Vendor Risk Management. Cover the basics of a good … County / IIA OC presentation ... Vendor Risk ...
TRANSCRIPT
Vendor Risk Management: cover the basics of a good VRM program, standards, frameworks, pitfalls and best outcomes.
OC Chapter
Why Assess a Vendor?
- You don't want to become a Target for hackers via your vendor's weak IT controls
- You may have to comply with various, ever-increasing regulatory and other compliance frameworks:
  - HIPAA
  - PCI
  - FFIEC
  - Many others
Proprietary and Confidential. Do Not Distribute. © Regents and Park, Inc. All rights reserved
FFIEC Announcement
- "The appendix highlights that a financial institution's reliance on third-party service providers to perform or support critical operations does not relieve a financial institution of its responsibility to ensure that outsourced activities are conducted in a safe and sound manner. An effective third-party management program should provide the framework for financial institution management to identify, measure, monitor, and mitigate the risks associated with outsourcing. Specifically, a financial institution should ensure that its third-party service providers do not negatively affect its ability to appropriately recover IT systems and return critical functions to normal operations in a timely manner:"
  - Third-Party Management
  - Third-Party Capacity
  - Testing with Third-Party Technology Service Providers
  - Cyber Resilience
Assessment Approach
- Three key types of assessment approach:
  1. Spreadsheets and Word documents
  2. GRC tools (such as Evantix, Archer, MetricStream)
  3. Onsite interview and observation
Business Continuity Planning (BCP) - sample control assessment worksheet (control findings, control evaluation, management response)

Worksheet columns: DOI Questionnaire Ref #; DOI Questionnaire Question; Management Response; Control Activity Findings; Supporting Evidence; Other Audit Documentation Used?; Control Assessment; Previous Audit Recommendations; Remediation Recommendation; Comments; Evaluation of Response

Ref #: E1
Question: Is the business contingency plan a) current, b) based on a business impact analysis, c) has it been tested, and d) does it address all significant business activities, including financial functions, telecommunication services, data processing services and network services?
Management Response: Y
Control Activity Findings: Based on inquiry, and review of company documentation, it appears that:
  1a) Current Business Continuity Plans are maintained and saved on an internal portal - PaceMaker (PaceMaker Initial Screen.pdf). They cover both business and technical/IT aspects of disaster recovery and business continuity. The samples selected (Claims, IT, and Financial Reporting) include sections for Maintenance Phase - Mandatory Update As Required, Quarterly & Semi-Annual Review of Critical Information, Testing, Recovery Phase - Pre-Activation, Activation, Critical Operations, Full Recovery, Post Recovery and Reference Attachments for applicable locations (Claims BCP.pdf, Financial Reporting BCP.pdf, IT BCP General.pdf, IT BCP Hot-Site Implementation Team.pdf, IT BCP Alternative Office Support Team.pdf, IT BCP Telecommunication Recovery Team.pdf). A Confidential Crisis Management Plan also exists and was examined with management. Hard-copy binders are kept by key executives at off-site locations. The IT department also maintains BCPs for significant systems/applications and databases on the company's SharePoint portal (BCP System Recovery Procedures.Sharepoint Folder.pdf, BCP Zeus Recovery Procedures Folder.pdf, BCP Oracle Financials Recovery Procedures Folder.pdf). The system BCPs outline specific procedures for recovering the system after a disaster (Control Procedures IT - BRP Zeus Checks.doc, DBA BCP Procedures.doc, Forms_10_BCP_Documentation-v3.doc, R12 OAP BCP Process.doc).
  1b) Management indicates that a comprehensive business impact analysis (BIA) has been performed for significant business areas and is maintained and saved to PaceMaker (PaceMaker Initial Screen.pdf). The documented BIA examines areas such as: Background Information - General, Process Description, Operating Locations, Peak Operating Times & Cycle Time, Annualized Return, Annualized Production Output; Resource Requirements - General Resource Requirements, Notes, Key Records, Data, Intellectual Property & Documentation and Records Management Process, Disaster Preparedness/Work From Home Capabilities; Dependencies - Key Customers, Service Level Agreements w/ Customers, Process Dependencies, Product Dependencies, Technology Dependencies, Vendor/External Dependencies; Regulatory Requirements - Regulatory Considerations, Reporting Requirements; and BIA - Recovery Objectives, Reputation Impairment - Customer and Stakeholder Considerations, Employees, Cash Flow Interruption, Financial Control and Reporting Exposure and Contractual Noncompliance (Claims BIA.pdf, Financial Reporting BIA.pdf). BCP-System RTOs.xls documents the Recovery Time Objectives for IT Supported Business Applications per Department/Functional area.
Supporting Evidence (1a): PaceMaker Initial Screen.pdf; Claims BCP.pdf; Financial Reporting BCP.pdf; IT BCP General.pdf; IT BCP Hot-Site Implementation Team.pdf; IT BCP Alternative Office Support Team.pdf; IT BCP Telecommunication Recovery Team.pdf; BCP System Recovery Procedures.Sharepoint Folder.pdf; BCP Zeus Recovery Procedures Folder.pdf; BCP Oracle Financials Recovery Procedures Folder.pdf; Control Procedures IT - BRP Zeus Checks.doc; DBA BCP Procedures.doc; Forms_10_BCP_Documentation-v3.doc; R12 OAP BCP Process.doc
Supporting Evidence (1b): PaceMaker Initial Screen.pdf; Claims BIA.pdf; Financial Reporting BIA.pdf
Other Audit Documentation Used?: N
Control Assessment: Based on the information provided, this control appears to be at CobiT Maturity Model Level 4 - Managed and Measurable.
Previous Audit Recommendations: None
Remediation Recommendation: None
Comments: N/A
Evaluation of Response: N/A
Frameworks and Standards
- ISO, 2013 version
  - Not an assessment tool, more an ISMS, but some have adapted it to fit VRM
- NIST
- PCI version 3.1
- HIPAA, 2014 update
- Shared Assessments
  - Licensed version 2015
SIG Lite - sample question-to-framework mapping

Mapping columns: Ques Num; SIG Question Text; Response; Additional Information; AUP 2015 Relevance; ISO 27002:2013 Relevance; COBIT 4.0 Relevance; PCI 3.0; FFIEC; COBIT 4.1 Relevance; Shared Assessments Program Cloud Computing White Paper Description. (The Response, Additional Information and Cloud Computing White Paper columns are blank in this extract.)

A. Risk Assessment and Treatment
SL.1 Is there a risk assessment program that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the program?
  AUP 2015: A.1 IT & Infrastructure Risk Governance and Context
  ISO 27002:2013: 5.1, 6.1.2 Leadership & Commitment, Information Security Risk Assessment
  PCI 3.0: 12.2
  FFIEC: IS.1.3.1, BCP.1.2.1, BCP.1.3.5, MGMT.1.6.1.1, OPS.1.3
  COBIT 4.1: PO9.4

B. Security Policy
SL.2 Is there an information security policy that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the policy?
  AUP 2015: B.1 Information Security Policy Content & Maintenance
  ISO 27002:2013: 5.1.1 Policies for information security
  COBIT 4.0: PO6.1 IT policy and control environment
  PCI 3.0: 5.4, 12.1
  FFIEC: IS.1.4.1
  COBIT 4.1: PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1
SL.3 Have the policies been reviewed in the last 12 months?
  AUP 2015: B.1 Procedure: d
  ISO 27002:2013: 5.1.2 Review of the policies for information security
  COBIT 4.0: PO3.1 Technological direction planning
  PCI 3.0: 12.2.b
  FFIEC: IS.1.4.2.7
  COBIT 4.1: PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7
SL.4 Is there a vendor management program?
  PCI 3.0: 12.8
  FFIEC: N/A
  COBIT 4.1: N/A

C. Organizational Security
SL.5 Is there a respondent information security function responsible for security initiatives?
  AUP 2015: C.3 Security Organization Roles/Responsibilities
  ISO 27002:2013: 6.1.1 Information Security Roles and Responsibilities
  COBIT 4.0: PO3.3 Monitoring of future trends and regulations
  PCI 3.0: 12.5
  FFIEC: IS.1.7.4, MGMT.1.6.1.6
  COBIT 4.1: PO3.3, PO3.5, PO4.3, PO4.4, PO4.5, PO4.8, PO6.3, PO6.4, PO6.5, DS5.1
SL.6 Do external parties have access to Scoped Systems and Data or processing facilities?
  ISO 27002:2013: 15 Supplier relationships
  PCI 3.0: 12.8
  FFIEC: N/A
  COBIT 4.1: PO6.4, DS5.5, ME2.2, ME2.5, ME4.7

D. Asset Management
SL.7 Is there an asset management policy or program that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the policy?
  AUP 2015: D. Asset Management
  ISO 27002:2013: 8.1 Responsibility for Assets
  COBIT 4.0: N/A
  PCI 3.0: N/A
  COBIT 4.1: PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6
SL.8 Are information assets classified?
  AUP 2015: D.1.c.6
  ISO 27002:2013: 8.2.1 Classification of Information
  COBIT 4.0: PO2.3 Data classification scheme
  PCI 3.0: 9.6.1
  FFIEC: N/A
  COBIT 4.1: PO2, AI2, DS9

E. Human Resource Security
SL.9 Are security roles and responsibilities of constituents defined and documented in accordance with the respondent's information security policy?
  AUP 2015: C.3 Security Organization Roles/Responsibilities
  ISO 27002:2013: 6.1.1 Information security roles and responsibilities
  COBIT 4.0: PO4.6 Roles and responsibilities
  PCI 3.0: 12.1
  FFIEC: IS.2.M.15.1, MGMT.1.6.1.2, WPS.2.2.1.3.1
  COBIT 4.1: PO4.6, PO4.8, PO6.3, PO7.1, PO7.2, PO7.3, DS5.4
Value of a Remote Assessment
- Audit trail
- Sales or CSO completing the assessment
- Delegation functionality
  - Vendor's vendor!
  - Procurement contract
  - RFI
- Provides attachments
- Questions scored
- Questions and sections weighted
- Cheaper to perform over hundreds of vendors
Onsite Assessment
- Interview
- Observation
- Data collection
- Immediate remediation suggestions
- Ability to gauge the honesty of the vendor's management
- Overall risk assessment is more accurate
- Why not do both!
  - Remote assessment followed by onsite for a subset of the overall vendor pool
- A bit less of him! (slide image)
- And more of this! (slide image)
VRM Assessment Process
- Relationship Assessment
- Profile Assessment
- Control Assessment
Relationship Assessment
(Slide figure: vendors tiered into High Risk, Med Risk and Low Risk)
Profile Assessment
- Source: D&B, Experian, Thomson Reuters
- Value: RFP selector, fraud indicator
- Result: Go / No-Go, onsite, reserves against losses
Control Assessment
(Slide flow)
- SaaS Assessment -> Assess ISO -> Result: Low Risk Score -> Move to Annual Assessment status
- Onsite Assessment -> Interview and Observation -> Result: Med Risk Score -> Move to Remediation status
- Remediation -> Opt for a 30 / 60 / 90 day plan for remediation of gaps -> Re-Assess
Assessment Frequency
- Annual assessment
  - First year
  - Small number of vendors
  - Assessing high-risk vendors only
- 2- and 3-year rotational plan
  - Med- and low-risk vendors
  - Too many vendors to assess
  - Vendor changes in service and/or supply type
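The scored, section-weighted questionnaire, the low/medium score routing and the 30/60/90 day remediation and rotation plan from the slides above, as an added Python example that is not part of the deck or of any Regents & Park tooling. The section weights, the 80/50 tier cut-offs and the inverted treatment of SL.6 are assumptions; the answer set is constructed; the question-to-section map comes from the SIG Lite extract on this page.

```python
"""Weighted scoring and routing for a SIG Lite style vendor control assessment.

Assumed model (constructed for this example, not the deck's own numbers):
answers score Y=1, P(artial)=0.5, N=0; each section is averaged and weighted;
tiers are cut at 80 and 50; low -> annual status, medium -> remediation on a
30/60/90-day plan then re-assess, high -> onsite interview and observation.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Question-to-section map taken from the SIG Lite extract on this page.
QUESTION_SECTION = {"SL.1": "A", "SL.2": "B", "SL.3": "B", "SL.4": "B",
                    "SL.5": "C", "SL.6": "C", "SL.7": "D", "SL.8": "D", "SL.9": "E"}
INVERTED = {"SL.6"}  # assumed: a Yes (external parties have access) adds exposure
ANSWER_SCORE = {"Y": 1.0, "P": 0.5, "N": 0.0}
SECTION_WEIGHT = {"A": 3, "B": 3, "C": 2, "D": 1, "E": 1}  # assumed section weights
REASSESS_YEARS = {"high": 1, "medium": 2, "low": 3}  # annual vs 2/3-year rotation

@dataclass
class Outcome:
    score: float
    tier: str
    status: str
    next_assessment: date
    remediation_due: list = field(default_factory=list)

def weighted_score(answers: dict) -> float:
    """Weighted mean of the per-section answer averages, scaled to 0..100."""
    per_section: dict = {}
    for qid, answer in answers.items():
        value = ANSWER_SCORE[answer.upper()]
        if qid in INVERTED:
            value = 1.0 - value
        per_section.setdefault(QUESTION_SECTION[qid], []).append(value)
    weight = sum(SECTION_WEIGHT[s] for s in per_section)
    total = sum(SECTION_WEIGHT[s] * sum(v) / len(v) for s, v in per_section.items())
    return round(100 * total / weight, 1)

def route(answers: dict, assessed_on: str) -> Outcome:
    """Map the score to a tier, a status and the follow-up dates from the deck."""
    start = date.fromisoformat(assessed_on)
    score = weighted_score(answers)
    tier = "low" if score >= 80 else "medium" if score >= 50 else "high"
    status = {"low": "annual assessment", "medium": "remediation", "high": "onsite assessment"}[tier]
    out = Outcome(score, tier, status, start.replace(year=start.year + REASSESS_YEARS[tier]))
    if tier == "medium":  # 30/60/90-day remediation checkpoints, then re-assess
        out.remediation_due = [start + timedelta(days=d) for d in (30, 60, 90)]
    return out

SAMPLE = {"SL.1": "Y", "SL.2": "Y", "SL.3": "N", "SL.4": "N", "SL.5": "Y",  # constructed
          "SL.6": "Y", "SL.7": "P", "SL.8": "N", "SL.9": "Y"}
```

`route(SAMPLE, "2015-06-01")` scores 62.5, lands in the medium tier with remediation checkpoints on 2015-07-01, 2015-07-31 and 2015-08-30 and a re-assessment due 2017-06-01; a 29 February assessment date would need adjusting because `date.replace` is used for the rotation.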
VRM Team
- ITS or Security team
- VRM (Vendor Risk Management) team
- Procurement
- Outsourced professional services
- Internal Audit
  - Independent review of VRM results
  - CPA firms
  - FDIC
Vendor Risks
- Don't be a Target
- No contract over your vendor's vendors
- IP
- Customer DB
- Employee DB
- Outsourced IT
- GEO
- FCPA
- Bankruptcy
  - No longer able to support your need
  - Disappearing hardware and IP
- Risk
  - Reputational
  - Financial
  - Regulatory
Questions
Regents & Park VRM Blog
- LinkedIn blog on VRM
  - www.linkedin.com/in/jasonnjames
  - https://www.linkedin.com/today/author/381038
Regents & Park
- Jason James
  - President
  - +1 (949) 903-2524
- LinkedIn blog on VRM
  - www.linkedin.com/in/jasonnjames
  - https://www.linkedin.com/today/author/381038