Strengthening Vendor Risk Management Program ACUIA Region 5 Fall Meeting Portsmouth, N.H. October 2017
PKF O'Connor Davies Risk Advisory Services
  - Governance & Regulations
  - Cyber-Security Risk Management & IT Strategy
  - COSO 2013 Implementation
  - Co-source or Outsource Internal Audit
  - Data Governance and Data Analytics
  - Enterprise Risk Management and Internal Control Reviews (Operations and IT)
  - IIA Quality Assessment Reviews / Internal Audit Transformation
  - Business and IT Policy Development
  - Attest Engagements and Agreed-Upon Procedures
  - HIPAA and PCI-DSS Gap Analysis
  - IT Governance and Best Practices Review
  - DMZ or Network Architecture Review / Firewall, Router and Switch Hardening Review
  - DRP/BCP Assessment
  - IT Security Vulnerability Assessments and Penetration Testing (Network and Web Application)
  - Malware Analysis
  - Wireless Network Assessment
  - Privacy Assessments
  - General Source Code Review (Java, .NET, PHP, Python, C, C++, Objective-C)
  - Social Engineering (includes phishing)
  - Business Continuity Assessments
  - Project Management
  - Service Organization Control (SOC 1) Reporting (SSAE 16 and ISAE 3402) Readiness Reviews and Attestations
  - SOC 2 and SOC 3 Readiness Reviews and Attestations (Trust Services Principles)
  - IT Strategy (Including IT and Business Strategic Alignment)
  - Third Party Risk, Social Media and Cloud Risk Assessment
Learning Objectives
  - Why you need a vendor risk management program
  - Discuss the steps of a vendor risk management program
  - Compare the intended uses of Service Organization Control reports and what to look for during the review
Vendor Risk Management A process for assessing and managing risk associated with third party relationships. A third party relationship is any business arrangement between a financial institution and another entity, by contract or otherwise. The relationship includes activities that involve outsourced products and services, use of independent consultants, networking arrangements, merchant payment processing services, joint ventures, and other business arrangements where the financial institution has an ongoing relationship or may have responsibility for associated records.
Intertwining Risks: 3rd Party Risk sits at the center, intertwined with Operational, Technology, Compliance, Business Continuity, Reputational, Financial and Strategic risk.
Cloud Responsibility (figure not reproduced). Source: http://pen-testing.sans.org/blog/2012/07/05/pentesting-in-the-cloud
Discussion with a Cloud Hosting Provider
  - The client needs to communicate the organization's regulatory requirements
  - Assign responsibilities to internal IT staff who have the technical knowledge
  - Robust access management
  - Do not rely on the service provider's policies and procedures
  - Managing the data remains the organization's responsibility
Discussion with a Cloud Hosting Provider (cont.)
  - Clients should discuss network design with the provider
  - Inquire whether standard or custom APIs are used, to avoid vendor lock-in
  - Inquire whether contract terms can be modified based on current and future needs
  - Be responsive when a collaborative effort is needed to address an incident
  - Review and address the SLA before going live
Who Should Be Involved in a Vendor Risk Management Program
  - Procurement & Accounts Payable
  - Information Technology
  - Legal and Regulatory Compliance
  - Risk Management
  - Internal Audit (advisory role)
Continuous Vendor Risk Management
  Lifecycle phases: Governance; Due Diligence / Planning; Risk Management; Contract Management; Monitoring; Termination
  Activities that run across the cycle:
  - Evaluate vendor risk
  - Manage & remediate vendor risk
  - Report on vendor risk
  - Identify & manage evidence
  - Provide a risk rating for each vendor
  - Create a schedule for review
  - Identify triggers that would escalate the review
Governance
  - Define the goals and appoint a champion
  - Define organization structure & assign responsibilities
  - Develop a vendor management policy
  - Take a risk-based approach
  - Vendor due diligence and monitoring process
  - Escalation process
  - Provide training
Elements of a Vendor Risk Management Policy
  - Should outline staff responsibilities and authorities for vendor relationships and program oversight
  - Should distinguish what is required for critical relationships versus non-critical relationships
  - Should stipulate which employee(s) are authorized to sign contracts
  - Should outline the expectations and limitations of the vendor relationship
Initial Risk Assessment / Planning
  - Ensure that the vendor relationship is consistent with the strategy and overall business needs
  - Determine the short- and long-term goals, which should be measurable
  - Create the criticality levels
  - Assess the vendor against the risk criteria
  - Appoint a person to be responsible for the relationship
  - Review all documentation (e.g. financials) and vendor responses
  - Identify controls (e.g. reports, insurance)
  - Establish an exit strategy / contingency plans
Risk Management
  - Determine risk factors
  - Conduct risk assessment
  - Establish risk levels
  - Collect data
  - Address results with management
  - Develop remediation steps and communicate them back to the vendor
Risk Factors In Evaluating Vendors
  - New service to the credit union
  - Material impact to revenue or expenses
  - Impact to reputation
  - Significant operations functions
  - Sensitivity of the data
  - Compliance and regulatory risk
  - Impact to members
Contract Management
  - Get key stakeholders and Legal involved (drafting, reviewing)
  - Keep abreast of regulatory requirements and industry standards
  - Maintain your position on key contract requirements and language
  - Establish KPIs and SLAs
  - Have a process in place to modify and approve changes to contracts
Monitoring
  - Track incidents and complaints
  - Manage the vendor inventory
  - Evaluate vendor onboarding and off-boarding
  - Evaluate vendor value
  - Have a process in place to be notified of incidents (security breach, insolvency)
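The Continuous Vendor Risk Management, Initial Risk Assessment, Risk Management, Risk Factors and Monitoring slides above describe one mechanism: rate each vendor against the risk factors, derive a criticality tier, schedule reviews by tier, and let certain events (a breach, insolvency) escalate a review out of cycle. The script below is an added example of that mechanism in Python; it is not code from the presentation or from PKF O'Connor Davies. The factor names follow the Risk Factors slide, but the weights, the tier thresholds, the data-sensitivity override, the review intervals, the evidence lists, the extra escalation triggers and the vendor inventory are assumptions constructed for the example.

```python
"""Inherent-risk rating, review cadence and escalation triggers for vendors.

Added illustration, not code from the presentation or from PKF O'Connor Davies.
Factor names follow the "Risk Factors In Evaluating Vendors" slide; weights,
thresholds, the data-sensitivity override, review intervals and evidence lists
are assumptions chosen for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Each factor is rated 0 (none), 1 (low), 2 (moderate) or 3 (high).
# Assumed weights; they sum to 1.0 so the score stays on a 0..3 scale.
WEIGHTS = {
    "new_service": 0.10,              # new service to the credit union
    "financial_impact": 0.15,         # material impact to revenue or expenses
    "reputation_impact": 0.10,
    "operations_significance": 0.20,  # significant operations function
    "data_sensitivity": 0.20,         # member data handled by the vendor
    "compliance_risk": 0.15,
    "member_impact": 0.10,
}

# Tier -> (review interval in days, evidence requested at each review). Assumed.
TIERS = {
    "critical": (365, "SOC 2 Type II, financials, DR/BCP test results, insurance"),
    "high": (365, "SOC 1 or SOC 2 Type II, financials"),
    "moderate": (730, "security questionnaire, financials"),
    "low": (1095, "contract and insurance review"),
}

# Events that force an out-of-cycle review whatever the tier. The first two are
# from the Monitoring slide; the other two are assumed additions.
ESCALATION_TRIGGERS = {"security_breach", "insolvency",
                       "material_contract_change", "merger_or_acquisition"}


@dataclass
class VendorAssessment:
    name: str
    ratings: dict[str, int]          # factor -> 0..3
    last_review: date
    events: set[str] = field(default_factory=set)

    def score(self) -> float:
        """Weighted inherent-risk score on a 0..3 scale; rejects incomplete ratings."""
        missing = set(WEIGHTS) - set(self.ratings)
        if missing:
            raise ValueError(f"{self.name}: unrated factors {sorted(missing)}")
        for factor, rating in self.ratings.items():
            if factor not in WEIGHTS or rating not in (0, 1, 2, 3):
                raise ValueError(f"{self.name}: bad rating {factor}={rating}")
        return sum(WEIGHTS[f] * self.ratings[f] for f in WEIGHTS)

    def tier(self) -> str:
        s = self.score()
        tier = ("critical" if s >= 2.25 else "high" if s >= 1.5
                else "moderate" if s >= 0.75 else "low")
        # Assumed policy override: a vendor holding highly sensitive member data is
        # never rated below "high", however small the rest of its profile.
        if self.ratings["data_sensitivity"] == 3 and tier in ("moderate", "low"):
            tier = "high"
        return tier

    def next_review(self) -> date:
        return self.last_review + timedelta(days=TIERS[self.tier()][0])

    def review_due(self, today: date) -> tuple[bool, str]:
        """(due, reason): escalation events take precedence over the calendar."""
        hits = sorted(self.events & ESCALATION_TRIGGERS)
        if hits:
            return True, "escalation: " + ", ".join(hits)
        if today >= self.next_review():
            return True, f"{self.tier()} review overdue since {self.next_review()}"
        return False, f"next {self.tier()} review {self.next_review()}"


# Constructed sample inventory (fictional vendors and ratings).
SAMPLE_VENDORS = [
    VendorAssessment("Core Processor", dict(
        new_service=0, financial_impact=3, reputation_impact=3, operations_significance=3,
        data_sensitivity=3, compliance_risk=3, member_impact=3), date(2017, 1, 15)),
    VendorAssessment("Email Marketing SaaS", dict(
        new_service=1, financial_impact=0, reputation_impact=2, operations_significance=0,
        data_sensitivity=3, compliance_risk=1, member_impact=1), date(2017, 6, 1)),
    VendorAssessment("Office Supplies", dict(
        new_service=0, financial_impact=1, reputation_impact=0, operations_significance=0,
        data_sensitivity=0, compliance_risk=0, member_impact=0), date(2016, 3, 1)),
    VendorAssessment("Check Printing", dict(
        new_service=0, financial_impact=1, reputation_impact=2, operations_significance=2,
        data_sensitivity=2, compliance_risk=2, member_impact=2), date(2017, 9, 1),
        events={"insolvency"}),
]


def review_queue(vendors: list[VendorAssessment], today: date) -> list[tuple[str, str, str]]:
    """Vendors needing attention as of `today`: (name, tier, reason), escalations first."""
    due = [(v.name, v.tier(), reason) for v in vendors
           for ok, reason in [v.review_due(today)] if ok]
    return sorted(due, key=lambda t: (not t[2].startswith("escalation"), t[0]))


def sample_queue(today_iso: str = "2017-10-01") -> list[tuple[str, str, str]]:
    return review_queue(SAMPLE_VENDORS, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for name, tier, reason in sample_queue():
        print(f"{name:22} {tier:9} {reason}")
```

Run as is, only the insolvent check printer appears in the queue; move the date past January 2018 and the core processor's annual critical-tier review shows up behind it. The email marketing vendor scores as moderate on the weighted sum but is pulled up to high by the data-sensitivity override, which is the kind of rule a policy should state explicitly rather than leave to the arithmetic.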
Monitoring Third Parties with a SOC Report
  Service Organization Control 1 (SOC 1)
    Distribution: Restricted use report (Type I or Type II)
    Purpose: Reports on controls relevant to user entities' financial statement audits
  Service Organization Control 2 (SOC 2)
    Distribution: Generally a restricted use report (Type I or Type II)
    Purpose: Reports on controls related to compliance or operations
    Trust Services Principles & Criteria: Security, Availability, Processing Integrity, Confidentiality, Privacy
  Service Organization Control 3 (SOC 3)
    Distribution: General use report (with a public seal)
    Purpose: Reports on controls related to compliance or operations
    Trust Services Principles & Criteria: Security, Availability, Processing Integrity, Confidentiality, Privacy
  A Type I report covers the design of controls at a point in time; a Type II report also tests operating effectiveness over a review period (commonly six to twelve months).
Monitoring Third Parties with a SOC Report
  - Is this the right report?
  - Is our location and service covered?
  - Is it the correct period?
  - What are the results of the Independent Auditor's Report opinion?
  - Did they use any subservice providers?
  - Does the department have the appropriate internal controls to address the User Considerations section?
  - Did they cover all the control objectives?
  - Were the test steps sufficient?
  - Evaluate the deviations.
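The SOC comparison and the review checklist above can be turned into a first-pass screen that runs before a reviewer reads the report in detail. The script below is an added example, not code from the presentation or from PKF O'Connor Davies. It encodes the checklist questions as checks on a report's metadata against how the credit union actually uses the service. The report, the usage profile and the vendor names are constructed sample data, and the 180-day bridge-letter threshold and the field names are assumptions, not rules stated on the slide.

```python
"""Screen a vendor's SOC report against the review questions on the
"Monitoring Third Parties with a SOC Report" slide.

Added illustration, not code from the presentation. The report, the usage
profile and the vendor names are constructed; the 180-day bridge-letter
threshold and the field names are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

BRIDGE_LETTER_MAX_GAP_DAYS = 180   # assumed policy threshold


@dataclass
class SocReport:
    vendor: str
    soc: int                          # 1, 2 or 3
    type_: int                        # 1 = design at a point in time, 2 = operating effectiveness over a period
    period_end: date
    services: set[str]
    locations: set[str]
    criteria: set[str]                # trust services principles covered (SOC 2 / SOC 3)
    opinion: str                      # "unqualified", "qualified", "adverse" or "disclaimer"
    subservice_orgs: dict[str, str]   # name -> "inclusive" or "carve-out"
    cuecs: list[str] = field(default_factory=list)       # complementary user entity controls
    deviations: list[str] = field(default_factory=list)  # exceptions noted in testing


@dataclass
class Usage:
    services: set[str]
    locations: set[str]
    criteria: set[str]                # principles we rely on
    financial_reliance: bool          # does the service feed our financial statements?
    subservice_reports_on_file: set[str]
    cuecs_addressed: set[str]


def screen(report: SocReport, use: Usage, today: date) -> list[str]:
    """Return the follow-up items a reviewer should raise; an empty list means no gaps found."""
    f: list[str] = []
    # Is this the right report?
    if use.financial_reliance and report.soc != 1:
        f.append(f"wrong report: financial-statement reliance calls for a SOC 1, received SOC {report.soc}")
    if not use.financial_reliance and report.soc == 1:
        f.append("wrong report: SOC 1 covers ICFR-relevant controls only; request a SOC 2 for security/operations")
    if report.soc == 3:
        f.append("wrong report: SOC 3 is a general-use summary; request the SOC 2 for control detail")
    if report.type_ == 1:
        f.append("type I: design at a point in time only; operating effectiveness was not tested")
    # Is our location and service covered? Are all the control objectives we rely on covered?
    for label, ours, theirs in (("service", use.services, report.services),
                                ("location", use.locations, report.locations),
                                ("criteria", use.criteria, report.criteria)):
        for item in sorted(ours - theirs):
            f.append(f"{label} not covered: {item}")
    # Is it the correct period?
    gap = (today - report.period_end).days
    if gap > BRIDGE_LETTER_MAX_GAP_DAYS:
        f.append(f"period ended {report.period_end}, {gap} days ago; obtain a bridge letter or a newer report")
    # What does the auditor's opinion say?
    if report.opinion != "unqualified":
        f.append(f"{report.opinion} opinion: read the basis for the opinion before placing any reliance")
    # Did they use any subservice providers?
    for name, method in sorted(report.subservice_orgs.items()):
        if method == "carve-out" and name not in use.subservice_reports_on_file:
            f.append(f"subservice organization carved out: obtain and review {name}'s own SOC report")
    # Does our department have controls for the User Considerations section?
    for cuec in report.cuecs:
        if cuec not in use.cuecs_addressed:
            f.append(f"user control not addressed on our side: {cuec}")
    # Evaluate the deviations.
    for d in report.deviations:
        f.append(f"deviation: {d}; assess impact and compensating controls")
    return f


# Constructed sample data (fictional vendor, report and usage).
SAMPLE_REPORT = SocReport(
    vendor="Example Online Banking Corp.", soc=2, type_=2, period_end=date(2017, 3, 31),
    services={"online banking", "bill pay"}, locations={"Dallas, TX"},
    criteria={"Security", "Availability"}, opinion="unqualified",
    subservice_orgs={"ExampleCloud Hosting": "carve-out"},
    cuecs=["user entity restricts service access to authorized personnel",
           "user entity reviews daily exception reports"],
    deviations=["1 of 25 sampled terminated users was not removed within 24 hours"],
)
SAMPLE_USAGE = Usage(
    services={"online banking", "bill pay", "mobile banking"}, locations={"Dallas, TX"},
    criteria={"Security", "Availability", "Confidentiality"}, financial_reliance=False,
    subservice_reports_on_file=set(),
    cuecs_addressed={"user entity restricts service access to authorized personnel"},
)


def sample_screening(today_iso: str = "2017-10-15") -> list[str]:
    return screen(SAMPLE_REPORT, SAMPLE_USAGE, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for line in sample_screening():
        print("-", line)
```

For the sample, the screen raises six items: a service the report does not cover, a principle the report does not cover, a report period that ended more than 180 days ago, a carved-out hosting provider with no report of its own on file, a user-entity control the credit union has not mapped to anything, and the deviation. None of these is a conclusion about the vendor; each is a question the reviewer still has to close with the department, the vendor or a further report.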
Contact Info: Mark Bednarz, MS, CPA, CISA, CFE, PKF O'Connor Davies, LLP, Partner, Head of Risk Advisory. P: 646-449-6376 E: mbednarz@pkfod.com