IT Vendor Assessments
DESCRIPTION
Transcript of the PowerPoint presentation "IT Vendor Assessments: How safe is your data after it leaves your control?" by Howard Haile and Bill McSpadden.
TRANSCRIPT
![Page 1: IT Vendor Assessments](https://reader035.vdocuments.us/reader035/viewer/2022070404/56813ad0550346895da2f765/html5/thumbnails/1.jpg)
IT Vendor Assessments
How safe is your data after it leaves your control?
Howard Haile, Bill McSpadden
![Page 2: IT Vendor Assessments](https://reader035.vdocuments.us/reader035/viewer/2022070404/56813ad0550346895da2f765/html5/thumbnails/2.jpg)
Topics Covered
• Why conduct a vendor audit?
• Organizing the internal processes
• Identifying who needs to be involved
• Get information about your vendors
• Survey and assess the vendors
• Monitor and remediate
![Page 3: IT Vendor Assessments](https://reader035.vdocuments.us/reader035/viewer/2022070404/56813ad0550346895da2f765/html5/thumbnails/3.jpg)
Potential Problem Areas
• Industries
  – Banking
  – Healthcare
• Business Processes
  – Employee processes (payroll, 401k)
  – Customer service
• IT processes
  – Cloud computing
  – Backup/recovery
  – Help desk
![Page 4: IT Vendor Assessments](https://reader035.vdocuments.us/reader035/viewer/2022070404/56813ad0550346895da2f765/html5/thumbnails/4.jpg)
Why Audit Your Vendor?
• You can’t control information once it leaves your control
• You are putting a great deal of control in the hands of your vendors
• Your vendor may pass your data to other people – who you don’t know and who have no obligation to you
![Page 5: IT Vendor Assessments](https://reader035.vdocuments.us/reader035/viewer/2022070404/56813ad0550346895da2f765/html5/thumbnails/5.jpg)
• A hack on your vendor may leave your organization as exposed as if you had been hacked.
![Page 6: IT Vendor Assessments](https://reader035.vdocuments.us/reader035/viewer/2022070404/56813ad0550346895da2f765/html5/thumbnails/6.jpg)
Why Not a SAS70?
• SAS70 does not specify a pre-determined set of control objectives or control activities that service organizations must achieve.
• SAS70 is used for financial reporting compliance – not other compliance requirements (HIPAA, GLB, etc.).
• May not cover some important areas like Disaster Recovery, etc.
• May not be available (too small, out of US)
![Page 7: IT Vendor Assessments](https://reader035.vdocuments.us/reader035/viewer/2022070404/56813ad0550346895da2f765/html5/thumbnails/7.jpg)
Other 3rd Party Reviews?
• You may be able to use results of other 3rd party reviews to reduce the burden of 1st party inspection.
• However, your organization should perform its own risk assessment!
• Shared Assessments – new organization which supports a standardized set of assessment criteria
![Page 8: IT Vendor Assessments](https://reader035.vdocuments.us/reader035/viewer/2022070404/56813ad0550346895da2f765/html5/thumbnails/8.jpg)
Other Types of Reviews
• ISO 17799 (info security)
• ISO 9000 series (quality)
• Trust Services (security oriented, including availability)
![Page 9: IT Vendor Assessments](https://reader035.vdocuments.us/reader035/viewer/2022070404/56813ad0550346895da2f765/html5/thumbnails/9.jpg)
Get Everyone On Board
• Develop standards and procedures surrounding data
• Make sure it covers:
  – Vendor management (purchasing, etc.)
  – IT
  – Field offices
  – Employee awareness
![Page 10: IT Vendor Assessments](https://reader035.vdocuments.us/reader035/viewer/2022070404/56813ad0550346895da2f765/html5/thumbnails/10.jpg)
Purchasing
• Get 'right to audit' in contract
• Spell out obligations
  – Proactive (not just penalties for failure)
  – Prescribe necessary precautions
• Make the obligations part of the solicitation and scoring
• Include ‘claw-back’ provisions in the contract for expenses incurred as a result of a breach.
![Page 11: IT Vendor Assessments](https://reader035.vdocuments.us/reader035/viewer/2022070404/56813ad0550346895da2f765/html5/thumbnails/11.jpg)
IT
• Information classification needs to be emphasized
• Heightened awareness required, particularly involving data repositories
• Strong change request process is very useful
• Need heightened awareness involving encryption
• Direct access to your network heightens the risk as it potentially exposes ALL of your data!!!
![Page 12: IT Vendor Assessments](https://reader035.vdocuments.us/reader035/viewer/2022070404/56813ad0550346895da2f765/html5/thumbnails/12.jpg)
Field Offices
• What is their ability to contract independently?
• How de-centralized is IT?
![Page 13: IT Vendor Assessments](https://reader035.vdocuments.us/reader035/viewer/2022070404/56813ad0550346895da2f765/html5/thumbnails/13.jpg)
Employee Awareness
• Employees need to be aware of data sensitivity
• Reminder that email attachments (spreadsheets, cut/paste lists, etc.) are covered
• Provide a point of contact for questions
• Periodic reminders
![Page 14: IT Vendor Assessments](https://reader035.vdocuments.us/reader035/viewer/2022070404/56813ad0550346895da2f765/html5/thumbnails/14.jpg)
Data classification
• Sensitive data needs to be identified
• Remember combinations of data
• Don't send unnecessary data, e.g. account numbers
![Page 15: IT Vendor Assessments](https://reader035.vdocuments.us/reader035/viewer/2022070404/56813ad0550346895da2f765/html5/thumbnails/15.jpg)
Discussion Questions
1. Should you hold your vendors to the same information security specs as your own?
2. Do you hold your vendors to the same information security specs as your own?
3. What would it take to satisfy you of the vendors’ security over information?
4. What is your organization doing to satisfy themselves with regard to vendor security?
![Page 16: IT Vendor Assessments](https://reader035.vdocuments.us/reader035/viewer/2022070404/56813ad0550346895da2f765/html5/thumbnails/16.jpg)
Assessment Process
1. Rank the risk
2. Identify the vendors (all or some?)
3. Survey vendors
4. Score the survey
5. Identify weaknesses
6. Decide on remediation process
![Page 17: IT Vendor Assessments](https://reader035.vdocuments.us/reader035/viewer/2022070404/56813ad0550346895da2f765/html5/thumbnails/17.jpg)
Pre-Survey Steps
Does the vendor know what is expected – in detail?
Do you have a good contact at the vendor, if permitted?
What sort of tracking system do you need?
Who is responsible for devising, administering and scoring the survey?
![Page 18: IT Vendor Assessments](https://reader035.vdocuments.us/reader035/viewer/2022070404/56813ad0550346895da2f765/html5/thumbnails/18.jpg)
Survey Process
• Develop the survey
• Devise a scoring system (Keep it simple!)
• Design the questions to be ‘gradable’
• Have all vendors complete a standard questionnaire.
• Review and score questionnaire – use same criteria.
• Use 'skepticism' when grading
• Evaluate by predetermined score
![Page 19: IT Vendor Assessments](https://reader035.vdocuments.us/reader035/viewer/2022070404/56813ad0550346895da2f765/html5/thumbnails/19.jpg)
Survey Considerations
• Once high-risk vendors are completed, are you comfortable with the results? If not, keep going until you begin to feel comfortable
• Evaluate risks against questionnaire score
• High risk data/processes necessitate high vendor score
• Determine if additional info, including site visit, is needed
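The scoring approach from the Survey Process and Survey Considerations slides, worked as an added example (not part of the deck): gradable answers, skeptical grading of claims that come without evidence, a predetermined pass score per vendor risk rank, and a list of the controls that fell short for the remediation step. The questions, weights, thresholds and the sample response are all constructed for illustration.

```python
# Constructed thresholds: the minimum questionnaire score a vendor must
# reach, set by the risk rank assigned to the data/process it handles.
PASS_THRESHOLD = {"high": 90, "medium": 75, "low": 60}

# Hypothetical questions drawn from the deck's topics (not the real SIG):
# (question id, control topic, weight = relative importance of the control)
QUESTIONS = [
    ("Q1", "data encrypted in transit", 3),
    ("Q2", "employee background checks", 2),
    ("Q3", "incident response notifies client", 3),
    ("Q4", "documented change control process", 2),
]

def grade_answer(answer):
    """answer = {'claim': 'yes'|'partial'|'no', 'evidence': bool} -> 0.0..1.0"""
    base = {"yes": 1.0, "partial": 0.5, "no": 0.0}[answer["claim"]]
    # Skeptical grading: a claim with no supporting evidence earns at most
    # partial credit, so a 'yes' on paper is not taken at face value.
    if base > 0 and not answer.get("evidence", False):
        base = min(base, 0.5)
    return base

def score_vendor(answers, questions=QUESTIONS):
    """Return (0-100 score, topics that did not earn full credit)."""
    total = sum(weight for _, _, weight in questions)
    earned, weak = 0.0, []
    for qid, topic, weight in questions:
        g = grade_answer(answers[qid])
        earned += g * weight
        if g < 1.0:
            weak.append(topic)  # candidate deficiency for remediation
    return round(100 * earned / total), weak

def evaluate(vendor_risk, answers):
    """Compare the score with the predetermined threshold for the risk tier."""
    score, weak = score_vendor(answers)
    needed = PASS_THRESHOLD[vendor_risk]
    status = "pass" if score >= needed else "remediate"
    return {"score": score, "needed": needed, "status": status, "weaknesses": weak}

# Constructed sample response from one vendor handling high-risk data.
SAMPLE_ANSWERS = {
    "Q1": {"claim": "yes", "evidence": True},
    "Q2": {"claim": "yes", "evidence": False},  # claimed, nothing provided
    "Q3": {"claim": "partial", "evidence": True},
    "Q4": {"claim": "yes", "evidence": True},
}

print(evaluate("high", SAMPLE_ANSWERS))  # score 75 < 90 -> remediate
```

The same response would pass for a low-risk vendor, which is the point of ranking risk before scoring: the threshold, not the questionnaire, changes with the sensitivity of the data.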
![Page 20: IT Vendor Assessments](https://reader035.vdocuments.us/reader035/viewer/2022070404/56813ad0550346895da2f765/html5/thumbnails/20.jpg)
On-site inspections?
• High risk vendors may require on-site inspection
• High risk implies sensitive data and/or questionable safeguards
• Set up a schedule based on risk assessment. The higher the risk, the greater the frequency.
• Might be a good opportunity for employing consultants whose presence overlaps your vendors
![Page 21: IT Vendor Assessments](https://reader035.vdocuments.us/reader035/viewer/2022070404/56813ad0550346895da2f765/html5/thumbnails/21.jpg)
Vendor - Background Info
• Nature of service provided
• Frequency that information is supplied to vendor
• List of data elements provided (selection criteria is not essential)
• How data is transported (transport method and encryption technique)
![Page 22: IT Vendor Assessments](https://reader035.vdocuments.us/reader035/viewer/2022070404/56813ad0550346895da2f765/html5/thumbnails/22.jpg)
Vendor - Background (cont’d)
• Will any of the data reside outside of the US?
• Are any of the services provided further outsourced? (If so, more detailed information on nature, location, etc. is required)
![Page 23: IT Vendor Assessments](https://reader035.vdocuments.us/reader035/viewer/2022070404/56813ad0550346895da2f765/html5/thumbnails/23.jpg)
Vendor Oversight
• Regulatory or other Governance the vendor must follow (HIPAA, PCI, banking, SOX, SAS70, etc.)
• Are your data/processes covered by those compliance processes? If so, can those regulatory bodies affect your organization?
• Employee policies (confidentiality agreements, background checks, termination process within systems, etc.)
![Page 24: IT Vendor Assessments](https://reader035.vdocuments.us/reader035/viewer/2022070404/56813ad0550346895da2f765/html5/thumbnails/24.jpg)
Vendor – Process Inventory
• Provide a specific list of servers, databases, and networks where data will reside or be processed
• Provide information on each (location, operating systems, age, etc.)
![Page 25: IT Vendor Assessments](https://reader035.vdocuments.us/reader035/viewer/2022070404/56813ad0550346895da2f765/html5/thumbnails/25.jpg)
Vendor - Security Questions
• Describe security policies
• Provide data classification grid
• How does the vendor’s classification match your data classification scheme?
• Technical/logical system controls
![Page 26: IT Vendor Assessments](https://reader035.vdocuments.us/reader035/viewer/2022070404/56813ad0550346895da2f765/html5/thumbnails/26.jpg)
Vendor – Physical Risks
• Physical security of facilities (accessibility by public)
• Data Center
• Off-site data storage – is your data going to yet another vendor?
• Call center services (if in scope)
• Identity theft monitoring process
![Page 27: IT Vendor Assessments](https://reader035.vdocuments.us/reader035/viewer/2022070404/56813ad0550346895da2f765/html5/thumbnails/27.jpg)
Vendor Business Continuity
• Business Continuity plans (may not be in scope depending upon nature of the services provided)
• What is the recovery timeframe for your data and equipment?
• Does response time match your need?
• Does the response time match your contract?
• Has your data and equipment recovery been specifically tested?
![Page 28: IT Vendor Assessments](https://reader035.vdocuments.us/reader035/viewer/2022070404/56813ad0550346895da2f765/html5/thumbnails/28.jpg)
Handling 3rd Parties
• What processes are further sub-contracted to a 3rd party? NOTE: same assessment process needs to be followed for the 3rd party
• What are your rights with regards to 3rd party inspections or ability to have primary vendor inspect?
![Page 29: IT Vendor Assessments](https://reader035.vdocuments.us/reader035/viewer/2022070404/56813ad0550346895da2f765/html5/thumbnails/29.jpg)
Vendor Documentation
• Any documentation from third party reviews (PCI, SAS-70, BITS)
• Organization chart (especially showing security responsibility and hierarchy)
• Outline or listing of security policies and procedures in place (an index or table of contents, etc.)
• Process documentation or results of any security risk assessment processes
![Page 30: IT Vendor Assessments](https://reader035.vdocuments.us/reader035/viewer/2022070404/56813ad0550346895da2f765/html5/thumbnails/30.jpg)
Vendor Doc (cont’d)
• Employee background check template to verify scope
• Floor plan diagram showing security devices (i.e. cameras, badge readers, etc)
• Access control list for the data center (if applicable)
• Account password settings (screen shot of settings for systems)
![Page 31: IT Vendor Assessments](https://reader035.vdocuments.us/reader035/viewer/2022070404/56813ad0550346895da2f765/html5/thumbnails/31.jpg)
Vendor Doc (cont’d)
• Audit/logging policies for systems processing/protecting
• Data retention and secure purging related policies and procedures.
• eDiscovery program
• Incident response plan – is your organization notified promptly?
• A sample of the change control process sign off form or document recording approval for system/software changes
• Org chart
![Page 32: IT Vendor Assessments](https://reader035.vdocuments.us/reader035/viewer/2022070404/56813ad0550346895da2f765/html5/thumbnails/32.jpg)
Managing Deficiencies
• Prioritize the deficiencies
• Ensure that purchasing and business unit is aware of vendor deficiencies – and potential impact
• Work with vendor and purchasing to develop a reasonable timeline to fix
• If necessary, begin enforcing contractual penalties
![Page 33: IT Vendor Assessments](https://reader035.vdocuments.us/reader035/viewer/2022070404/56813ad0550346895da2f765/html5/thumbnails/33.jpg)
One More Thought (or so)
If you provide outsourced services:
• What are you doing to provide this info?
• Are you meeting your obligations?
• What are the processes for keeping your clients informed?
• What do you outsource that might create a problem?
![Page 34: IT Vendor Assessments](https://reader035.vdocuments.us/reader035/viewer/2022070404/56813ad0550346895da2f765/html5/thumbnails/34.jpg)
Call to Action
• Assess the process for managing information flow to outside parties
• Identify the risks for data residing outside your direct control
• Evaluate external organizations’ ability to secure your data
![Page 35: IT Vendor Assessments](https://reader035.vdocuments.us/reader035/viewer/2022070404/56813ad0550346895da2f765/html5/thumbnails/35.jpg)
More Information
Shared Assessments – http://sharedassessments.org/
• Agreed Upon Procedures
• Standard Info Gathering Questionnaire
• Low/high risk questionnaire
• Business Continuity questionnaire
• Privacy Continuity questionnaire