E-Guide

HOW TO AVOID THE DANGER OF WEAK CONTROLS IN THIRD-PARTY RISK MANAGEMENT

SearchSecurity
Security expert Michael Cobb explains how to put in place additional safeguards to protect the system and data access of trusted partners.
By Michael Cobb

Closer relationships with third-party vendors can improve and streamline business operations. But when service providers and contractors are given access to systems containing protected information, or handle sensitive data sets such as customer records, security is paramount. Due diligence in assessment is crucial because an indemnity agreement can't realistically cover an organization's strategic, operational or reputational risks. And if the activities of a business partner or service provider put your data security efforts at risk of non-compliance, it's your company that's held accountable.

REVIEW THE RISKS

A risk assessment helps you detect identity and access issues and locate the necessary controls to include as contractual requirements. This review process covers risk identification, assessment, measurement and
monitoring procedures. It should be completed prior to engaging the third-party vendor, not treated as a formality after the fact. Business partners or contractors with greater privileges or autonomy to access internal resources and systems merit a more in-depth review than those with limited rights. The assessment should involve personnel from various teams, such as internal audit, procurement, compliance, legal counsel, and IT administration and security.

To speed and simplify the process of assessing tens, if not hundreds, of third-party vendors, it's best to have them complete standardized documentation. Thankfully, there's no need to develop these from scratch: The Shared Assessments Program (SAP), a paid membership organization founded in 2005 by financial institutions and accounting firms, offers numerous tools. These are available for purchase or free with membership and include documents used by companies of all sizes for consistency and cost efficiency in vetting third parties. Large service providers routinely complete these assessments, which are based on a "trust, but verify" model.

By using SAP's Standard Information Gathering (SIG) questionnaire, your organization can obtain all of the information necessary to conduct an initial assessment of a service provider's IT, privacy and data security controls.
You can filter the questionnaire for the service types provided by different third-party vendors. A how-to guide is available to help with this process. (There are also guides that can help service providers respond to client-issued SIG questionnaires.) The SAP tools are based on international, federal and industry standards such as ISO 27001/27002, PCI DSS and HIPAA. And they are constantly updated -- cloud security, mobile devices, fourth-party risk and software security were recently added, according to the organization's website.

Of course, self-assessments need verifying: The Shared Assessments Agreed Upon Procedures (AUP) allow answers provided by a third party in the SIG questionnaire to be validated by your organization or an independent assessment firm. They also set out the risk control areas to be evaluated as part of an onsite assessment and include a report template for collecting and reporting the results.

As part of any third-party review, it's important to establish whether security has true boardroom-level support. A good indicator of how genuine a third-party vendor is about security is the quality of its privacy practices and training programs. Are employees required to participate in data privacy and security awareness training? How frequently are they required to take refresher
courses? A well-rehearsed security incident response plan and annual external security assessments are other signs that security is taken seriously.

EVALUATE THE PROVIDERS

Management should use the assessment to evaluate the controls a prospective service provider has in place to protect systems and data. The assessment can also serve as a negotiating tool when discussing contractual obligations: knowing where the risk points exist means additional safeguards can be requested to ensure sensitive data is properly protected. Documentation covering the risk assessment, details of the controls in place to mitigate risks and the agreed-upon compliance monitoring should be signed off by the board and retained as a benchmark for future audits. Always ask for proof that remediation actions arising from vulnerabilities identified in the security audit have actually been carried out.

Assign an owner for each vendor relationship to oversee the monitoring process and check the vendor's adherence to the data protection and security standards set out in the contract. Tools such as Brinqa Vendor Risk Management, a risk modeling and analytics framework, and Rsam, which is Web-based GRC software, support SIG questionnaire content, making the review process more
manageable. EMC's RSA Archer Vendor Management software also automates the oversight of third-party relationships and supports NIST Open Checklist Interactive Language 2.0 (OCIL), a framework for interpreting responses to IT security checklists.

Finally, remember that assessing third-party vendors is not a one-time event. Managing third-party risk is a complex and time-consuming task, but with the right tools many aspects can be automated. Third-party risk assessment is an area of information security that needs greater focus; it reduces the chances of a data breach and improves the overall security of identity and access on today's interconnected systems.

MICHAEL COBB, CISSP-ISSAP, is a renowned security author with over 20 years of experience in the IT industry. He co-authored the book "IIS Security" and has written many technical articles for SearchSecurity.com and other leading IT publications. He was formerly a Microsoft Certified Database Manager and a registered consultant with the CESG Listed Advisor Scheme (CLAS).