Add to audit plan:
- 3rd Party Contract Evaluation
- 3rd Party Compliance Review
- Supply Chain Management Assessment
- Third party information security audit
Because:
- Externalization of application development, infrastructure operations and back office processing is continuing to rise
- Complex sourcing options and persistent economic volatility, poorly structured contracts, ineffective supplier risk management and lower quality services

Key 2016 CEB Hot IT Spots: Key Risk Indicators
- Number of compliance violations attributed to 3rd parties
- Number of 3rd parties with access to sensitive company data
- Use of right to audit clause
- Number of 3rd party contracts established outside the procurement function
- Frequency of business interruptions caused by 3rd party control breakdowns

Outsourcing
- Transform non-core business processes and ensure that maximum value from resources is focused on core processes
- Partnering with an outsourcer is a very effective means to build a company that is capable of meeting future needs and turning on a dime at a moment's notice
- Delegate one or more business processes to an external provider who owns, administers or manages the processes based on performance metrics

Outsourcing Risks
- Handling and processing of data
- Security and access
- Retention of data
- System availability
- Specific business factors

Areas for Outsourcing
- IT
- Accounting
- Corporate Services
- Document Management
- Healthcare processing
- Call Centers
- SOX / MAR Compliance
- CRM
- Storage Facilities
- Printing
- Internal Audit
- Real Estate
- Product Development

Major Types of IT Outsourcing
- Application management
- Infrastructure management
- Help desk services
- Independent testing / validation services
- Data center management
- Systems integration
- R&D services
- Managed security

Outsourcing Life Cycle
Alignment
- Validating the strategy
- Identifying options
- Preparing the business model
- Agreeing on sponsorship and building the team
Feasibility
- Building the business model and case
- Creating the baseline
- Understanding the market
- Assessing and benchmarking options

Outsourcing Life Cycle (continued)
Transaction
- Structuring the deal
- Agreeing on outsourced assets
- Negotiating the contract
- Delivering the deal and the business case
Transition
- Delivering the change
- Getting quick returns on investment
- Establishing the culture
- Managing people
Optimization & Transformation
- Monitoring the contract and resolving disputes
- Transforming the business
- Reassessing the relationship
- Delivering the business case and realizing the benefits
Termination / Renegotiation
- Determine SLA adherence by both parties
- Decide if the agreement should continue or end
- If end, invoke the termination process
- If continue, renegotiate the contract

Supplier Risk Problems
- What types of data do my suppliers have access to?
- How are my suppliers protecting my data?

Highest Risk Industries
- Government
- Financial Services
- Healthcare
- Payroll Management Companies
- Banking
- Investment / Fund Managers

Outsourcing Life Cycle - Risks
- Alignment: outsourcing strategy is not aligned with corporate objectives.
- Feasibility: assumptions (payback period and savings) are wrong; inadequate due diligence from suppliers and the organization's failure to assess relevant risks.
- Transaction: procurement policies not met; proper service-level agreements not implemented; regulatory implications not considered; contingency arrangements not planned.
- Transition: lack of formal transition planning, failure to plan for retention of appropriate skills, and ineffective escalation and resolution of operational IT issues.
- Optimization and Transformation: outsourcing contract is not managed effectively; outsourcing benefits and efficiencies are not achieved.
- Termination and Renegotiation: inadequate termination of outsourcing processes.

Risk Management
- Supplier Risk Management: the process of assessing, mitigating and remediating key areas of risk around the suppliers that provide services to an organization
- Customer Risk Management: the process of responding to, mitigating and remediating key areas of risk identified by customers. This is both a proactive (self identified) and a reactive (customer identified) process
(Diagram: data flows from Suppliers into the Enterprise and on to Customers.)

TPRM - What It Is
- Third Party Risk Management (TPRM) is the process of analyzing and controlling risks presented to your company, your data, your operations and your finances by parties other than your own company.
- Due Diligence is the investigative process by which a company or other third party is reviewed to determine its suitability for a given task.
- Due diligence is an ongoing activity, including review, monitoring, and management communication over the entire vendor lifecycle.
- There is no universally accepted framework for TPRM comparable to COBIT or COSO.

Parties in Risk Management
- Business Operations
- IT
- Security
- Finance
- Legal
- Compliance
- Procurement
- Internal Audit

TPRM - Process
- Initial Risk Review (based on risk tier): documentation review; on-site review; business process documentation; inherent risk / residual risk; remediation plan
- Ongoing Monitoring: both for changed risks and for changes at the third party
- Recurring Reviews: based on risk tier

Classes of Data Suppliers Handle
- Public
- Internal
- Restricted
- Confidential

Types of Data Suppliers Handle

Confidential
- Examples of data: protected health information; medical records; patient / member information; treatment & condition information; credit card information; payroll information; employee performance data; HR and personnel records; member address; phone number; biometric info; address; date of birth; investigations; tax information; employee info
- Example supplier relationships: outsourced software development; outsourced software maintenance and support; customer / member helpdesk; claims processing; mail / envelope stuffing and fulfillment; payroll and check printing services; benefits administration services; tax compliance services; HR consulting and outsourcing services

Restricted
- Examples of data: proprietary and trade secrets; proprietary code & business logic; highly sensitive reports; budgets; financial data; projections
- Example supplier relationships: mission critical consultants and contractors; professional services firms

Internal
- Examples of data: reports / assessments; findings and recommendations; strategy / roadmap documents; internal company memoranda; telemarketing; surveys
- Example supplier relationships: consultants and advisory firms; professional service contractors

Public
- Examples of data: marketing and promotional materials; mailings and solicitations; public relations; campaigns and outreach; advertising material; web and media
- Example supplier relationships: advertising agency; event marketing firm; web-design and digital media services; printing and graphics design; marketing and survey companies

Risk Levels by Types of Data
(Chart: risk level rises from Low to High as the classification of data handled by the supplier moves from Public through Internal and Restricted to Confidential.)

Supplier Risks
- Contract language not clear / missing a critical component
- Cannot meet the contract due to financial issues
- Security issues / data breaches affect the company brand
- Adherence to employment requirements
- Not able to provide services that match SLAs
- Inadequate recovery processes

Supplier Risks (continued)
- Country specific laws and regulations hinder performance
- Access to data outside of the business arrangements
- Subcontractors do not adhere to main contract provisions
- Cost reductions not met
- Loss of business knowledge
- Customer restrictions
- Process discipline
- Scope creep
- Turnover of key personnel
- Knowledge transfer
- Internal control structure
- Culture

Supplier Landscape Considerations
- On-shore versus offshore suppliers: there are risks in both; many customers are sensitive about the availability of their data to off-shore personnel
- Volume & sensitivity of data: increased reliance on supplier solutions to work with your most sensitive data requires that you are cognizant of the shared risk
- How data is accessed, stored, transmitted & viewed: more control when suppliers access the data via your network; more risk when data leaves your network
- Maturity of the supplier & the supplier's security program: understand the supplier's commitment to security & reducing risk; a stolen unencrypted laptop can harm company reputation if data is exposed

Supplier Contracting
(Diagram: supplier contracting draws on Privacy, Business, Audit, Security and Legal.)

Supplier Security Controls: Life Cycle Phase Considerations
- Strategy & Planning: privacy, audit, legal & security requirements
- RFP: supplier ability and method to meet contractual requirements; supplier security controls questionnaire
- Contracting: Business Associate Agreements; minimum security requirements
- Implementation: requirements for data access, connectivity, data transfer, etc.; understanding the process for incident notification
- Monitoring: supplier security controls questionnaire; supplier assessments / audits
- Contract Termination: protocols over data when the relationship no longer exists

Due Diligence
- Audited financial statements
- Experience & capabilities
- Business reputation
- Qualifications & experience
- Scope of internal controls, systems, data security and audit coverage
- Existence of significant complaints, litigation or regulatory actions
- Business resumption strategy & contingency plans
- Use of other parties or subcontractors
- Adequacy of management information systems
- Supplier management processes
- Insurance coverage

Contract Risks
- Understanding your needs
- Establishing stakeholders and defining roles
- Defining business and technical requirements
- Defining supplier requirements
- Supplier outsourcing

Key Contract Components
- Scope
- Data protection, privacy, and intellectual property
- Price protections
- Third-party assignments
- Ownership of assets used or created by the partnership
- Conflicts among different legal systems
- Contingency planning and change management
- Right to audit
- Termination
- Dispute resolution
- Confidentiality & security

Key Items to Understand
- How is the contract structured for suppliers: standard, Master Service Agreement, amendments, exhibits, appendices, etc.?
- Do you have a right to audit clause in the contract?
- Are services detailed?
- Are locations identified and addresses provided?
- Are resources assigned?
- Is system access identified?
- Are minimum security requirements included?

Minimum Security Requirements
- Security Assessment: conduct an annual security assessment; identified gaps get remediation plans
- Security Officer: appoint a person who is either the Security Officer and/or is responsible for compliance
- Implement Security Policies and Procedures: document the administrative, technical and physical controls to protect data; include appropriate disciplinary provisions for data security violations

Minimum Security Requirements (continued)
- Awareness & Training: have data security awareness and training; personnel receive training prior to contact with data
- Security Monitoring: continuously monitor security events / conduct periodic reviews of activity; implement hardware, software and procedural audit control mechanisms
- Incident Response: timely notification of suspected / actual data compromise; steps to prevent further damage and corrective action steps to stop the incident from recurring

Minimum Security Requirements: Physical Security
- Monitor building exterior and all entrances
- Process for logging and escorting visitors
- Deploy / monitor cameras 24x7
- Deploy and use an electronic access control system
- Have solid floor-to-ceiling walls
- Provide alternate power sources
- Do not display any information about the Company
- Data received on paper or portable media is stored in locked containers, etc.

Minimum Security Requirements: Physical Security outside the US (additional requirements)
- Be enclosed by a compound wall with entry/exit gate attended by a security guard 24x7
- Restricted access parking requires: vehicle identifiers; vehicle examination prior to entrance (visual inspection of undercarriage, interior of vehicle, interior of trunk, etc.); presentation of employee identification badge prior to entrance

Minimum Security Requirements: Workstation Security
- Workstations shall be positioned so that XYZ data is not visible outside of the designated XYZ production area
- Workstations shall lock after no more than 10 minutes of inactivity
- Supplier personnel shall be instructed to lock their workstations whenever they are away from their desks
- Laptops shall not be used to access, process, transmit or store data
- Print capability is disabled
- Access to applications is limited; applications not required for processing data are disabled
- USB and CD/DVD drives are disabled
- End-point firewalls are installed on all supplier workstations and configured to prevent unauthorized network access attempts

Minimum Security Requirements: Subcontractors
- Do not employ subcontractors unless express written permission is granted prior to implementing the arrangement
- Monitor activities of subcontractors for compliance with the Agreement

Minimum Security Requirements: Encryption
- Comply with standards provided by the National Institute of Standards and Technology (NIST)
- For data in transit, use encryption technologies that comply with NIST and applicable state and federal regulations ("Approved Encryption")
- Implement technical security measures to guard against unauthorized access to data that is being transmitted over an electronic communications network
- Encryption shall be the primary means of securing the data while in transit

Other Security Requirements
- Hard copy documentation
- Remote access / network security
- Asset tracking, disposal & destruction
- Security safeguards for data in transit
- Anti-malware
- Patch management
- Logical separation of data
- Access to data
- Development & testing
- Business continuity / disaster recovery

Why Lax Supplier Management?
- No formal program or owner
- No formal framework or guidance, so people don't know where to start
- Time consuming
- Too many vendors to assess, or no vendor inventory to know who to assess
- Manual, spreadsheet-driven process
- Vendors may be brought in as a personal referral

Supplier Governance Framework
- Align every IT outsourcing contract with the organization's key business objectives
- Set up a monitoring mechanism
- Manage changes in IT projects and services across complex portfolios
- Define well-integrated IT management processes for the client and service provider
- Define specific ownership of key contract terms
- Establish direct and visible accountability for IT performance

Monitoring
- Which suppliers require monitoring
- What should be monitored
- Who should conduct the monitoring
- How frequently
- When to do on site versus remote

Compliance Elements
- Legal and Regulatory Compliance: is the supplier compliant with regulators and self-regulatory organizations?
- Financial Condition: in addition to the vendor's current financial condition, assess the third-party supplier's growth, earnings, pending litigation and any other factors that may affect the supplier's overall stability.
- Business Reputation: does the supplier have a history of complaints performing the activities the company is planning to outsource?
- Compliance / Risk Management: only work with third-party suppliers that have processes in place for ensuring compliance with contractual and regulatory requirements and following industry best practices.
- Subcontracting: assessments should include validation that the supplier is in compliance with contractual provisions concerning supplier outsourcing.

Compliance Elements (continued)
- Business Continuity: a third-party supplier should have a plan in place to respond to service disruptions ranging from Internet outages to cyber-attacks or natural disasters.
- Physical and IT Security: the vendor should have controls in place to ensure its IT systems are protected from external and internal attacks and that its computers and servers are protected from theft.
- The Right to Audit and Require Remediation: before entering into an agreement, establish your right to audit the third party and to require remediation when issues are identified.
- Termination: procedures should also be spelled out in some level of detail should the third party be unwilling or unable to fulfill its compliance and performance obligations.

Audit Planning: Key Questions
- Who are your key suppliers?
- Who maintains the supplier inventory and how is it updated?
- What can the supplier provide in terms of assurance (SOC 2 report, HITRUST certification)?
- Do you have a right to audit clause in the contract? How clear is it? Do you exercise it?
- Does your company have a centralized supplier management program?

Audit Focus
- Internal Audit (IA) needs to be independent and determine if TPRM controls are designed properly and operating as designed
- TPRM is the second line of defense, and the operational aspects of the program should be reviewed with key stakeholders
- IA is the 3rd line of defense and should focus on 3rd party on-site activities required by the program
- Depending on who owns the controls, IA will need to review that area for sustainability
- The supplier owner must be in compliance with the contract; IA needs to audit that area also
- IA should be reviewing the compensating controls that help minimize risks and monitor all remediations needed

Audit Focus (continued)
- Have one person facing off with 3rd party management, who:
  - Sets the audit standard for 3rd party audit programs
  - Acts as SME on 3rd party risk management within audit
  - Conducts reviews and identifies potential risks and required remediation
  - Develops an opinion of the overall design and effectiveness of the TPRM

Key Audit Focus
- Supplier selection / governance
- Supplier security
- Supplier management procedures

Key Controls: Supplier Operations
- Overall control environment
- Security considerations
- Data protection
- Network, physical, environmental, personnel and logical access security
- SDLC controls
- Change management controls
- HR policies and procedures

What Should Audit Do?
- Supplier Selection: obtain a list of all suppliers; who is approved to update the list; statistics on spend; criticality to core business functions
- Supplier Audits: questionnaire; rank results; follow-up calls with suppliers; site visits
- Supplier Oversight: reporting; meetings; site visits; KPIs
- Supplier Termination: assess the vendor termination control environment; ensure data is properly returned or destroyed; review contract termination controls
- Audit Reports: identify gaps; follow up on remediation

Audit Approach
1. Identify the services provided
2. Identify the potential risks
3. Document security and privacy controls
4. Document gaps
5. Recommend enhancements

Audit Approach: Steps 1-3
- Identify the Services Provided: What information is accessed, managed or handled? Does the supplier store any critical information? Does the supplier have access to the information via a connection to the network? Does the supplier provide access to critical data?
- Identify the Potential Risks: based on the services provided, identify the areas of potential risk; use COBIT, ISO 27001, NIST or your own questionnaire; if the data is not confidential, do you need to audit this supplier? Document the risk for each service activity.
- Document Security and Privacy Controls: identify security controls for each risk identified in step 2; for each control, refer to documentation or evidence of the effectiveness of the control; request SOC 1, SOC 2 or penetration test reports.

Audit Approach: Steps 4-5
- Document Gaps: compare the controls of the supplier with industry best practices; identify areas where controls are missing or substandard; focus on areas that could impact confidential data and brand image.
- Recommend Enhancements: prioritize the risks associated with the gaps; recommend solutions to bridge the gaps; prioritize the timing of the enhancements; determine if the report will be an advisory or an audit based on the risk ranking; identify follow-up items and the personnel responsible.

Audit Domains
- Organizational
- Network and Server Security
- Physical Security and Environmental
- Change Management
- Workstation Security
- Corporate Continuity
- Logical / Data Access
- Supplier Governance
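The audit approach above (tier the supplier by the data it handles, document controls, document gaps, prioritize and decide between an audit and an advisory report), applied to the Minimum Security Requirements slides, as an added Python example that is not part of the presentation. The tier rules, control identifiers, the 72-hour notification figure, the review cadence and the questionnaire field names are assumptions made for illustration; the requirement wording follows the slides, and the TLS 1.2 minimum comes from NIST SP 800-52r2. The supplier questionnaire answers are constructed sample data.

```python
"""Supplier risk tiering and minimum-security-requirement gap analysis.
Added example, not material from the presentation. Tier rules, control IDs,
review cadence and questionnaire field names are assumptions for illustration;
the requirement text follows the slides."""
from dataclasses import dataclass

TIERS = ["Low", "Medium", "High"]
# Assumed reading of the "Risk Levels by Types of Data" chart.
BASE_TIER = {"Public": 0, "Internal": 0, "Restricted": 1, "Confidential": 2}
REVIEW_MONTHS = {"Low": 36, "Medium": 24, "High": 12}   # assumed cadence per tier
APPROVED_TLS = {"TLSv1.2", "TLSv1.3"}                    # NIST SP 800-52r2: TLS 1.2 or later
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5")  # disallowed families


@dataclass
class Supplier:
    name: str
    data_classes: list         # classifications of data the supplier handles
    data_leaves_network: bool  # stored or processed off our network
    offshore: bool             # work performed outside the US
    evidence: dict             # questionnaire answers / audit evidence


def inherent_risk(s: Supplier) -> str:
    """Tier from the most sensitive data class, raised one step when data
    leaves our network and one more when the work is offshore."""
    level = max(BASE_TIER[c] for c in s.data_classes)
    level += int(s.data_leaves_network) + int(s.offshore)
    return TIERS[min(level, len(TIERS) - 1)]


def weak_ciphers(names):
    """Cipher suite names containing a disallowed algorithm family."""
    return [n for n in names if any(m in n.upper() for m in WEAK_CIPHER_MARKERS)]


# (control id, requirement, applies-to-supplier predicate, passes-evidence predicate)
CONTROLS = [
    ("SEC-1", "Annual security assessment conducted",
     lambda s: True, lambda e: e["months_since_assessment"] <= 12),
    ("IR-1", "Timely notification of data compromise (72h assumed contract term)",
     lambda s: True, lambda e: e["incident_notification_hours"] <= 72),
    ("WS-1", "Workstations lock after no more than 10 minutes of inactivity",
     lambda s: True, lambda e: e["lock_timeout_minutes"] <= 10),
    ("WS-2", "Laptops not used to access, process, transmit or store data",
     lambda s: True, lambda e: not e["laptops_used"]),
    ("WS-3", "USB and CD/DVD drives disabled",
     lambda s: True, lambda e: e["removable_media_disabled"]),
    ("WS-4", "End-point firewall on all supplier workstations",
     lambda s: True, lambda e: e["endpoint_firewall"]),
    ("ENC-1", "Data in transit uses NIST-approved TLS versions only",
     lambda s: s.data_leaves_network, lambda e: e["tls_min_version"] in APPROVED_TLS),
    ("ENC-2", "No weak cipher suites offered for data in transit",
     lambda s: s.data_leaves_network, lambda e: not weak_ciphers(e["tls_ciphers"])),
    ("SUB-1", "Subcontractors only with prior express written permission",
     lambda s: True,
     lambda e: not e["subcontractors_used"] or e["subcontractor_written_approval"]),
    ("PHY-1", "Offshore site enclosed by compound wall, gate attended 24x7",
     lambda s: s.offshore, lambda e: e["perimeter_guarded_24x7"]),
]


def assess(s: Supplier) -> dict:
    """Tier the supplier, test every applicable control against the evidence,
    list the gaps and decide report type, gap priority and review cadence."""
    tier = inherent_risk(s)
    gaps = [(cid, text) for cid, text, applies, passes in CONTROLS
            if applies(s) and not passes(s.evidence)]
    return {"supplier": s.name, "tier": tier, "gaps": gaps,
            "report_type": "audit" if tier != "Low" else "advisory",
            "gap_priority": {"High": "P1", "Medium": "P2", "Low": "P3"}[tier],
            "review_every_months": REVIEW_MONTHS[tier]}


# Constructed sample: offshore claims processor holding PHI off our network.
CLAIMS_PROCESSOR = Supplier(
    name="Example Claims Services", data_classes=["Confidential", "Internal"],
    data_leaves_network=True, offshore=True,
    evidence={"months_since_assessment": 8, "incident_notification_hours": 24,
              "lock_timeout_minutes": 15, "laptops_used": False,
              "removable_media_disabled": True, "endpoint_firewall": True,
              "tls_min_version": "TLSv1.0",
              "tls_ciphers": ["ECDHE-RSA-AES128-GCM-SHA256", "DES-CBC3-SHA", "RC4-SHA"],
              "subcontractors_used": True, "subcontractor_written_approval": False,
              "perimeter_guarded_24x7": True})

if __name__ == "__main__":
    report = assess(CLAIMS_PROCESSOR)
    print(f"{report['supplier']}: tier {report['tier']}, {report['report_type']} "
          f"report, review every {report['review_every_months']} months")
    for cid, text in report["gaps"]:
        print(f"  {report['gap_priority']} {cid}: {text}")
```

For the constructed claims processor the output is a High-tier audit finding with four gaps: the 15-minute lock timeout, TLS 1.0 accepted for data in transit, 3DES and RC4 suites still offered, and an unapproved subcontractor. The controls table is the place to grow: each row pairs a requirement from the slides with the evidence field an auditor would request, so the same run produces the "document gaps" and "recommend enhancements" steps without a spreadsheet.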

Audit Domain Coverage
- Organization: controls in place to ensure that audit risks are identified and mitigated properly; personnel policies in place regarding employee hiring, candidate background checks as permitted by applicable local laws, orientation, and training
- Physical Security and Environmental Controls: building exterior and physical access security controls in place to prevent unauthorized access (on and offshore); identification badge controls; environmental safeguards; safeguards surrounding the destruction and disposal of sensitive information; physical access to the production area restricted to prevent unauthorized access; materials allowed to be brought into the workspace limited based on the supplier services provided
- Workstation Security: controls in place to secure sensitive data on computer workstations (on shore and off shore locations), secure workstation assets and data, and protect mobile computing assets such as tablet computers and mobile phones
- Logical / Data Access: general controls in place to prevent unauthorized access to information resources (internal) and computer resources (external)

Audit Domain Coverage (continued)
- Network and Server Security: controls in place to detect and prevent network threats; apply security updates and harden settings for application and database servers; identify, escalate, and track security incidents until resolution; ensure that remote or wireless access to the network is disabled or securely controlled. Technical safeguards in place for data in transit and for data at offshore supplier locations
- Change Management and Regulatory Compliance: change management controls in place to ensure that only authorized, tested, and documented changes are made to the system; organizational controls in place to monitor and track compliance; HIPAA and security awareness training communicated to employees
- Corporate Continuity Controls (BC/DR): Business Continuity / Disaster Recovery plans established and in place; data storage and backup activities occur on a scheduled basis and are available for file recovery and disaster recovery events; controls in place to ensure that computer equipment is disposed of and recycled securely
- Supplier Governance: controls in place to ensure that third parties the supplier has contracted with are adequately managed

Audit Implications
- Service level management
- Contractual requirements
- Data transmission controls
- Data security / privacy
- Continuity / availability of systems
- Operational controls
- Availability of SOC 1, SOC 2, ISO 17799 reports
- Supplier internal audit function

Key Take Aways
1. As companies focus on core business practice, they outsource more functions to specialized suppliers; suppliers differ by industry: retailers, manufacturers, insurance, etc.
2. Most companies struggle with managing their suppliers; no one does it perfectly
3. The solution requires an enterprise effort; it is required by, and under increased focus from, customers and regulatory agencies across all disciplines

End of Presentation
Any questions?
Join #IIAChi, Institute of Internal Auditors


More information

Top 5 Must Do IT Audits

Top 5 Must Do IT Audits Top 5 Must Do IT Audits Mike Fabrizius, Sharp HealthCare, VP, Internal Audit DJ Wilkins, KPMG, Partner, IT Advisory 2011 AHIA Annual Conference www.ahia.org Background on Sharp HealthCare Sharp s Co-sourcing

More information

Navigating the Intersection of Vendor Management and Business Continuity

Navigating the Intersection of Vendor Management and Business Continuity Navigating the Intersection of Vendor Management and Business Continuity MICHAEL BERMAN, J.D. Table of Contents Why are we here? Business Continuity and Vendor Management Primary Intersection BCP Each

More information

Standard Statement and Purpose

Standard Statement and Purpose Personnel Security Standard Responsible Office: Technology Services Initial Standard Approved: 10/23/2017 Current Revision Approved: 10/23/2017 Standard Statement and Purpose Security of information relies

More information

CHARTER OF THE AUDIT COMMITTEE NATIONWIDE MUTUAL INSURANCE COMPANY NATIONWIDE MUTUAL FIRE INSURANCE COMPANY NATIONWIDE CORPORATION

CHARTER OF THE AUDIT COMMITTEE NATIONWIDE MUTUAL INSURANCE COMPANY NATIONWIDE MUTUAL FIRE INSURANCE COMPANY NATIONWIDE CORPORATION CHARTER OF THE AUDIT COMMITTEE NATIONWIDE MUTUAL INSURANCE COMPANY NATIONWIDE MUTUAL FIRE INSURANCE COMPANY NATIONWIDE CORPORATION ESTABLISHMENT The Audit Committees are committees of the Board of Directors

More information

UNIVERSITY STANDARD. Title UNIVERSITY OF NORTH CAROLINA AT CHAPEL HILL STANDARD ON ENTERPRISE DATA GOVERNANCE. Introduction

UNIVERSITY STANDARD. Title UNIVERSITY OF NORTH CAROLINA AT CHAPEL HILL STANDARD ON ENTERPRISE DATA GOVERNANCE. Introduction UNIVERSITY STANDARD Issuing Office Responsible University Title UNIVERSITY OF NORTH CAROLINA AT CHAPEL HILL STANDARD ON ENTERPRISE DATA GOVERNANCE PURPOSE Introduction This Standard to the Policy on Enterprise

More information

AUDIT COMMITTEE OF THE BOARD OF DIRECTORS OF THE TORONTO-DOMINION BANK CHARTER

AUDIT COMMITTEE OF THE BOARD OF DIRECTORS OF THE TORONTO-DOMINION BANK CHARTER AUDIT COMMITTEE OF THE BOARD OF DIRECTORS OF THE TORONTO-DOMINION BANK CHARTER ~ ~ Supervising the Quality and Integrity of the Bank's Financial Reporting ~ ~ Main Responsibilities: overseeing reliable,

More information

Integrating COSO s Fraud Risk Management Guide on an Enterprise Scale

Integrating COSO s Fraud Risk Management Guide on an Enterprise Scale Integrating COSO s Fraud Risk Management Guide on an Enterprise Scale September 15, 2017 Vincent Walden Partner EY Atlanta Delores White Director, Internal Audit Southern Company Scott Hulsey Chief Compliance

More information

Data protection in light of the GDPR

Data protection in light of the GDPR Data protection in light of the GDPR How to protect your organization s most sensitive data Why is data protection important? Your data is one of your most prized assets. Your clients entrust you with

More information

GDPR and Canadian organizations: Addressing key challenges GDPR and Canadian organizations: Addressing key challenges

GDPR and Canadian organizations: Addressing key challenges GDPR and Canadian organizations: Addressing key challenges GDPR and Canadian organizations: Addressing key challenges GDPR and Canadian organizations: Addressing key challenges Cyber Risk 1 GDPR and Canadian organizations: Addressing key challenges The regulation

More information

GUIDELINES FOR IMPLEMENTING A PRIVACY MANAGEMENT PROGRAM For Privacy Accountability in Manitoba s Public Sector

GUIDELINES FOR IMPLEMENTING A PRIVACY MANAGEMENT PROGRAM For Privacy Accountability in Manitoba s Public Sector GUIDELINES FOR IMPLEMENTING A PRIVACY MANAGEMENT PROGRAM For Privacy Accountability in Manitoba s Public Sector TABLE OF CONTENTS INTRODUCTION... 2 Accountable privacy management 2 Getting started 3 A.

More information

REQUEST FOR PROPOSAL FOR INFORMATION TECHNOLOGY SERVICES

REQUEST FOR PROPOSAL FOR INFORMATION TECHNOLOGY SERVICES REQUEST FOR PROPOSAL FOR INFORMATION TECHNOLOGY SERVICES 2018-003 Pines Behavioral Health 200 Vista Drive Coldwater MI Phone 517-278-2129 1 NOTICE REGARDING DISCLOSURE OF CONTENTS OF DOCUMENT All responses

More information

IT Framework Memorandum. For. Supervised Institutions

IT Framework Memorandum. For. Supervised Institutions CENTRALE BANK VAN CURAÇAO EN SINT MAARTEN (Central Bank) IT Framework Memorandum For Supervised Institutions WILLEMSTAD, Updated version April 2011 IT Framework Memorandum for Supervised Institutions 1.

More information

4A s Client Audit Guidance

4A s Client Audit Guidance 4A s MSA Guidance Series January 2017 4A s Client Audit Guidance A Guidance Directive from the American Association of Advertising Agencies 4A s Client Audit Guidance A Guidance Directive from the American

More information

ERP IMPLEMENTATION RISK

ERP IMPLEMENTATION RISK ERP IMPLEMENTATION RISK Kari Sklenka-Gordon, Director at RSM National ERP Risk Advisory Leader March 2017 2015 2016 RSM US LLP. All Rights Reserved. Speaker Kari Sklenka-Gordon National RSM ERP Risk Advisory

More information

Tier I assesses an institution's process for identifying and managing risks. Tier II provides additional verification where risk is eviden

Tier I assesses an institution's process for identifying and managing risks. Tier II provides additional verification where risk is eviden Appendix A: Examination Procedures EXAMINATION OBJECTIVE: Determine the quality and effectiveness of the organization's business continuity planning process, and determine whether the continuity testing

More information

Ohio Public Employees Retirement System. Request for Proposal

Ohio Public Employees Retirement System. Request for Proposal Ohio Public Employees Retirement System For: Consulting Services for Development of the Business Intelligence & Analytics Office Date: 9/11/2017 Project Name: Business Intelligence & Analytics Program

More information

PART THREE: Work Plan and IV&V Methodology (RFP 5.3.3)

PART THREE: Work Plan and IV&V Methodology (RFP 5.3.3) PART THREE: Work Plan and IV&V Methodology (RFP 5.3.3) 3.1 IV&V Methodology and Work Plan 3.1.1 NTT DATA IV&V Framework We believe that successful IV&V is more than just verification that the processes

More information

Understanding Internal Controls Office of Internal Audit

Understanding Internal Controls Office of Internal Audit Understanding Internal Controls Office of Internal Audit July 2015 Objectives for this manual Provide guidance to help management understand their responsibility to ensure that internal controls are established,

More information

Building and Maintaining a Business Continuity Program

Building and Maintaining a Business Continuity Program Building and Maintaining a Business Continuity Program Successful strategies for financial institutions for effective preparation and recovery 1 Building and Maintaining a Business Continuity Program Table

More information

Carahsoft End-User Computing Solutions Services

Carahsoft End-User Computing Solutions Services Carahsoft End-User Computing Solutions Services Service Description Horizon View Managed Services Gold Package Managed Services Packages Options # of Desktops to be Managed Desktop Type Duration of Services

More information

The General Data Protection Regulation (GDPR): Getting in good shape for the deadline Copenhagen, 19 September 2017 Janus Friis Bindslev Partner,

The General Data Protection Regulation (GDPR): Getting in good shape for the deadline Copenhagen, 19 September 2017 Janus Friis Bindslev Partner, The General Data Protection Regulation (GDPR): Getting in good shape for the deadline Copenhagen, 19 September 2017 Janus Friis Bindslev Partner, Deloitte, Cyber Advisory Table of Contents Introduction

More information

Analysis of ISO 9001:2015 against the ICoCA Certification Assessment Framework

Analysis of ISO 9001:2015 against the ICoCA Certification Assessment Framework Analysis of ISO 9001:2015 against the ICoCA Certification Assessment Framework As detailed in the ICoCA Certification Procedure, the Board of Directors assesses and recognizes standards for potential recognition

More information

KPMG s Major Projects Advisory Project Leadership Series: Stakeholder Management and Communication

KPMG s Major Projects Advisory Project Leadership Series: Stakeholder Management and Communication KPMG Global Energy Institute KPMG International KPMG s Major Projects Advisory Project Leadership Series: Stakeholder Management and Communication Stakeholder management and communication is critical to

More information

The Case for Outsourcing Accounts Payable

The Case for Outsourcing Accounts Payable Presented by Lynn Belletti BNY Mellon Transaction Processing Director The & Procure-To-Pay Conference & Expo is produced by: The world is changing. How will you respond to the new pressures of regulatory

More information

Triple C Housing, Inc. Compliance Plan

Triple C Housing, Inc. Compliance Plan Triple C Housing, Inc. Compliance Plan Adopted by Board of Directors on draft November 13, 2014 Overview Triple C Housing, Inc. is committed to its consumers, employees, contractual providers, vendors,

More information

Information Technology Risks in Today s Environment

Information Technology Risks in Today s Environment Information Technology s in Today s Environment - Traci Mizoguchi Enterprise Services Senior Manager, Deloitte & Touche LLP Agenda Overview Top 10 Emerging IT s Summary Q&A 1 Overview Technology continues

More information

CORE VALUES AND CODE OF CONDUCT

CORE VALUES AND CODE OF CONDUCT CORE VALUES AND CODE OF CONDUCT CORE VALUES AND CODE OF CONDUCT Colorado Access, its subsidiaries and affiliated entities, are dedicated to providing access to high quality healthcare services to members

More information

BENEFITS OF AN EFFECTIVE OUTSOURCING STRATEGY. March 1, 2017

BENEFITS OF AN EFFECTIVE OUTSOURCING STRATEGY. March 1, 2017 BENEFITS OF AN EFFECTIVE OUTSOURCING STRATEGY March 1, 2017 RSM overview Fifth largest audit, tax and consulting firm in the U.S. Over $1.6 billion in revenue 80 cities and more than 8,000 employees in

More information

ITS Service Level Agreement

ITS Service Level Agreement SAN JACINTO COMMUNITY COLLEGE DISTRICT ITS Document Owner: ITS Customer Care 01/10/2012 Change Log: Revision Number Date Changes By PG5-SEC5.3 1/7/2015 Norberto Valladares PG5-SEC5.3 2/25/2015 Norberto

More information

THE UNIVERSITY OF TEXAS-PAN AMERICAN OFFICE OF AUDITS & CONSULTING SERVICES. Department of Communication Report No

THE UNIVERSITY OF TEXAS-PAN AMERICAN OFFICE OF AUDITS & CONSULTING SERVICES. Department of Communication Report No THE UNIVERSITY OF TEXAS-PAN AMERICAN OFFICE OF AUDITS & CONSULTING SERVICES Report No. 15-02 OFFICE OF INTERNAL AUDITS THE UNIVERSITY OF TEXAS - PAN AMERICAN 1201 West University Drive Edinburg, Texas

More information

Enterprise Compliance Management for Credit Unions

Enterprise Compliance Management for Credit Unions Enterprise Compliance for Credit Unions Streamline Regulatory Compliance with a Unified Platform to Manage Requirements and Demonstrate Compliance to Regulators Industry Challenge Credit unions are subject

More information

ClickStaff Orientation Training. Presented to: Contingent Workers Presented by: <Supplier ABC> Version Effective Date: June 20, 2012 Version: 8FINAL

ClickStaff Orientation Training. Presented to: Contingent Workers Presented by: <Supplier ABC> Version Effective Date: June 20, 2012 Version: 8FINAL ClickStaff Orientation Training Presented to: Contingent Workers g Presented by: Version Effective Date: June 20, 2012 Version: 8FINAL Housekeeping reminders Session will take about 15-20

More information

Contract Risk and Compliance & Warranty Fraud. David Maberry Chief Risk Officer American Fidelity Assurance Company

Contract Risk and Compliance & Warranty Fraud. David Maberry Chief Risk Officer American Fidelity Assurance Company Contract Risk and Compliance & Warranty Fraud David Maberry Chief Risk Officer American Fidelity Assurance Company Who am I and Why Am I Here? David Maberry is the Chief Risk Officer for American Fidelity

More information

AIST Investment Manager Operational Due Diligence Guidance Note February Investment Manager Operational Due Diligence Review Process

AIST Investment Manager Operational Due Diligence Guidance Note February Investment Manager Operational Due Diligence Review Process AIST Investment Manager Operational Due Diligence Guidance Note February 2017 Introduction The Australian Prudential Regulatory Authority (APRA) regularly communicates its expectations with the entities

More information

Proven Strategies for Overcoming Business Continuity Challenges for Healthcare Organizations

Proven Strategies for Overcoming Business Continuity Challenges for Healthcare Organizations Proven Strategies for Overcoming Business Continuity Challenges for Healthcare Organizations Kathy Lee Patterson, CBCP Business Continuity & Disaster Recovery Manager Children's Hospital of Philadelphia

More information

Agenda. Enterprise Risk Management Defined. The Intersection of Enterprise-wide Risk Management (ERM) and Business Continuity Management (BCM)

Agenda. Enterprise Risk Management Defined. The Intersection of Enterprise-wide Risk Management (ERM) and Business Continuity Management (BCM) The Intersection of Enterprise-wide Risk (ERM) and Business Continuity (BCM) Marc Dominus 2005 Protiviti Inc. EOE Agenda Terminology and Process Introductions ERM Process Overview BCM Process Overview

More information

Competency Area: Business Continuity and Information Assurance

Competency Area: Business Continuity and Information Assurance Competency Area: Business Continuity and Information Assurance Area Description: Business Continuity and Information Assurance competency area mainly concerns the continuity, auditing and assurance of

More information

University Internal Audit

University Internal Audit University Internal Audit Compliance Audit Overview Bill Abplanalp Audit Manager Agenda Introductions What is Internal Audit Compliance Review Questions Internal Audit Mission Provide independent, objective

More information

HITRUST CSF Assurance Program

HITRUST CSF Assurance Program HITRUST CSF Assurance Program Common healthcare industry approach for assessing security and reporting compliance Background and challenges Compliance requirements for healthcare organizations and their

More information

6 Ways To Protect Your Business From Data Breaches in 2017

6 Ways To Protect Your Business From Data Breaches in 2017 6 Ways To Protect Your Business From Data Breaches in 2017 Alaskan-owned company providing Paper Shredding & Hard Drive Destruction Services. We serve all of Southcentral Alaska with professional, secure,

More information

PERSONAL DATA SECURITY GUIDANCE FOR MICROENTERPRISES UNDER THE GDPR

PERSONAL DATA SECURITY GUIDANCE FOR MICROENTERPRISES UNDER THE GDPR PERSONAL DATA SECURITY GUIDANCE FOR MICROENTERPRISES UNDER THE GDPR The General Data Protection Regulation ( the GDPR ) significantly increases the obligations and responsibilities of organisations and

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY 1. Introduction This policy sets out how The Robert Gordon University shall comply with the requirements of the Data Protection Act 1998 and was created with reference to the JISC

More information

Data Privacy Policy for Employees and Employee Candidates in the European Union

Data Privacy Policy for Employees and Employee Candidates in the European Union Data Privacy Policy for Employees and Employee Candidates in the European Union This Data Privacy Policy is effective as of February 1, 2014 1. Data Privacy Policy Overview 1.1 Under Armour, Inc. (the

More information

CORROSION MANAGEMENT MATURITY MODEL

CORROSION MANAGEMENT MATURITY MODEL CORROSION MANAGEMENT MATURITY MODEL CMMM Model Definition AUTHOR Jeff Varney Executive Director APQC Page 1 of 35 TABLE OF CONTENTS OVERVIEW... 5 I. INTRODUCTION... 6 1.1 The Need... 6 1.2 The Corrosion

More information

TAG Certified Against Fraud Guidelines. Version 1.0 Released May 2016

TAG Certified Against Fraud Guidelines. Version 1.0 Released May 2016 TAG Certified Against Fraud Guidelines Version 1.0 Released May 2016 About the TAG Certified Against Fraud Program The mission of the TAG Certified Against Fraud Program is to combat fraudulent non-human

More information

ITSM Process/Change Management

ITSM Process/Change Management ITSM Process/Change Management Process Documentation Revision Date: December 13, 2017 Version Number: 2.0 Document Ownership Document Owner Maury Collins Revision History ITSM Role, Department Service

More information

Comparison Matrix ISO 9001:2015 vs ISO 9001:2008

Comparison Matrix ISO 9001:2015 vs ISO 9001:2008 Comparison Matrix ISO 9001:2015 vs ISO 9001:2008 Description: This document is provided by American System Registrar. It shows relevant clauses, side-by-side, of ISO 9001:2008 standard and the ISO 9001:2015

More information

Draft Internal Audit Plan for Institute of Technology Blanchardstown 2017

Draft Internal Audit Plan for Institute of Technology Blanchardstown 2017 Draft Internal Audit Plan for Institute of Technology Blanchardstown 2017 Contents 1. Introduction and Approach 4 2. Principal Risks 5 3. Proposed areas of focus for Internal Audit 6 4. Draft Internal

More information

These guidelines describe how Hamilton College approaches the development, measurement and management of information security. Version 3.03.

These guidelines describe how Hamilton College approaches the development, measurement and management of information security. Version 3.03. These guidelines describe how Hamilton College approaches the development, measurement and management of information security. Version 3.03 Page 1 1. Introduction 4 1.1 Overview 4 1.2 The Information Security

More information

PREDICTIVE INTELLIGENCE SECURITY, PRIVACY, AND ARCHITECTURE

PREDICTIVE INTELLIGENCE SECURITY, PRIVACY, AND ARCHITECTURE PREDICTIVE INTELLIGENCE SECURITY, PRIVACY, AND ARCHITECTURE Last Updated: May 6, 2016 Salesforce s Corporate Trust Commitment Salesforce is committed to achieving and maintaining the trust of our customers.

More information

BPO Service Level Agreement

BPO Service Level Agreement BPO Service Level Agreement Versión / Version: 2.3 Código Documento / Document Code: AVSP-BPO-OD-001-SLA Fecha Emisión / Distribution Date: November 30, 2014 Elaboró / Created by: Revisó / Reviewed by:

More information

NTT DATA Service Description

NTT DATA Service Description NTT DATA Service Description NTT DATA Managed Services for Microsoft Azure Site Introduction NTT DATA is pleased to provide NTT DATA Managed Services for Microsoft Azure Site (the Service(s) ) in accordance

More information

INFORMATION SERVICES FY 2018 FY 2020

INFORMATION SERVICES FY 2018 FY 2020 INFORMATION SERVICES FY 2018 FY 2020 3-Year Strategic Plan Technology Roadmap Page 0 of 14 Table of Contents Strategic Plan Executive Summary... 2 Mission, Vision & Values... 3 Strategic Planning Process...

More information

PCI COMPLIANCE PCI COMPLIANCE RESPONSE BREACH VULNERABLE SECURITY TECHNOLOGY INTERNET ISSUES STRATEGY APPS INFRASTRUCTURE LOGS

PCI COMPLIANCE PCI COMPLIANCE RESPONSE BREACH VULNERABLE SECURITY TECHNOLOGY INTERNET ISSUES STRATEGY APPS INFRASTRUCTURE LOGS TRAILS INSIDERS LOGS MODEL PCI Compliance What It Is And How To Maintain It PCI COMPLIANCE WHAT IT IS AND HOW TO MAINTAIN IT HACKERS APPS BUSINESS PCI AUDIT BROWSER MALWARE COMPLIANCE VULNERABLE PASSWORDS

More information

Level 3 Diploma in Management. Qualification Specification

Level 3 Diploma in Management. Qualification Specification Qualification Specification ProQual 2017 Contents Page Introduction 3 Qualification profile 3 Qualification structure 4 Centre requirements 6 Support for candidates 6 Assessment 7 Internal quality assurance

More information

Guidance Note: Corporate Governance - Audit Committee. March Ce document est aussi disponible en français.

Guidance Note: Corporate Governance - Audit Committee. March Ce document est aussi disponible en français. Guidance Note: Corporate Governance - Audit Committee March 2015 Ce document est aussi disponible en français. Applicability The Guidance Note: Corporate Governance Audit Committee (the Guidance Note )

More information

AUDIT COMMITTEE CHARTER

AUDIT COMMITTEE CHARTER - 1 - AUDIT COMMITTEE CHARTER I. ROLE AND OBJECTIVES The Audit Committee is a committee of the Board of Directors (the "Board") of Pembina Pipeline Corporation (the "Corporation") to which the Board has

More information

SUPPLIER CODE OF BUSINESS ETHICS AND CONDUCT

SUPPLIER CODE OF BUSINESS ETHICS AND CONDUCT Compliance with Laws We expect our suppliers to maintain full compliance with all laws and regulations applicable to their business. When conducting international business, or if their primary place of

More information

COBIT Control Assessment Questionnaire

COBIT Control Assessment Questionnaire The key to maintaining profitability in a technologically changing environment is how well you maintain control. COBIT's Control Objectives provides the critical insight needed to delineate a clear policy

More information

Guidelines for Information Asset Management: Roles and Responsibilities

Guidelines for Information Asset Management: Roles and Responsibilities Guidelines for Information Asset Management: Roles and Responsibilities Document Version: 1.0 Document Classification: Public Published Date: April 2017 P a g e 1 Contents 1. Overview:... 3 2. Audience...

More information

Insurance Outsourcing Services

Insurance Outsourcing Services BUSINESS PROCESS OUTSOURCING INSURANCE Insurance Outsourcing Services Delivering Measurable Results 2 Introduction Insurers want to keep pace with emerging industry trends and adapt quickly to new market

More information

IT Due Diligence UNCOVER ISSUES AND PREPARE FOR ACTION

IT Due Diligence UNCOVER ISSUES AND PREPARE FOR ACTION IT Due Diligence UNCOVER ISSUES AND PREPARE FOR ACTION There s perhaps no segment of business operations that s evolving and changing as rapidly as information technology (IT). As IT impacts nearly every

More information

OCI Mitigation Plan SAMPLE for IDIQ contract

OCI Mitigation Plan SAMPLE for IDIQ contract OCI Mitigation Plan SAMPLE for IDIQ contract Company (Authorized Signatory) Company Vice President (or equivalent level) i TABLE OF CONTENTS Section Description Page I. Organizational Conflict of Interest

More information

CERTIFIED ADMINISTRATOR OF SCHOOL FINANCE AND OPERATIONS

CERTIFIED ADMINISTRATOR OF SCHOOL FINANCE AND OPERATIONS SFO SCHOOL FINANCE AND OPERATIONS CERTIFIED ADMINISTRATOR OF SCHOOL FINANCE AND OPERATIONS SFO Exam Guidebook ASBO International s certification program is governed by the Certification Commission, a semi-independent

More information

STANDARD SUPPORT SERVICE FOR LARGE BUSINESS CUSTOMERS SOLUTION DESCRIPTION

STANDARD SUPPORT SERVICE FOR LARGE BUSINESS CUSTOMERS SOLUTION DESCRIPTION STANDARD SUPPORT SERVICE FOR LARGE BUSINESS CUSTOMERS SOLUTION DESCRIPTION Table of Contents 1. INTRODUCTION 3 2. PROVISIONING 3 3. DEVICE AND ACCESSORY ORDERING 4 4. SUPPORTING DEVICE SOFTWARE 5 5. ACCOUNT

More information

THE BODY OF KNOWLEDGE FOR MEDICAL PRACTICE MANAGEMENT A FRAMEWORK FOR SUCCESS

THE BODY OF KNOWLEDGE FOR MEDICAL PRACTICE MANAGEMENT A FRAMEWORK FOR SUCCESS THE BODY OF KNOWLEDGE FOR MEDICAL PRACTICE MANAGEMENT A FRAMEWORK FOR SUCCESS It s a direct reference to what we do on a daily basis, of what you need to know... Professionals demonstrate that knowledge

More information

RSA ARCHER IT & SECURITY RISK MANAGEMENT

RSA ARCHER IT & SECURITY RISK MANAGEMENT RSA ARCHER IT & SECURITY RISK MANAGEMENT INTRODUCTION Organizations battle growing security challenges by building layer upon layer of defenses: firewalls, anti-virus, intrusion prevention systems, intrusion

More information

HITRUST CSF Assurance Program. The Common Healthcare Industry Approach for Assessing Security and Reporting Compliance

HITRUST CSF Assurance Program. The Common Healthcare Industry Approach for Assessing Security and Reporting Compliance The Common Healthcare Industry Approach for Assessing Security and Reporting Compliance February 2017 Contents Background and Challenges.... 3 Improving Risk Management While Reducing Cost and Complexity...

More information

Report on controls over Devon Funds Management Limited s investment management services. For the period from 1 January 2014 to 31 December 2014

Report on controls over Devon Funds Management Limited s investment management services. For the period from 1 January 2014 to 31 December 2014 Report on controls over Devon Funds Management Limited s investment management services For the period from 1 January 2014 to 31 December 2014 Description of Investment Management Services, Controls

More information

Internal Control Questionnaire and Assessment

Internal Control Questionnaire and Assessment Bureau of Financial Monitoring and Accountability Florida Department of Economic Opportunity September 30, 2017 107 East Madison Street Caldwell Building Tallahassee, Florida 32399 www.floridajobs.org

More information

S12 - Guidelines for Planning an IS Audit Christopher Chung

S12 - Guidelines for Planning an IS Audit Christopher Chung S12 - Guidelines for Planning an IS Audit Christopher Chung IS Auditing Guidelines for Planning an IS Audit Session Objectives Agenda Information Systems Audit Planning and Scoping o Understanding Business

More information

CORPORATE QUALITY MANUAL

CORPORATE QUALITY MANUAL Corporate Quality Manual Preface The following Corporate Quality Manual is written within the framework of the ISO 9001:2008 Quality System by the employees of CyberOptics. CyberOptics recognizes the importance

More information