Third Party Risk Management: How to Identify and Manage Data Security Risks from your Vendors


1 Third Party Risk Management: How to Identify and Manage Data Security Risks from your Vendors
Presenters:
- Allie Russell, Conexxus
- Kara Gunderson, DSSC Chair, CITGO Petroleum
- Sam Pfanstiel, DSSC SME, Solution Principal, Coalfire

2 Agenda
- Housekeeping
- Presenters
- About Conexxus
- Presentation
- Q & A

3 Housekeeping
- This webinar is being recorded and will be made available in approximately 30 days.
  - YouTube (youtube.com/conexxusonline)
  - Website Link (conexxus.org)
- Slide Deck
  - Survey Link
  - Presentation provided at end
- Participants
  - Ask questions via webinar interface
  - Please, no vendor specific questions

4 Presenters
- Host: Allie Russell, Conexxus
- Moderator: Kara Gunderson, Chair, Data Security Committee; POS Manager, CITGO Petroleum
- Speaker: Sam Pfanstiel, Solution Principal, PCI, Coalfire Systems, Inc.

5 About Conexxus
- We are an independent, non-profit, member driven technology organization
- We set standards
  - Data exchange
  - Security
  - Mobile commerce
- We provide vision
  - Identify emerging tech/trends
- We advocate for our industry
  - Technology is policy

6 2017 Conexxus Webinar Schedule*
Month/Date | Webinar Title | Speaker | Company
July 27, 2017 | Third Party Risk Management: How to Identify and Manage Data Security Risks from your Vendors | Sam Pfanstiel | Coalfire Systems
August 31, 2017 | Using the NIST Cybersecurity Framework to Guide your Security Program | Chris Lietz | Coalfire Systems
September 21, 2017 | Things & Impact of Bring Your Own Device to the Workplace | Bradford Loewy, Jeff Gibson | Dover Fueling, ControlScan
November, 2017 | New Technologies for Addressing Payment Risk: A Survey of Payments Security Landscape | Ravi Raghavan (other DSSC member(s) TBD) | Coalfire Systems
December 2017 | Conexxus: EB2B White Paper Presentation | TBD | EB2B WG

7 2018 Conexxus Webinar Schedule*
Month/Date | Webinar Title | Speaker | Company
January 2018 | Securing and Pen Testing your Mobile Payment App | Denis Sheridan | Cigital
February 2018 | Unified threat management: What is it and why is it important? | Thomas Duncan | Omega
March 2018 | Penetration Testing: How to Test What Matters Most | Sam Pfanstiel & Coalfire Lab Personnel | Coalfire
May 2018 | QIR Program Update | Chris Bucolo | ControlScan

8 At the NACS Show October 17-20, 2017 Chicago, IL Booth

9 Speaker: Sam Pfanstiel, MBA, CISSP, CISM, QSA(P2PE), ETA CPP
Solution Principal, PCI, Coalfire Systems, Inc.
- 20 years in IT Management, Payments, and Security
- Works directly with Coalfire payments teams across marketing, sales, product, and delivery to help demystify complex risk and compliance requirements, communicating effective cyber security solution strategies to stakeholders throughout the enterprise.
- Former CEO, CIO, VP, and Director in charge of payment solutions
- Part of team that built 1st North American PCI-P2PE solution (2014)
- Part of team that built 1st S.N.A.P. EBT mobile POS terminal (2007)
Conexxus: Third Party Risk Management

10 Third Party Risk Management
- Definitions
- Why TPRM matters to every enterprise
- Best Practices in TPRM
- TPRM and PCI DSS
- TPRM in Petroleum Retail
- Resources

11 Definitions
- TPRM: Third Party Risk Management
  - TPRM vs. SRM vs. VRM
- TPSP: Third Party Service Provider
- 3rd Parties
- 4th Parties

12 Examples
- Third Parties: Oil Brand, Retailers, Distributors, Service Providers, Suppliers
- Fourth-Parties: Gateway/Processor, Backup Storage, Managed Service Providers, Web-Hosting Service, Services, Fraud Detection

13 WHY TPRM MATTERS

14 Why TPRM Matters: Risks
Third Parties are critical to all areas of business, handling core functions of business:
- Vendor Performance Standards
- Disruption, SLAs
- Conflict of Interests
- Ownership of Data
- Business Continuity
- Security / Data Protection
- Revenue Impact

15 Why TPRM Matters: Data Breaches Primarily due to Vendor Security
- Major Big Box Retailer: HVAC vendor
- Major Home Improvement Store: Stolen vendor credentials
- Major Ecommerce Network: Stolen Vendor Credentials
- Snowden / NSA Leak
- Sweden Leak
- C-Stores are most susceptible to data breach [1]
[1] Source: Risk Based Security, 2015

16 VRMMM Survey Results
The 2016 Vendor Risk Management Maturity Model (VRMMM) Survey had the following findings:
- Third Party Risk Management is a front burner issue
- Board engagement on cybersecurity is growing, but not with respect to vendor risk
- Vendor assessment maturity is growing
- Numerous areas were identified for improvement
Source: Shared Assessments, Protiviti 2016

17 BEST PRACTICES

18 TPRM Methodology Development: The Four RMs
1. Risk Measurement: Linked to ERM; measures the risk of both the activity itself and of the vendor in particular
2. Risk Management: Standard mechanisms for dealing with risk: accept, decline, transfer, modify
3. Risk Monitoring: New/evolving risks (including vendor changes)
4. Response Management: Incident response, both on your organization's part and the vendor's

19 TPRM Best Practices
TPRM program activities can be grouped into 3 categories:
- Governance
- Operationalization
- Program Management
Source: Coalfire, 2017

20 TPRM Methodology: Governance and Operations
Define:
- Current State Assessment
- Policies and Procedures
- Third Party Profiles
Develop:
- Third Party Screening
- Risk Assessments: Risk Measurement, Risk Monitoring, Risk Response
- Audit and Validation
Implement:
- Tools/Technology Selection
- Risk Scorecards/Dashboards
- Training and Awareness
Program Management and Maintenance
Source: Coalfire, 2017

21 TPRM Best Practices - Governance
- Set the Tone at the Top
- Formalized Governance Model
  - Enterprise Risk Mgmt
- Established Roles
  - Internal Audit
  - Vendor Relationship Manager

22 TPRM Best Practices - Operations
- Full Vendor Inventory & Profiles
- Review Policies, Procedures, Processes
- Establish Standard Contract Template
  - PCI DSS

23 TPRM Best Practices - Operations
- Develop a Third Party Risk Categorization Process
- Conduct
- Define Security Requirements for each Third Party
- Processes for Monitoring and Ensuring Security of Vendors

24 TPRM Best Practices - Operations
- Phased Implementation, If Needed
- TPRM Risk Management Software Platform
- Establish Standard Contract Template
- Maintain Secure Repository for Contracts Administration

25 TPRM Best Practices - Program Management and Maintenance
- TPRM Issue Management Software
- TPRM Training Materials
- Periodic Assessment Reporting and Review

26 TPRM Case Study
Background:
- Publicly-traded
- 1000s of TPSP
- Board involvement
- CISO maintained standards, audited handful of vendors
- Internal Audit engaged to review
Findings:
- Many vendors outside program
- Inconsistent standards
- Inadequate contract provisions
- Insufficient vendor security audits
- Vendors not held accountable
Corrective Actions:
- Joined industry association for access to TPRM best practices
- Rewrote policies to risk-rank vendors and absorb previously excluded vendors
- Standards updated for emerging threats
- Vendor accountable for 4th party
- Contracts updated

27 TPRM IN PCI DSS

28 TPRM in PCI DSS
- Req: Vendor Management
- Req 6: Vendor Systems and Applications
- Req &: Vendor Remote Access
- Responsibility Matrix
- Vendor Documentation throughout
Vendors are critical to all areas of PCI DSS

29 TPRM in PCI DSS
- List of Vendors
- Description of Services
- Up-to-date

30 TPRM in PCI DSS
- Agreement Acknowledges PCI Responsibility

31 TPRM in PCI DSS
- Processes for Due Diligence

32 TPRM in PCI DSS
- Monitoring Vendor Compliance and Controls

33 TPRM in PCI DSS
- 6

34 TPRM in PCI DSS
- 8.1.5,

35 Vendor Logging
- AFD Service Technicians (9.9)
- DSD (Direct Service Delivery) if they enter the C-Store CDE or secured area
- Log everything (whether required or not)

36 TPRM in PCI DSS: Responsibility Matrix
- Clear Communication of Responsibility by Control
Source: Information Supplement: Third-Party Security Assurance and Shared Responsibilities

37 TPRM in PCI DSS: QSA Perspective
Typical Gaps:
- Vendor inventory
- Incomplete vendor documentation
- Ambiguous responsibility assignment
- Missing AOCs, or services not covered on AOC
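The risk categorization process from the Operations best practices and the typical gaps a QSA finds (vendor inventory, missing or incomplete AOCs, unclear responsibility) can both be exercised over a vendor inventory in code. The following Python is an added example, not part of the Conexxus deck and not Coalfire or PCI SSC code: it risk-ranks each inventoried vendor from what it handles and how it connects, then flags the gaps listed above. The inventory fields, scoring weights, tier thresholds, the 365-day review window, the scoping rule and the four fictional vendors are all constructed assumptions for illustration.

```python
"""Vendor inventory review for a third-party risk program (added example).

Field names, risk weights, tier thresholds, the 365-day window and the
sample vendors are constructed assumptions, not from the webinar deck.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Vendor:
    name: str
    services: List[str]                      # services the vendor performs for us
    handles_chd: bool = False                # stores, processes or transmits cardholder data
    remote_access: bool = False              # has remote access into our environment
    onsite_cde_access: bool = False          # technicians enter the CDE or a secured area
    pci_ack_in_contract: bool = False        # written acknowledgement of PCI responsibility
    aoc_date: Optional[date] = None          # most recent Attestation of Compliance
    aoc_services: List[str] = field(default_factory=list)  # services the AOC covers
    last_due_diligence: Optional[date] = None
    last_monitoring_review: Optional[date] = None
    fourth_parties_declared: bool = True     # vendor has disclosed its own subcontractors


def in_pci_scope(v: Vendor) -> bool:
    """Assumed scoping rule: the vendor touches CHD or could affect its security."""
    return v.handles_chd or v.remote_access or v.onsite_cde_access


def risk_tier(v: Vendor) -> str:
    """Risk-rank a vendor from what it handles and how it connects (assumed weights)."""
    score = 0
    if v.handles_chd:
        score += 3
    if v.remote_access:
        score += 2
    if v.onsite_cde_access:
        score += 1
    if not v.fourth_parties_declared:
        score += 1
    if score >= 3:
        return "high"
    if score >= 1:
        return "medium"
    return "low"


def find_gaps(v: Vendor, today: date, max_age_days: int = 365) -> List[str]:
    """Flag the typical TPRM gaps for one vendor: no PCI acknowledgement, missing or
    stale AOC, services not covered on the AOC, no due diligence, no periodic
    monitoring, undeclared fourth parties."""
    gaps = []
    if in_pci_scope(v) and not v.pci_ack_in_contract:
        gaps.append("agreement lacks written PCI responsibility acknowledgement")
    if v.handles_chd:
        if v.aoc_date is None:
            gaps.append("missing AOC")
        else:
            if (today - v.aoc_date).days > max_age_days:
                gaps.append("AOC older than %d days" % max_age_days)
            uncovered = sorted(set(v.services) - set(v.aoc_services))
            if uncovered:
                gaps.append("services not covered on AOC: " + ", ".join(uncovered))
    if v.last_due_diligence is None:
        gaps.append("no due diligence on record")
    if (v.last_monitoring_review is None
            or (today - v.last_monitoring_review).days > max_age_days):
        gaps.append("compliance status not reviewed in last %d days" % max_age_days)
    if not v.fourth_parties_declared:
        gaps.append("fourth parties not declared")
    return gaps


def review_inventory(vendors: List[Vendor], today: date) -> Dict[str, dict]:
    """Tier every inventoried vendor and list its gaps, keyed by vendor name."""
    return {v.name: {"tier": risk_tier(v), "gaps": find_gaps(v, today)} for v in vendors}


# Constructed sample inventory (fictional vendors); the reference date is the webinar date.
TODAY = date(2017, 7, 27)
SAMPLE_VENDORS = [
    Vendor("Acme Gateway", ["payment gateway", "tokenization"], handles_chd=True,
           pci_ack_in_contract=True, aoc_date=date(2017, 1, 15),
           aoc_services=["payment gateway"], last_due_diligence=date(2017, 1, 20),
           last_monitoring_review=date(2017, 6, 30)),
    Vendor("Cool Air HVAC", ["HVAC maintenance"], remote_access=True,
           onsite_cde_access=True),
    Vendor("Vault Backup", ["offsite backup"], handles_chd=True, pci_ack_in_contract=True,
           aoc_date=date(2016, 3, 1), aoc_services=["offsite backup"],
           last_due_diligence=date(2016, 3, 5), last_monitoring_review=date(2017, 5, 1),
           fourth_parties_declared=False),
    Vendor("Snack Supply Co", ["snack delivery"], onsite_cde_access=True,
           pci_ack_in_contract=True, last_due_diligence=date(2017, 2, 1),
           last_monitoring_review=date(2017, 7, 1)),
]

if __name__ == "__main__":
    order = {"high": 0, "medium": 1, "low": 2}
    report = review_inventory(SAMPLE_VENDORS, TODAY)
    for name, r in sorted(report.items(), key=lambda kv: order[kv[1]["tier"]]):
        print("%-16s %-6s %s" % (name, r["tier"], "; ".join(r["gaps"]) or "no gaps"))
```

Running it lists the gateway, the HVAC contractor and the backup provider as high tier (the HVAC vendor with no cardholder data at all still ranks high because of its remote and on-site access, the pattern behind the breach examples earlier in the deck), while the delivery supplier that only enters the secured area ranks medium with no gaps. The same table, refreshed on a schedule, is the "up-to-date list of vendors" the PCI DSS slides call for and a starting point for a risk scorecard.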

38 RESOURCES

39 Resources
- Information Supplement: Third-Party Security Assurance and Shared Responsibilities
- Shared Assessments Framework
  - Shared Information Gathering (SIG)
- NIST CSF 1.1 Cybersecurity Framework
- Contact Coalfire Cyber Risk Advisory or consultant to assist with TPRM / risk assessment


41
Website:
LinkedIn Group: Conexxus Online
Follow us on