Agenda. Agenda. Why Audit Suppliers. Outsourcing / Offshoring. Supplier Risks. Minimum Security Standards. Audit Focus


Outsourcing and the Need for Supplier Audits

Agenda
- Why Audit Suppliers
- Outsourcing / Offshoring
- Supplier Risks
- Minimum Security Standards
- Audit Focus

Definitions
- Third Party: any entity not under direct business control of an organization.
- 3rd Party Risk Management: encompasses supplier risk management and is more broadly focused on understanding organizational risks.
- 3rd Party Inventory: comprehensive list of 3rd parties from across the enterprise (suppliers, business partners, marketing partners); understanding which risks can be affected by a third party, either positively or negatively; should also include subsidiaries.

3rd Party
- Third Party Supplier: receiving and / or processing data from an organization.
- Outsourced IT functions (whole or in part).

High Level of Risk
- Access to / custody of vital information
- Critical to the success of the business

Why?
- $50 billion estimated annual losses to business from data and identity theft
- 3rd parties are a major source of data breaches of regulated data
- 74% of companies do not have a complete inventory of all 3rd parties that handle personal data of their employees and customers (A)
- 73% of companies lack incident response processes to report and manage breaches to 3rd parties that handle data (A)
- Breaches and noncompliance can lead to brand reputation damage, fines, lost revenue and / or regulatory sanctions
- Financial impact could include investigations, legal fees, monitoring services for victims, reissuance of credit cards, government fines, etc.

(A) PwC 2014 Global State of Information Security Survey

Why?
[Figure: OCC third-party risk management life cycle: Planning; Due Diligence & Supplier Selection; Contract Negotiation; Ongoing Monitoring; Termination; with Oversight and Accountability throughout. Source: OCC (Office of the Comptroller of the Currency)]

Regulatory Requirements
- GLBA
- ISO
- PCI
- FDIC regs
- HIPAA
- FFIEC
- OCC

Requirements
Many public companies use the COSO framework as their criteria when attesting to their internal control over financial reporting (ICFR), as required by the Sarbanes-Oxley Act of 2002, P.L. The framework clearly states that management is responsible for the design and operation of its ICFR, including the controls that are outsourced to service providers.

IT Service Providers
According to a recent PwC report, companies usually have indirect entity-level controls to:
- Inventory existing outsourced providers and service-level arrangements that have a significant impact on the company's ICFR.
- Evaluate and select vendors with competencies in financial reporting and ICFR, such as the ability to satisfy the service requirements specified in a service-level agreement. Selection of a vendor depends on the completion of an initial assessment of financial reporting risks and determination of what's necessary to mitigate these risks.
- Periodically evaluate the performance of service providers with respect to service requirements relevant to ICFR. This control updates financial reporting risk assessments and responses in reporting periods after the initial assessment.
- Review a Service Organization Control (SOC) 1 and/or SOC 2 report and determine whether follow-up actions are necessary.

IT Service Providers
Companies still have the ultimate responsibility for the accuracy of their financial reporting and should:
- First understand and monitor where third-party service providers are interacting with the system of internal control. Is it at the control activity level or at the overall entity level?
- Set service-level agreements, protocols, standards, and expectations with regard to how those third parties are going to perform relative to the control environment.
- Monitor how the third parties are performing and verify the activities that third parties are undertaking to make sure controls are operating effectively.
- Address testing parameters upfront in the contracting for service-level agreements, and then monitor to ensure performance meets the expectations laid out in the agreements.

IT Service Provider Controls
Entity level controls:
- Control environment
- Risk assessment
- Information and communication
- Monitoring
- Information security policies
- Other HR and subcontracting specific controls
IT controls:
- Logical access to programs, data, and operating system software is restricted to authorized personnel.
- Environmental controls are in place to protect the IT assets hosted at the data center / controlled areas.
- Physical access to data centre / controlled areas is restricted to authorized individuals.
- Changes to the system software and network components are documented and approved.
- System and network processing issues (once input into the incident and problem management tool) are resolved in a timely manner.
- Backups are performed and securely stored. Recovery is periodically tested.
- Timely refresh of IT systems and software of the production and disaster recovery supporting FIs.

Managing an IT Outsourcing Contract
1. Control your communication
Identify one employee authorized to speak on behalf of the customer. IT service providers are savvy and will find the employee most likely to sign off on changes. By designating one spokesperson you avoid having lower-level people approve changes. It makes clear up front and in writing who represents and can bind the customer. Designating a customer representative enables the organization to control messaging, better adhere to the contract, and avoid situations where the communications or conduct of less informed personnel create ambiguity and uncertainty. And when disputes arise, only the records of the one person whose communication has legal relevance need to be reviewed, rather than those of dozens.

2. Require the provider to log requests and complaints
In many outsourcing situations, the only obligation of the customer is to pay the supplier. Not so in IT, where engagements require the customer's contribution or collaboration. However, should the IT outsourcing provider have a request for the customer or raise an issue of customer performance that it says excuses one of its obligations, it's important to compel the provider to write the issue down and keep a log of all such problems. Require a log showing requests and responses on contractual matters.

Managing an IT Outsourcing Contract
3. Clarify cloudy terms early
Keep the written record of the engagement as clear, complete and accurate as possible. When there are projects or situations that the contract does not explicitly address, the customer should clarify them early on and in writing. If the details of a more granular project aren't specified in the main agreement, write down a summary of what each party's responsibilities are and have everyone sign off on that before embarking on the work.

4. Send breach notices right away
The customer should send a written notice of breach or failure the very first time it occurs and every time thereafter. Notices need not be combative, but rather polite and factual. Without dedicated and ongoing governance, carefully negotiated and documented rights in an outsourcing contract run the risk of not being enforced, and the relationship that develops may look nothing like what you envisioned. All customer employees interacting with the service provider should be instructed to notify the designated customer representative if they think the service provider may have breached the contract. The designated representative can check with legal counsel to decide whether to send a breach notice. Without this written record, an organization can lose its rights, for example the right to terminate for cause.

Managing an IT Outsourcing Contract
5. Never do the provider's work before demanding the provider do it
When a project is faltering the customer may be tempted to jump in to get the job done. However, if a customer takes action without warning the service provider in writing that it intends to do so and charge for the resources, the customer is likely to be stuck with the bill. A company should never assign its personnel to perform work that ought to be completed by the service provider without sending a notice of breach and providing an opportunity for the service provider to fix the problem. The notice should state that if the supplier does not improve performance by a specified date, the customer will take steps to address the problem and will charge the provider or reduce its payment to cover the cost. Providing an estimate of those costs will support the case for reimbursement if the dispute is ever litigated.

6. Look for win-wins
An IT service provider at some point is likely to offer a waiver on a credit due for a breach and, in many cases, that is an opportunity for the relationship manager to trade that waiver for some future assurances.

7. Talk to legal counsel early and often
Creating a clear and written record of the engagement is important to preserving an IT organization's contract rights. Lawyers have an eye and ear for evidence and how documents will play in front of a judge or jury. They can be very helpful in essentially creating evidence helpful to the resolution of the matter through settlement or dispute resolution. Lawyers can find rights that are not apparent on the face of the contract and help the customer resolve issues.

Key CEB Hot IT Spots
Third Party Relationships:
- Externalization of application development, infrastructure operations and back office processing is continuing to rise
- Complex sourcing options and persistent economic volatility, poorly structured contracts, ineffective supplier risk management and lower quality services
Add to Audit Plan:
- Contract review
- Supplier contingency plan review
- Integrated end-to-end audit
- Third party privacy audit

Key 2016 CEB Hot IT Spots: Key Risk Indicators
- Number of compliance violations attributed to 3rd parties
- Number of 3rd parties with access to sensitive company data
- Use of right to audit clause
- Number of 3rd party contracts established outside the procurement function
- Frequency of business interruptions caused by 3rd party control breakdowns

Agenda: Why Audit Suppliers; Outsourcing / Offshoring; Supplier Risks; Minimum Security Standards; Audit Focus

Outsourcing
- Transform non-core business processes and ensure that maximum value from resources is focused on core processes
- Partnering with an outsourcer is a very effective means to build a company that is capable of meeting future needs and turning on a dime at a moment's notice
- Delegate one or more business processes to an external provider who owns, administers or manages the processes based on performance metrics

Outsourcing Risks
- Handling and processing of data
- Security and access
- Retention of data
- System availability
- Specific business factors

Offshoring
- Day-to-day activities performed at a location not in the organization's country of origin
- May not be fully related to outsourcing

Areas for Outsourcing
- IT
- Accounting
- Corporate Services
- Document Management
- Healthcare processing
- Call Centers
- SoX / MAR Compliance
- CRM
- Storage Facilities
- Printing
- Internal Audit
- Real Estate
- Product Development

Major Types of IT Outsourcing
- Application management
- Infrastructure management
- Help desk services
- Independent testing / validation services
- Data center management
- Systems integration
- R&D services
- Managed security

Outsourcing Life Cycle
Alignment:
- Validating the strategy
- Identifying options
- Preparing the business model
- Agreeing on sponsorship and building the team
Feasibility:
- Building the business model and case
- Creating the baseline
- Understanding the market
- Assessing and benchmarking options

Outsourcing Life Cycle
Transaction:
- Structuring the deal
- Agreeing on outsourced assets
- Negotiating the contract
- Delivering the deal and the business case
Transition:
- Delivering the change
- Getting quick returns on investment
- Establishing the culture
- Managing people

Outsourcing Life Cycle
Optimization & Transformation:
- Monitoring the contract and resolving disputes
- Transforming the business
- Reassessing the relationship
- Delivering the business case and realizing the benefits
Termination / Renegotiation:
- Determine SLA adherence by both parties
- Decide if the agreement should continue or end
- If end, invoke the termination process
- If continue, renegotiate the contract

Agenda: Why Audit Suppliers; Outsourcing / Offshoring; Supplier Risks; Minimum Security Standards; Audit Focus

Vendor Risk Problems

Highest Risk Industries
- Government
- Financial Services
- Healthcare
- Payroll Management Companies
- Banking
- Investment / Fund Managers

Supplier Variables
- Location: on-shore / off-shore
- Size & strength: IBM vs. Mom & Pop
- Data sensitivity: PHI, SPI, other
- Access to data: via your systems, FTP files, etc.
- Type of sourcing: BPO, IPO, mix

Outsourcing Risks
- Alignment: outsourcing strategy is not aligned with corporate objectives.
- Feasibility: assumptions (e.g., payback period, customer and supply-chain impacts, and cost savings) are wrong as the result of inadequate due diligence from suppliers and the organization's failure to assess relevant risks.
- Transaction: procurement policies are not met; proper service-level agreements are not implemented; operational, human resources (HR), and regulatory implications are not considered; and contingency arrangements are not planned.

Outsourcing Risks
- Transition: there is a lack of formal transition planning, failure to plan for retention of appropriate skills, and ineffective escalation and resolution of operational IT issues.
- Optimization and Transformation: the outsourcing contract is not managed effectively; therefore, outsourcing benefits and efficiencies are not achieved.
- Termination and Renegotiation: there is an inadequate termination of outsourcing processes.

Risk Management
[Figure: data flows from Suppliers to The Enterprise and from The Enterprise to Customers; supplier risk management covers the supplier side, customer risk management the customer side]
- Supplier Risk Management: the process of assessing, mitigating and remediating key areas of risk around the suppliers that provide services to an organization.
- Customer Risk Management: the process of responding to, mitigating and remediating key areas of risk identified by customers. This is both a proactive (self-identified) and a reactive (customer-identified) process.

TPRM: What It Is
- Third Party Risk Management (TPRM) is the process of analyzing and controlling risks presented to your company, your data, your operations and your finances by parties OTHER than your own company.
- Due Diligence is the investigative process by which a company or other third party is reviewed to determine its suitability for a given task. Due diligence is an ongoing activity, including review, monitoring, and management communication over the entire vendor lifecycle.
- No universally accepted framework like CobiT or COSO

Parties in Risk Management
- Business Operations
- IT Security
- Finance
- Legal
- Compliance
- Procurement
- Internal Audit

Factors for Risk Assessment
Risk domains:
- Strategic
- Reputational
- Regulatory
- Operational
- Financial
- Compliance
Assessment factors:
- Level of importance of vendor to corporate operations
- Magnitude of potential loss if there are problems with the vendor relationship
- Level of vendor oversight / monitoring
- Reporting required by outside regulatory body
- Type of vendor; nature of products / services provided
- Frequency of communication with vendor
- Magnitude of potential direct damages associated with a data breach
- Safeguards or controls designed to ensure compliance with relevant regulations and contract obligations
- Availability of audit reports and / or "right to audit" clause

TPRM: Process
Initial Risk Review:
- Based on risk tier
- Documentation review
- On-site review
- Business process documentation
- Inherent risk / residual risk
- Remediation plan
Ongoing Monitoring:
- Both for changed risks and for changes at the third party
Recurring Reviews:
- Based on risk tier

Elements of TPRM
- Risk Measurement: linked to ERM; measures the risk of both the activity itself and of the 3rd party in particular
- Risk Management: standard mechanisms for dealing with risk: accept, decline, transfer, modify
- Risk Monitoring: new / evolving risks; 3rd party changes
- Response Management: incident response, both on your part and the 3rd party's

Making the Transition
Sourcing Strategy:
- Define the organization's strategy related to sourcing
- Analyze the risks
- Determine the benefits of sourcing
Evaluation & Selection:
- Define requirements (quality, cost)
- Identify partners who can meet the business needs
Contract Development / Procurement:
- Structure a flexible partnership
- Define service levels and payment models
Transition:
- Shift the control from in-house to the external provider
- Monitor performance during the first few weeks

Making the Transition
Remediation:
- Repairing relationships with serious problems
Renewal / Exit:
- Decide early on to renew, renegotiate or terminate the arrangement
- Decide early on to find a new partner or in-source the function
Management:
- Monitor the relationship
- Review metrics, service levels and periodic auditing

Classes of Data Suppliers Handle

Making the Transition: Types of Data Suppliers Handle
Classification of data handled by supplier (the slide's columns, from most to least sensitive): Confidential, Restricted, Internal, Public.

Examples of type of data handled by supplier (in slide order):
- Protected health information; medical records; patient / member information; treatment & condition information; credit card information; payroll information; employee performance data; HR and personnel records
- Proprietary and trade secrets; proprietary code & business logic; reports / assessments; findings and recommendations; strategy / roadmap documents
- Internal company memoranda
- Marketing and promotional materials; mailings and solicitations; public relations; campaigns and outreach
- Member address; phone number; biometric info; address; date of birth
- Investigations; tax information; employee info
- Highly sensitive reports; budgets; financial data; projections
- Telemarketing; surveys; advertising material; web and media

Example of supplier business relationship (in slide order):
- Outsourced software development; outsourced software maintenance and support; customer / member helpdesk; claims processing; mail / envelope stuffing and fulfillment; payroll and check printing services; benefits administration services; tax compliance services; HR consulting and outsourcing services
- Mission critical consultants and contractors; professional services firms; consultants and advisory firms
- Professional service contractors
- Advertising agency; event marketing firm; web-design and digital media services; printing and graphics design; marketing and survey companies

Risk Levels by Types of Data
[Chart: risk level (Low, Medium, High) rising with the classification of data handled by the supplier (Public, Internal, Restricted, Confidential)]

Supplier Risks
- Contract language not clear / missing critical component
- Cannot meet contract due to financial issues
- Security issues / data breaches affect company brand
- Adherence to employment requirements
- Not able to provide services to match SLAs
- Inadequate recovery processes

Supplier Risks
- Country-specific laws and regulations hinder performance
- Access to data outside of the business arrangements
- Subcontractors not adhering to main contract provisions
- Cost reductions not met
- Loss of business knowledge
- Customer restrictions

Supplier Risks
- Process discipline
- Scope creep
- Turnover of key personnel
- Knowledge transfer
- Internal control structure
- Culture

Supplier Landscape Considerations
- On-shore versus offshore suppliers: IS sees risks in both; sensitivity with many customers about the availability of their data to off-shore personnel
- Volume & sensitivity of data: increased reliance on supplier solutions to work with your most sensitive data requires that you are cognizant of the shared risk
- How data is accessed, stored, transmitted & viewed: more control when suppliers access the data via your network; more risk when data leaves your network
- Maturity of supplier & supplier's security program: understand the supplier's commitment to security & reducing risk; a stolen unencrypted laptop can harm company reputation if data is exposed

Supplier Contracting
[Figure: Supplier Contracting at the center, with Privacy, Business, Audit, Security and Legal as the contributing functions]

RFP Deal Breakers
- Does a program exist to ensure compliance with applicable regulations and/or industry standards (e.g. HIPAA and HITECH, PCI, Gramm-Leach-Bliley) for you and your third parties that will access, use or disclose data?
- Is an annual security assessment conducted (e.g. SOC 1, internal review) to identify security risk to data accessed, processed, transmitted, and/or stored on behalf of XYZ?
- Do security policies and procedures exist to prevent, detect, contain and correct security violations, as well as to document the administrative, technical and physical controls in place to protect XYZ data?

RFP Deal Breakers
- Are you aware of your new role and the compliance necessary under the new HIPAA HITECH Omnibus rule?
- If electronic PHI/SPI will be transmitted or exchanged, does your company comply with National Institute of Standards and Technology (NIST) Federal Information Processing Security Requirements for Cryptographic Modules as it relates to encryption of XYZ data?
- Does a data security awareness and training program exist for all members of its workforce, including management?

Challenges for IS
Information Security (IS) is faced with increasing demands when the company is a vendor to accounts and a customer to other third parties.
When a vendor, IS must:
- Respond to RFPs (many request very specific responses)
- Review customer contracts to determine if the company can operationally meet the demands
- Prepare for and participate in an increasing number of security reviews or assessments over and above normal audits
When a customer, IS must:
- Prepare, grade and participate in vendor RFPs
- Review contracts to determine if the vendor can meet security expectations
- Review the nature of the relationship & provide security requirements

Lack of IS Involvement
- Pre-qualify Supplier: issuing RFIs/RFPs to suppliers who cannot meet basic security requirements wastes time & energy during the RFI/RFP process
- RFI / RFP: selecting a supplier without the appropriate security capabilities impacts compliance with various laws & regulations
- Contract: without formal security requirements built into the contract, you may not be able to enforce remediation if an issue arises
- Implement: a solution is implemented with a supplier that has security vulnerabilities that could be exploited

Lack of IS Involvement
- Review & Evaluate: without periodic review, the supplier could introduce new risks or stray from the security requirements in the contract
- Remediate: may be subject to regulatory penalties if the supplier does not correct identified vulnerabilities
- De-commission: connectivity and data access for a supplier remain in place

Supplier Security Controls
Life cycle phase: considerations
- Strategy & Planning: Privacy, Audit, Legal & Security requirements
- RFP: supplier ability and method to meet contractual requirements; supplier security controls questionnaire
- Contracting: Business Associate Agreements; Minimum Security Requirements
- Implementation: requirements for data access, connectivity, data transfer, etc.; understanding the process for incident notification
- Monitoring: supplier security controls questionnaire; supplier assessments / audits
- Contract Termination: protocols over data when the relationship no longer exists

Agenda: Why Audit Suppliers; Outsourcing / Offshoring; Supplier Risks; Minimum Security Standards; Audit Focus

Due Diligence
- Audited financial statements
- Experience & capabilities
- Business reputation
- Qualifications & experience
- Scope of internal controls, systems, data security and audit coverage
- Existence of significant complaints, litigation or regulatory actions
- Business resumption strategy & contingency plans
- Use of other parties or subcontractors
- Adequacy of management information systems
- Insurance coverage

Contract Risks
- Understanding your needs
- Establishing stakeholders and defining roles
- Defining business and technical requirements
- Defining supplier requirements
- Supplier outsourcing

Key Contract Components
- Scope
- Data protection, privacy, and intellectual property
- Price protections
- Third-party assignments
- Ownership of assets used or created by the partnership
- Conflicts among different legal systems
- Contingency planning and change management
- Right to audit
- Termination
- Dispute resolution
- Confidentiality & security

Contract Requirements
- Include required security language in contracts
- Leverage information obtained during supplier selection for contract language
- Track exceptions to pre-defined contract language
- Align contract language with regulatory or other authoritative requirements

Key Items to Understand
- How is the contract structured for suppliers: standard, Master Service Agreement, amendments, exhibits, appendices, etc.?
- Do you have a right to audit clause in the contract?
- Are services detailed?
- Are locations identified and addresses provided?
- Are resources assigned?
- Is system access identified?
- Are minimum security requirements included?

Minimum Security Requirements
- Security Assessment: conduct an annual security assessment; identified gaps require remediation plans
- Security Officer: appoint a person who is either the Security Officer and/or is responsible for compliance
- Implement Security Policies and Procedures: document the administrative, technical and physical controls to protect data; include appropriate disciplinary provisions for data security violations

Minimum Security Requirements
- Awareness & Training: have data security awareness and training; receive training prior to contact with data
- Security Monitoring: continuously monitor security events / conduct periodic reviews of activity; implement hardware, software and procedural audit control mechanisms
- Incident Response: timely notification of suspected / actual data compromise; steps to prevent further damage and corrective action steps to stop the incident from recurring

Minimum Security Requirements: Physical Security
- Monitor building exterior and all entrances
- Process for logging and escorting visitors
- Deploy / monitor cameras 24 x 7
- Deploy and use an electronic access control system
- Have solid floor-to-ceiling walls
- Provide alternate power sources
- Not display any information about Company
- Data received in paper or portable media stored in locked containers, etc.

Minimum Security Requirements: Physical Security outside the US (additional requirements)
- Be enclosed by a compound wall with entry/exit gate attended by a security guard 24x7
- Restricted access parking requires: vehicle identifiers, vehicle examination prior to entrance (visual inspection of undercarriage, interior of vehicle, interior of trunk, etc.), presentation of employee identification badge prior to entrance

Minimum Security Requirements: Workstation Security
- Workstations shall be positioned so that XYZ data is not visible outside of the designated XYZ production area
- Workstations shall lock after no more than 10 minutes of inactivity. Supplier personnel shall be instructed to lock their workstations when they are away from their desks.
- Laptops shall not be used to access, process, transmit or store data

Minimum Security Requirements: Workstation Security
- Print capability shall be disabled
- Access to applications shall be limited. Applications not required for processing data shall be disabled.
- USB and CD/DVD drives shall be disabled
- End-point firewalls shall be installed on all supplier workstations and configured to prevent unauthorized network access attempts

Minimum Security Requirements
- Subcontractors: not employ subcontractors unless express written permission is granted prior to implementing the arrangement; monitor activities of subcontractors for compliance with the Agreement
- Encryption: comply with standards provided by the National Institute of Standards and Technology (NIST). For data in transit, must use encryption technologies that comply with NIST and applicable state and federal regulations ("Approved Encryption"). Implement technical security measures to guard against unauthorized access to data that is being transmitted over an electronic communications network. Encryption shall be the primary means of securing the data while in transit.
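An auditor checking a supplier workstation against the workstation requirements above (10-minute inactivity lock, USB and CD/DVD drives disabled, print capability disabled, end-point firewall) needs evidence rather than a questionnaire answer. The following PowerShell script is an added example, not part of the deck or of any XYZ program; it reads standard Windows registry locations and cmdlets, and assumes that "print capability disabled" is evidenced by a stopped and disabled Print Spooler service, which the deck does not specify.

```powershell
# Added example, not from the deck: gather audit evidence for the workstation
# requirements (inactivity lock <= 10 min, USB/CD-DVD disabled, printing disabled,
# end-point firewall on). Registry paths and cmdlets are standard Windows ones.
# Assumption: "print capability disabled" is checked as a stopped, disabled
# Print Spooler service. Run in an elevated PowerShell session.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function New-Finding {
    param([string]$Requirement, [bool]$Compliant, [string]$Evidence)
    [pscustomobject]@{ Requirement = $Requirement; Compliant = $Compliant; Evidence = $Evidence }
}

function Test-WorkstationRequirements {
    $maxLockSeconds = 600   # "lock after no more than 10 minutes of inactivity"
    $findings = @()

    # 1. Inactivity lock: either the machine-wide policy "Interactive logon:
    #    Machine inactivity limit" or a password-protected screen saver within the limit.
    $policy   = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'InactivityTimeoutSecs'
    $ssTime   = Get-RegValue 'HKCU:\Control Panel\Desktop' 'ScreenSaveTimeOut'
    $ssSecure = Get-RegValue 'HKCU:\Control Panel\Desktop' 'ScreenSaverIsSecure'
    $lockOk = ($null -ne $policy -and [int]$policy -gt 0 -and [int]$policy -le $maxLockSeconds) -or
              ($null -ne $ssTime -and [int]$ssTime -gt 0 -and [int]$ssTime -le $maxLockSeconds -and "$ssSecure" -eq '1')
    $findings += New-Finding 'Workstation locks within 10 minutes of inactivity' $lockOk `
        "InactivityTimeoutSecs=$policy ScreenSaveTimeOut=$ssTime ScreenSaverIsSecure=$ssSecure"

    # 2. USB mass storage and CD/DVD drivers disabled: service Start value 4 = Disabled.
    foreach ($svc in 'USBSTOR', 'cdrom') {
        $start = Get-RegValue "HKLM:\SYSTEM\CurrentControlSet\Services\$svc" 'Start'
        $findings += New-Finding "$svc driver disabled" ($start -eq 4) "Start=$start"
    }

    # 3. Print capability disabled (assumption: Print Spooler stopped and disabled).
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($spooler) {
        $ok = ($spooler.Status -eq 'Stopped') -and ($spooler.StartType -eq 'Disabled')
        $findings += New-Finding 'Print Spooler stopped and disabled' $ok "Status=$($spooler.Status) StartType=$($spooler.StartType)"
    } else {
        $findings += New-Finding 'Print Spooler stopped and disabled' $true 'service not present'
    }

    # 4. End-point firewall enabled on every profile with inbound default Block.
    foreach ($p in Get-NetFirewallProfile) {
        $ok = ("$($p.Enabled)" -eq 'True') -and ("$($p.DefaultInboundAction)" -eq 'Block')
        $findings += New-Finding "Firewall on $($p.Name) profile enabled, inbound default Block" $ok `
            "Enabled=$($p.Enabled) DefaultInboundAction=$($p.DefaultInboundAction)"
    }
    return $findings
}

# Evidence table; rows with Compliant = False are the audit findings.
Test-WorkstationRequirements | Format-Table -AutoSize
```

The Evidence column keeps the raw values so the finding can be attached to the audit workpaper; a missing Print Spooler service is treated as compliant because no print path exists.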

Other Security Requirements
- Hard Copy Documentation
- Remote Access / Network Security
- Asset Tracking, Disposal & Destruction
- Security Safeguards for Data in Transit
- Anti-Malware
- Patch Management
- Logical Separation of Data
- Access to Data
- Development & Testing
- Business Continuity / Disaster Recovery

Why Supplier Management Is Lax
- No formal program or owner
- No formal framework or guidance, so people don't know where to start
- Time consuming
- Too many vendors to assess, or no vendor inventory to know whom to assess
- Manual, spreadsheet-driven process
- Vendors may be brought in on personal referral

Supplier Governance Framework
- Align every IT outsourcing contract with the organization's key business objectives
- Set up a monitoring mechanism
- Manage changes in IT projects and services across complex portfolios
- Define well-integrated IT management processes for the client and the service provider
- Define specific ownership of key contract terms
- Establish direct and visible accountability for IT performance

Monitoring
- Which suppliers require monitoring
- What should be monitored
- Who should conduct the monitoring
- How frequently
- When to audit on site versus remotely

Supplier Monitoring Life Cycle (a cycle)
Supplier Inventory -> Supplier Sample -> Supplier Audits -> Supplier Remediation -> back to the Supplier Inventory

Supplier Monitoring Challenges: The Red Flags
- Weak security controls
- Lack of independent oversight
- Weak incident response
- Failure to respond to requests
- No recovery plans

Pitfalls
- Disconnect between client expectations and supplier delivery
- Unrealistic cost savings estimates
- Half-baked contracts and SLAs
- Communication gap
- Internal employee morale

Compliance Elements
Legal and Regulatory Compliance: Is the supplier compliant with regulators and self-regulatory organizations?
Financial Condition: In addition to the vendor's current financial condition, assess the third-party supplier's growth, earnings, pending litigation and any other factors that may affect the supplier's overall stability.
Business Reputation: Does the supplier have a history of complaints about performing the activities the company is planning to outsource?
Compliance / Risk Management: Only work with third-party suppliers that have processes in place for ensuring compliance with contractual and regulatory requirements and that follow industry best practices.
Subcontracting: Assessments should include validation that the supplier is in compliance with contractual provisions concerning supplier outsourcing.

Compliance Elements (continued)
Business Continuity: A third-party supplier should have a plan in place to respond to service disruptions ranging from Internet outages to cyber-attacks or natural disasters.
Physical and IT Security: The vendor should have controls in place to ensure its IT systems are protected from external and internal attacks and that its computers and servers are protected from theft.
The Right to Audit and Require Remediation: Before entering into an agreement, establish the right to audit the third party and to require remediation when issues are identified.
Termination: Procedures should also be spelled out in some level of detail for the case where the third party is unwilling or unable to fulfil its compliance and performance obligations.

Agenda
- Why Audit Suppliers
- Outsourcing / Offshoring
- Supplier Risks
- Minimum Security Standards
- Audit Focus

Audit Focus
- Internal Audit (IA) needs to be independent and determine whether Third Party Risk Management (TPRM) controls are designed properly and operating as designed.
- TPRM is the second line of defense; the operational aspects of the program should be reviewed with key stakeholders.
- IA is the third line of defense and should focus on the third-party on-site activities required by the program.
- Depending on who owns the controls, IA will need to review that area for sustainability.
- IA should review the compensating controls that help minimize risks and monitor all remediation needed.

Audit Focus (continued)
Have one person face off with third-party management. That person:
- Sets the audit standard for third-party audit programs
- Acts as SME on third-party risk management within audit
- Conducts reviews and identifies potential risks and required remediation
- Develops an opinion of the overall design and effectiveness of the TPRM program

Audit Planning: Key Questions
- Who are your key suppliers?
- Who maintains the supplier inventory and how is it updated?
- What can the supplier provide in terms of assurance (SOC 2 report, HITRUST certification)?
- Do you have a right-to-audit clause in the contract? How clear is it?
- Do you exercise your right-to-audit clause?
- Does your company have a centralized supplier management program?

Supplier Reviews
PALS (Privacy, Audit, Legal, Security)
- Reviews all initiatives where data is leaving the company
- Requires the Supplier to complete a questionnaire
IT: Supplier Information Security (SIS)
- On-shore suppliers
- Risk assessment questionnaires
- Site visit; if critical issues are found, engage IT Audit
IT Audit
- Offshore assessments
- Site visits (sometimes using co-source)
- Questionnaires
- Detailed audits based on SIS

Key Audit Focus
- Supplier selection / governance
- Supplier security
- Supplier management procedures

Key Controls: Supplier Operations
- Overall control environment
- Security considerations
- Data protection
- Network, physical, environmental, personnel and logical access security
- SDLC controls
- Change management controls
- HR policies and procedures

Top 10 Questions the CAE (Chief Audit Executive) Should Ask
1. Are the services outsourced significant to the company?
2. Does the company have a well-defined outsourcing strategy?
3. What is the governance structure relating to outsourced operations?
4. Was a detailed risk analysis performed at the time of outsourcing, and is a regular risk analysis being done?
5. Do formal contracts or SLAs exist for the outsourced activities?
6. Does the SLA clearly define KPIs for monitoring Supplier performance?
7. How is compliance with the contract or SLA monitored?
8. What is the mechanism used to address noncompliance with the SLA?
9. Are responsibilities for ownership of data clearly defined and agreed upon with the supplier?
10. What is the process to gain assurance on the operating effectiveness of the internal controls at the supplier?

What Should Audit Do?
Supplier Selection
- Obtain a list of all Suppliers
- Who is approved to update the list
- Statistics on spend
- Criticality to core business functions
Supplier Audits
- Questionnaires
- Rank results
- Follow-up calls with Suppliers
- Site visits
Supplier Oversight
- Reporting
- Meetings
- Site visits
- KPIs
Supplier Termination
- Assess the vendor termination control environment
- Ensure data and material are properly returned or destroyed
- Review contract termination controls
Audit Reports
- Identify gaps
- Follow up on remediation

Audit Approach
1. Identify the Services Provided
2. Identify the Potential Risks
3. Document Security and Privacy Controls
4. Document Gaps
5. Recommend Enhancements

Audit Approach, Step 1: Identify the Services Provided
- What information is accessed, managed or handled?
- Does the supplier store any critical information?
- Does the supplier have access to the information via a connection to the network?
- Does the supplier provide access to critical data?

Audit Approach, Step 2: Identify the Potential Risks
- Based on the services provided, identify the areas of potential risk
- Use COBIT, ISO 27001, NIST or your own questionnaire
- If the data is not confidential, do you need to audit this supplier?
- Document the risk for each service activity

Audit Approach, Step 3: Document Security and Privacy Controls
- Identify security controls for each risk identified in step 2
- For each control, refer to documentation or evidence of the effectiveness of the control
- Request SOC 1, SOC 2 or penetration test reports

Audit Approach, Step 4: Document Gaps
- Compare the supplier's controls with industry best practices
- Identify areas where controls are missing or substandard
- Focus on areas that could impact confidential data and brand image

Audit Approach, Step 5: Recommend Enhancements
- Prioritize the risks associated with the gaps
- Recommend solutions to bridge the gaps
- Prioritize the timing of the enhancements
- Determine whether the report will be an advisory or an audit, based on the risk ranking
- Identify follow-up items and the personnel responsible

Offshore Supplier Audit Approach
Audit Strategy
- Risk Assessment: executed in year 3 and later; may be based on changes to the relationship or services; determines whether an onsite or remote audit is selected
- Audit Plan
Onsite Audit (Post-Implementation)
- Executed within 1 year of the supplier's services going live
- Performed in region (onsite)
- Detailed testing performed
Remote Audit
- Executed after an onsite audit has been performed
- Performed remotely
- Includes: IT Security Assessment Questionnaire, Management Attestation, User List Review

Offshore Reviews
Remote Audit Procedures
- Performed remotely, by AS resources
- Audit approach: inquiry/observation, approximately 40 hours
- Includes a review of SOC 1 / SOC 2 reports and industry certifications if available
- Uses a control questionnaire and/or management certification to provide a review of physical, administrative and technical controls; remote testing performed where possible
- Identifies whether significant changes (Supplier location, processes, data, etc.) have been made that require additional review
- Reviews contractual requirements as needed
Onsite Audit
- Performed onsite, by AS or EA resources
- Audit approach: detailed testing, approximately 88 hours
- Includes a review of SOC 1 / SOC 2 reports and industry certifications if available
- Uses audit procedures to provide an audit of physical, administrative and technical controls; physically observes operations and the controls in place
- Reviews contractual requirements as needed
- Coordinated with business visits when possible

Audit Domains
- Organizational
- Physical Security and Environmental
- Workstation Security
- Logical/Data Access
- Network and Server Security
- Change Management
- Corporate Continuity
- Supplier Governance

Audit Domain Coverage
Control Domains (each mapped to Control Objectives, Control Activities and Test Procedures): Organizational; Physical Security + Environmental; Workstation Security; Logical Access; Network + Server Security; Change Management; Corporate Continuity; Supplier Governance; TOTAL

Audit Domain Coverage: Organization
- Controls are in place to ensure that audit risks are identified and mitigated properly
- Personnel policies are in place regarding employee hiring, candidate background checks as permitted by applicable local laws, orientation, and training
Physical Security and Environmental Controls
- Building exterior and physical access security controls are in place to prevent unauthorized access (onshore and offshore)
- Identification badge controls
- Environmental safeguards
- Safeguards surrounding the destruction and disposal of sensitive information
- Physical access to the production area is restricted to prevent unauthorized access
- Materials allowed to be brought into the workspace are limited based on the Supplier services provided

Audit Domain Coverage: Workstation Security
Controls are in place to:
- secure sensitive data on computer workstations (onshore and offshore locations)
- secure workstation assets and data
- protect mobile computing assets such as tablet computers and mobile phones
Logical/Data Access
General controls are in place to prevent unauthorized access to:
- information resources (internal)
- computer resources (external)

Audit Domain Coverage: Network and Server Security
Controls are in place to:
- detect and prevent network threats
- apply security updates and harden settings for application and database servers
- identify, escalate, and track security incidents until resolution
- ensure that remote or wireless access to the network is disabled or securely controlled
Technical safeguards are in place for data in transit and for data at offshore Supplier locations.
Change Management and Regulatory Compliance
- Change management controls are in place to ensure that only authorized, tested, and documented changes are made to the system
- Organizational controls are in place to monitor and track compliance
- HIPAA and security awareness training is communicated to employees

Audit Domain Coverage: Corporate Continuity Controls (BC/DR)
- Business Continuity / Disaster Recovery (BC/DR) plans are established and in place
- Data storage and backup activities occur on a scheduled basis and are available for file recovery and disaster recovery events
- Controls are in place to ensure that computer equipment is disposed of and recycled securely
Supplier Governance
- Controls are in place to ensure that third parties the Supplier has contracted with are adequately managed

Supplier Testing
Control Objective 1.1: Organizational controls are in place to ensure that enterprise risks are identified and mitigated.
Control Activity: A general and IT organizational chart exists and can be provided. A dedicated Security Officer (SO), Chief Information Security Officer (CISO), or similar role exists.
Test Procedure (Inquiry & Observation):
1. Obtain copies of the general and IT organizational charts.
2. Review the charts to verify the existence of SO/CISO roles and document the level of the role within the organization.
3. Document the size of the organization (total number of dedicated FTEs).
Control Activity: The organization performs an annual external audit (SOC 1, SOC 2, SOC 3, HITRUST, etc.) and a copy of the report can be provided. All exceptions noted contain a management response, and remediation is tracked and reported to management.
Test Procedure (Inquiry & Observation):
1. Confirm whether external audit reports exist and obtain copies.
2. Perform a walkthrough of the management response and remediation processes.
3. Obtain supporting documentation where available.
Control Activity: An independent audit department exists, completes control testing, and reports findings to management. A dedicated Chief Audit Executive (CAE) or similar role exists.
Test Procedure (Inquiry & Observation):
1. Confirm/verify the existence of an independent audit department.
2. Review the role/responsibilities of the department.

Supplier Testing
Control Objective 1.2: Personnel policies are in place regarding employee (temporary, contractors, etc.) hiring, candidate background checks as permitted by applicable local laws, orientation, and training.
Control Activity: Policies and procedures exist to ensure employee hiring and termination practices are followed.
Test Procedure (Inquiry & Observation):
1. Obtain and review copies of the policies and procedures supporting this control.
2. Perform a walkthrough of the hiring and termination practices.
3. Obtain a current listing of active employees.
Test Procedure (Examination):
1. Select a sample of employees (10% of the population, minimum 5, maximum 25).
2. For the sample, confirm that hiring and termination practices are followed and documented.
Control Activity: Background Checks. Pre-employment screening / background investigations are carried out for employees. This consists of verification of the following:
- Personal references; credit, education and employment verification for at least the past 5 years
- Gaps in employment history
- Place of residence verification for the past 7 years
- Passport and visa checks, and criminal checks / drug screening
For offshore resources, additional verification of the following is required (where applicable): National Skills Registry (NSR): photographs, fingerprints, academic qualifications, professional certifications.
Test Procedure (Inquiry & Observation):
1. Obtain copies of the policies and procedures supporting this control.
2. Perform a walkthrough of the hiring process for employees.
Test Procedure (Examination): Select a sample of employees (10% of the population, minimum 5, maximum 25). Note: sample criteria for offshore Suppliers may vary.
1. For the sample, confirm that the required background checks were performed prior to deployment on the project.
2. Obtain copies of the respective background check documentation and evidence. Examine the background verification report to verify that the required components were completed.
3. Verify whether there were delays in performing the background check (i.e. between the date of joining the project and the date the background check report was obtained).

Audit Implications
- Service level management
- Contractual requirements
- Data transmission controls
- Data security / privacy
- Continuity / availability of systems
- Operational controls
- Availability of SOC 1, SOC 2, ISO 17799 (now ISO/IEC 27002) reports
- Supplier Internal Audit function
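The examination steps for Control Objective 1.2 above are a sampling exercise followed by a date comparison, and both are easy to get wrong by hand (a sample that cannot be reproduced for the workpapers, or a "delay" computed from the wrong end of the interval). The script below is an added example, not part of the original deck: it applies the deck's sample rule (10% of the population, minimum 5, maximum 25) to a supplier's active-employee listing, draws the sample with a recorded seed so the selection is reproducible, and reports the delay between each sampled person's project join date and the date the background check report was obtained. The CSV column names, the seed and the tolerance parameter are assumptions for the example, and the employee listing is constructed.

```powershell
# Added example (not from the deck): sample selection and background-check
# timing test for Control Objective 1.2. Column names, seed and tolerance
# are assumptions; the employee listing below is constructed.

function Get-AuditSampleSize {
    param([int]$Population)
    # 10% of the population, floored at 5 and capped at 25, but never more
    # than the population itself (a 3-person team yields a sample of 3).
    $tenPercent = [int][Math]::Ceiling($Population * 0.10)
    [Math]::Min([Math]::Min([Math]::Max($tenPercent, 5), 25), $Population)
}

function Select-AuditSample {
    param([object[]]$Population, [int]$Seed)
    # A fixed seed makes the selection reproducible for the workpapers;
    # record the seed and the population count alongside the sample.
    $size = Get-AuditSampleSize -Population $Population.Count
    Get-Random -InputObject $Population -Count $size -SetSeed $Seed
}

function Test-BackgroundCheckTiming {
    param([object[]]$Sample, [int]$ToleranceDays = 0)
    foreach ($e in $Sample) {
        $joined = [datetime]::ParseExact($e.JoinDate, 'yyyy-MM-dd', $null)
        if ([string]::IsNullOrWhiteSpace($e.BackgroundCheckDate)) {
            $delay   = $null
            $finding = 'No background check evidence'
        } else {
            $checked = [datetime]::ParseExact($e.BackgroundCheckDate, 'yyyy-MM-dd', $null)
            # Positive delay: the report was obtained after the person joined the project.
            $delay   = ($checked - $joined).Days
            $finding = if ($delay -gt $ToleranceDays) { "Report obtained $delay day(s) after joining" } else { 'OK' }
        }
        [pscustomobject]@{
            EmployeeId          = $e.EmployeeId
            JoinDate            = $e.JoinDate
            BackgroundCheckDate = $e.BackgroundCheckDate
            DelayDays           = $delay
            Finding             = $finding
        }
    }
}

# Constructed active-employee listing standing in for the list obtained from the
# Supplier (Inquiry & Observation step 3). Two rows are deliberately deficient:
# E003 was checked 44 days after joining and E005 has no report at all.
$employees = @'
EmployeeId,JoinDate,BackgroundCheckDate
E001,2017-01-09,2016-12-20
E002,2017-01-09,2017-01-04
E003,2017-02-13,2017-03-29
E004,2017-02-13,2017-02-10
E005,2017-03-06,
E006,2017-03-06,2017-03-01
E007,2017-04-03,2017-03-30
E008,2017-04-03,2017-04-01
E009,2017-05-15,2017-05-12
E010,2017-05-15,2017-05-10
E011,2017-06-05,2017-06-02
E012,2017-06-05,2017-05-31
'@ | ConvertFrom-Csv

# 12 employees: ceil(1.2) = 2, floored to the minimum of 5, so a sample of 5.
$sample = Select-AuditSample -Population $employees -Seed 20170920
Test-BackgroundCheckTiming -Sample $sample | Format-Table -AutoSize
```

With the default tolerance of zero days, any report dated after the join date is a finding; pass -ToleranceDays if the contract grants a grace period for provisional onboarding. Whether the two deficient rows appear in the output depends on the draw, which is the point of recording the seed: the same seed against the same listing reproduces the same sample when the supplier or a reviewer re-performs the test.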


More information

Monitoring and Oversight Standards and Guidelines

Monitoring and Oversight Standards and Guidelines Table of Contents 1. STANDARD... 3 2. BACKGROUND... 3 3. PURPOSE... 4 4. OVERSIGHT... 4 5. MONITORING PLAN... 5 5.1. Areas of Review... 6 6. OPERATIONS MONITORING... 7 Risk Assessment... 7 Scheduling...

More information

BENEFITS OF AN EFFECTIVE OUTSOURCING STRATEGY. March 1, 2017

BENEFITS OF AN EFFECTIVE OUTSOURCING STRATEGY. March 1, 2017 BENEFITS OF AN EFFECTIVE OUTSOURCING STRATEGY March 1, 2017 RSM overview Fifth largest audit, tax and consulting firm in the U.S. Over $1.6 billion in revenue 80 cities and more than 8,000 employees in

More information

Risk Management For and By the BOT. Secured BOT Series

Risk Management For and By the BOT. Secured BOT Series Secured BOT Series 2018 Contents Risk Management For and By the BOT Setting context for RPA Risk Management Deloitte's Risk Framework For RPA Risk Management For the BOT Risk Management By the BOT How

More information

Compliance Plans. Kelly S. McIntosh July 20, 2017

Compliance Plans. Kelly S. McIntosh July 20, 2017 Compliance Plans Kelly S. McIntosh July 20, 2017 Roadmap The importance of compliance and compliance programs Common compliance issues know your risk areas! Guidance for drafting or updating your compliance

More information

Living Our Purpose and Core Values CODE. Code of Business Ethics and Conduct for Vendors

Living Our Purpose and Core Values CODE. Code of Business Ethics and Conduct for Vendors Living Our Purpose and Core Values CODE Code of Business Ethics and Conduct for Vendors December 2016 HCSC Vendor Code of Business Ethics and Conduct Since 1936, Health Care Service Corporation, a Mutual

More information

Present and functioning: Fine-tuning your ICFR using the COSO update

Present and functioning: Fine-tuning your ICFR using the COSO update Present and functioning: Fine-tuning your ICFR using the COSO update November 2014 With the COSO s 1992 Control Framework being superseded by the 2013 updated edition on December 15, 2014, now is the time

More information

Information Technology Risks in Today s Environment

Information Technology Risks in Today s Environment Information Technology s in Today s Environment - Traci Mizoguchi Enterprise Services Senior Manager, Deloitte & Touche LLP Agenda Overview Top 10 Emerging IT s Summary Q&A 1 Overview Technology continues

More information

HITRUST CSF Assurance Program. The Common Healthcare Industry Approach for Assessing Security and Reporting Compliance

HITRUST CSF Assurance Program. The Common Healthcare Industry Approach for Assessing Security and Reporting Compliance The Common Healthcare Industry Approach for Assessing Security and Reporting Compliance February 2017 Contents Background and Challenges.... 3 Improving Risk Management While Reducing Cost and Complexity...

More information

06.0 Data and Access Classification

06.0 Data and Access Classification Number 6.0 Policy Owner Information Security and Technology Policy Data and Asset Classification Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 6. Data and Asset

More information

RFQ ATTACHMENT V: RESPONSE TEMPLATE

RFQ ATTACHMENT V: RESPONSE TEMPLATE Instructions are provided in blue and may be deleted. Please complete your response in the template provided, and indicate clearly where separate documents are provided. Executive Summary 1. Applicant

More information

SIMPLE FUND 360: AN AUDITORS GUIDE. Australia s leading cloud SMSF admin solution AN AUDITORS GUIDE.

SIMPLE FUND 360: AN AUDITORS GUIDE. Australia s leading cloud SMSF admin solution AN AUDITORS GUIDE. Australia s leading cloud SMSF admin solution AN AUDITORS GUIDE www.bglcorp.com Prepared by BGL Corporate Solutions Pty Ltd March 2018 CONTENTS 1.0 Overview of BGL s Web Applications 2.0 Data Sources and

More information

Building and Maintaining a Business Continuity Program

Building and Maintaining a Business Continuity Program Building and Maintaining a Business Continuity Program Successful strategies for financial institutions for effective preparation and recovery 1 Building and Maintaining a Business Continuity Program Table

More information

Security Monitoring Service Description

Security Monitoring Service Description Security Monitoring Service Description Contents Section 1: UnderdefenseSOC Security Monitoring Service Overview 3 Section 2: Key Components of the Service 4 Section 3: Onboarding Process 5 Section 4:

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY 1. Introduction This policy sets out how The Robert Gordon University shall comply with the requirements of the Data Protection Act 1998 and was created with reference to the JISC

More information

Understanding Internal Controls Office of Internal Audit

Understanding Internal Controls Office of Internal Audit Understanding Internal Controls Office of Internal Audit July 2015 Objectives for this manual Provide guidance to help management understand their responsibility to ensure that internal controls are established,

More information

AWS Life Sciences Competency Consulting Partner Validation Checklist

AWS Life Sciences Competency Consulting Partner Validation Checklist AWS Life Sciences Competency February 2018 Version 2.2 Table of Contents Introduction... 3 Competency Application and Audit Process... 3 Program Policies... 3 AWS Life Sciences Competency Program Prerequisites...

More information

CORPORATE QUALITY MANUAL

CORPORATE QUALITY MANUAL Corporate Quality Manual Preface The following Corporate Quality Manual is written within the framework of the ISO 9001:2008 Quality System by the employees of CyberOptics. CyberOptics recognizes the importance

More information

VIEWPOINT ARTICLE. Managing Risk in FM Outsourcing. AgileOAK.com

VIEWPOINT ARTICLE. Managing Risk in FM Outsourcing. AgileOAK.com Managing Risk in FM Outsourcing 1 TABLE OF CONTENTS Introduction... 3 Understanding Outsourcing, Understanding Risk... 4 The Integrated Facility Management Value Proposition... 4 Integrated Facility Management

More information

Compliance Program Effectiveness Guide

Compliance Program Effectiveness Guide Compliance Program Effectiveness Guide June 2017 This Guide is a comparison of: Compliance Program Elements New York State, Social Services Law 363-D Office of Inspector General (OIG) Compliance Program

More information

PART THREE: Work Plan and IV&V Methodology (RFP 5.3.3)

PART THREE: Work Plan and IV&V Methodology (RFP 5.3.3) PART THREE: Work Plan and IV&V Methodology (RFP 5.3.3) 3.1 IV&V Methodology and Work Plan 3.1.1 NTT DATA IV&V Framework We believe that successful IV&V is more than just verification that the processes

More information

KPMG s Major Projects Advisory Project Leadership Series: Stakeholder Management and Communication

KPMG s Major Projects Advisory Project Leadership Series: Stakeholder Management and Communication KPMG Global Energy Institute KPMG International KPMG s Major Projects Advisory Project Leadership Series: Stakeholder Management and Communication Stakeholder management and communication is critical to

More information

See your auditor clearly. Transparency report: How we perform quality audit engagements

See your auditor clearly. Transparency report: How we perform quality audit engagements See your auditor clearly. Transparency report: How we perform quality audit engagements February 2014 Table of contents 1) A message from the CEO and Managing Partner Assurance 2 2) Quality control policies

More information

Brink's Modern Internal Auditing

Brink's Modern Internal Auditing Brink's Modern Internal Auditing A Common Body of Knowledge Seventh Edition ROBERT R. MOELLER WILEY John Wiley & Sons, Inc. Preface About the Author xix XXV PART ONE CHAPTER 1 FOUNDATIONS OF MODERN INTERNAL

More information

The General Data Protection Regulation (GDPR): Getting in good shape for the deadline Copenhagen, 19 September 2017 Janus Friis Bindslev Partner,

The General Data Protection Regulation (GDPR): Getting in good shape for the deadline Copenhagen, 19 September 2017 Janus Friis Bindslev Partner, The General Data Protection Regulation (GDPR): Getting in good shape for the deadline Copenhagen, 19 September 2017 Janus Friis Bindslev Partner, Deloitte, Cyber Advisory Table of Contents Introduction

More information

Quantifying the Value of Software Asset Management

Quantifying the Value of Software Asset Management 1 Executive Summary Over the past few decades, employees have come to rely more and more heavily on software solutions to automate and enhance a variety of core business activities from sales order entry

More information

Insurance Outsourcing Services

Insurance Outsourcing Services BUSINESS PROCESS OUTSOURCING INSURANCE Insurance Outsourcing Services Delivering Measurable Results 2 Introduction Insurers want to keep pace with emerging industry trends and adapt quickly to new market

More information

Osprey Technologies, LLC. Quality Manual ISO9001:2008 Rev -

Osprey Technologies, LLC. Quality Manual ISO9001:2008 Rev - February 8, 2015 1 Osprey Technologies, LLC Quality Manual ISO9001:2008 Rev - February 8, 2015 Released by Dave Crockett President 6100 S. Maple Avenue, Suite 117 Tempe, AZ 85283 www.osprey-tech.com February

More information

Guidance Note: Corporate Governance - Audit Committee. March Ce document est aussi disponible en français.

Guidance Note: Corporate Governance - Audit Committee. March Ce document est aussi disponible en français. Guidance Note: Corporate Governance - Audit Committee March 2015 Ce document est aussi disponible en français. Applicability The Guidance Note: Corporate Governance Audit Committee (the Guidance Note )

More information

INFORMATION SERVICES FY 2018 FY 2020

INFORMATION SERVICES FY 2018 FY 2020 INFORMATION SERVICES FY 2018 FY 2020 3-Year Strategic Plan Technology Roadmap Page 0 of 14 Table of Contents Strategic Plan Executive Summary... 2 Mission, Vision & Values... 3 Strategic Planning Process...

More information

4A s Client Audit Guidance

4A s Client Audit Guidance 4A s MSA Guidance Series January 2017 4A s Client Audit Guidance A Guidance Directive from the American Association of Advertising Agencies 4A s Client Audit Guidance A Guidance Directive from the American

More information

Certified Identity Governance Expert (CIGE) Overview & Curriculum

Certified Identity Governance Expert (CIGE) Overview & Curriculum Overview Identity and Access Governance (IAG) provides the link between Identity and Access Management (IAM) rules and the policies within a company to protect systems and data from unauthorized access,

More information

STANDARD SUPPORT SERVICE FOR LARGE BUSINESS CUSTOMERS SOLUTION DESCRIPTION

STANDARD SUPPORT SERVICE FOR LARGE BUSINESS CUSTOMERS SOLUTION DESCRIPTION STANDARD SUPPORT SERVICE FOR LARGE BUSINESS CUSTOMERS SOLUTION DESCRIPTION Table of Contents 1. INTRODUCTION 3 2. PROVISIONING 3 3. DEVICE AND ACCESSORY ORDERING 4 4. SUPPORTING DEVICE SOFTWARE 5 5. ACCOUNT

More information

12.0 Business Continuity Management

12.0 Business Continuity Management Number 12.0 Policy Owner Information Security and Technology Policy Business Continuity Management Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 12. Business Continuity

More information

A Vision of an ISO Compliant Company by Bruce Hawkins, MRG, Inc.

A Vision of an ISO Compliant Company by Bruce Hawkins, MRG, Inc. A Vision of an ISO 55000 Compliant Company by Bruce Hawkins, MRG, Inc. ISO 55000 refers to a series of three standards outlining the purpose, requirements, and implementation guidance for an Asset Management

More information

Flexible Spending Account Administration Best Practices

Flexible Spending Account Administration Best Practices Flexible Spending Account Administration Best Practices 12 Secrets to Running a Successful Benefits Program Flexible Spending Account Administration Best Practices 10 Secrets to Running a Successful Benefits

More information

Code of Business Conduct and Ethics

Code of Business Conduct and Ethics Code of Business Conduct and Ethics Table of Contents Purpose... 1 Scope... 1 Policy... 2 Responsibilities... 8 Enforcement... 8 Review and Revision... 8 PURPOSE Pursuant to the Sarbanes-Oxley Act of 2002

More information

Secure File Sharing and Collaboration

Secure File Sharing and Collaboration Secure File Sharing and Collaboration Contents 1 Secure File Sharing & Collaboration...2 2 Service Definition...3 2.1 Functionality & Features File Sharing and Collaboration... 3 2.2 Access Methods...

More information

What is GDPR and Should You Care?

What is GDPR and Should You Care? What is GDPR and Should You Care? Ingram Micro Inc. 1 Overview of Privacy Climate & Concerns 2 2 Today We Live In A World Where Advertisers read key words in your Facebook posts and emails and decide what

More information

CANDIDATE DATA PROTECTION STANDARDS

CANDIDATE DATA PROTECTION STANDARDS CANDIDATE DATA PROTECTION STANDARDS I. OBJECTIVE The aim of these Candidate Data Protection Standards ( Standards ) is to provide adequate and consistent safeguards for the handling of candidate data by

More information

GR Government Records

GR Government Records GR Government Record Series GR1000 GR1025 GR1050 GR1075 GR5750 GR5800 GR5825 Record Title PART 1: ADMINISTRATIVE RECORDS PART 2: FINANCIAL RECORDS PART 3: PERSONNEL AND PAYROLL RECORDS PART 4: SUPPORT

More information

MODA HEALTH CODE OF CONDUCT

MODA HEALTH CODE OF CONDUCT MODA HEALTH CODE OF CONDUCT I. Introduction Moda Health has a longstanding tradition of caring for our members, communities, and employees. We strive to act with absolute integrity in the way we do our

More information

CHARTER OF THE AUDIT COMMITTEE NATIONWIDE MUTUAL INSURANCE COMPANY NATIONWIDE MUTUAL FIRE INSURANCE COMPANY NATIONWIDE CORPORATION

CHARTER OF THE AUDIT COMMITTEE NATIONWIDE MUTUAL INSURANCE COMPANY NATIONWIDE MUTUAL FIRE INSURANCE COMPANY NATIONWIDE CORPORATION CHARTER OF THE AUDIT COMMITTEE NATIONWIDE MUTUAL INSURANCE COMPANY NATIONWIDE MUTUAL FIRE INSURANCE COMPANY NATIONWIDE CORPORATION ESTABLISHMENT The Audit Committees are committees of the Board of Directors

More information

REQUEST FOR PROPOSAL FOR INFORMATION TECHNOLOGY SERVICES

REQUEST FOR PROPOSAL FOR INFORMATION TECHNOLOGY SERVICES REQUEST FOR PROPOSAL FOR INFORMATION TECHNOLOGY SERVICES 2018-003 Pines Behavioral Health 200 Vista Drive Coldwater MI Phone 517-278-2129 1 NOTICE REGARDING DISCLOSURE OF CONTENTS OF DOCUMENT All responses

More information

Contract Risk and Compliance & Warranty Fraud. David Maberry Chief Risk Officer American Fidelity Assurance Company

Contract Risk and Compliance & Warranty Fraud. David Maberry Chief Risk Officer American Fidelity Assurance Company Contract Risk and Compliance & Warranty Fraud David Maberry Chief Risk Officer American Fidelity Assurance Company Who am I and Why Am I Here? David Maberry is the Chief Risk Officer for American Fidelity

More information

PREDICTIVE INTELLIGENCE SECURITY, PRIVACY, AND ARCHITECTURE

PREDICTIVE INTELLIGENCE SECURITY, PRIVACY, AND ARCHITECTURE PREDICTIVE INTELLIGENCE SECURITY, PRIVACY, AND ARCHITECTURE Last Updated: May 6, 2016 Salesforce s Corporate Trust Commitment Salesforce is committed to achieving and maintaining the trust of our customers.

More information

Competency Area: Business Continuity and Information Assurance

Competency Area: Business Continuity and Information Assurance Competency Area: Business Continuity and Information Assurance Area Description: Business Continuity and Information Assurance competency area mainly concerns the continuity, auditing and assurance of

More information

COLUMBIA UNIVERSITY CREDIT CARD ACCEPTANCE AND PROCESSING POLICY

COLUMBIA UNIVERSITY CREDIT CARD ACCEPTANCE AND PROCESSING POLICY COLUMBIA UNIVERSITY CREDIT CARD ACCEPTANCE AND PROCESSING POLICY Effective Date: August 31, 2009 Latest Revision: March 28, 2017 Policy Statement This policy establishes the requirements for the acceptance

More information

IT Due Diligence in an Era of Mergers and Acquisitions

IT Due Diligence in an Era of Mergers and Acquisitions IT Due Diligence in an Era of Mergers and Acquisitions Session 49, March 6, 2018 Charlie Jones, Director of Project Management, University of Vermont Health Network 1 Conflict of Interest Charlie Jones;

More information

REQUEST FOR PROPOSAL

REQUEST FOR PROPOSAL COLORADO HOUSING AND FINANCE AUTHORITY REQUEST FOR PROPOSAL (RFP) COLORADO HOUSING AND FINANCE AUTHORITY 1981 BLAKE STREET DENVER, CO 80202 REQUEST FOR PROPOSAL Technology Assessment POSTED: 11/17/2017

More information

Request for Proposal For: 2018 American Bar Association Temporary Services

Request for Proposal For: 2018 American Bar Association Temporary Services Table of Contents Bid Timetable [2] 1.0 General Bid Information [3] 2.0 Proposal Requirements [5] 3.0 Criteria for Selection [7] 4.0 Specifications and Work Statement [7] Appendix A: Bidder Response Sheet

More information

Xerox Supplier Security Requirements

Xerox Supplier Security Requirements Xerox Supplier Security Requirements Suppliers who are involved in the manufacture, storage, and transportation of Xerox products ( Suppliers ) for Xerox Corporation and / or its subsidiaries under Xerox

More information

SHRINERS HOSPITALS FOR CHILDREN CORPORATE COMPLIANCE PLAN

SHRINERS HOSPITALS FOR CHILDREN CORPORATE COMPLIANCE PLAN SHRINERS HOSPITALS FOR CHILDREN CORPORATE COMPLIANCE PLAN 1.0 INTRODUCTION Shriners Hospitals for Children ( SHC ) is committed to conducting itself according to applicable business ethical standards and

More information

AUDIT COMMITTEE CHARTER

AUDIT COMMITTEE CHARTER - 1 - AUDIT COMMITTEE CHARTER I. ROLE AND OBJECTIVES The Audit Committee is a committee of the Board of Directors (the "Board") of Pembina Pipeline Corporation (the "Corporation") to which the Board has

More information

GUIDANCE NOTE FOR DEPOSIT TAKERS (Class 1(1) and Class 1(2))

GUIDANCE NOTE FOR DEPOSIT TAKERS (Class 1(1) and Class 1(2)) GUIDANCE NOTE FOR DEPOSIT TAKERS (Class 1(1) and Class 1(2)) Operational Risk Management MARCH 2017 STATUS OF GUIDANCE The Isle of Man Financial Services Authority ( the Authority ) issues guidance for

More information

UPPLIER ANUAL. Issued: 01 Aug 13

UPPLIER ANUAL. Issued: 01 Aug 13 UPPLIER ANUAL Issued: 01 Aug 13 Table of Contents Our Company 3 Our Vision 3 Scope and Purpose 4 Responsibilities 4 General Expectations and Requirements 5 Supplier Quality Management System 6 Supplier

More information

7 STEPS TO BUILD A GRC FRAMEWORK ALIGNING BUSINESS RISK MANAGEMENT FOR BUSINESS-DRIVEN SECURITY

7 STEPS TO BUILD A GRC FRAMEWORK ALIGNING BUSINESS RISK MANAGEMENT FOR BUSINESS-DRIVEN SECURITY WHITEPAPER 7 STEPS TO BUILD A GRC FRAMEWORK ALIGNING BUSINESS RISK MANAGEMENT FOR BUSINESS-DRIVEN SECURITY CONTENTS Defining Business-Driven Security 3 Challenges to a Business-Driven Security Approach

More information