091210 it vendor audit

Upload: nasrulloh

Post on 14-Apr-2018


7/30/2019 091210 IT Vendor Audit

1/36

IT Vendor Assessments

How safe is your data after it leaves your control?

Howard Haile, Bill McSpadden

2/36

Topics Covered

Why conduct a vendor audit?

Organizing the internal processes

Identifying who needs to be involved

Get information about your vendors

Survey and assess the vendors

Monitor and remediate

3/36

Potential Problem Areas

Industries: banking, healthcare

Business processes: employee processes (payroll, 401k), customer service

IT processes: cloud computing, backup/recovery, help desk

4/36

Why Audit Your Vendor?

You can't control information once it leaves your control.

You are putting a great deal of control in the hands of your vendors.

Your vendor may pass your data to other people who you don't know and who have no obligation to you.

5/36

A hack on your vendor may leave your organization as exposed as if you had been hacked.

6/36

Why Not a SAS70?

SAS70 does not specify a pre-determined set of control objectives or control activities that service organizations must achieve.

SAS70 is used for financial reporting compliance, not other compliance requirements (HIPAA, GLB, etc.).

May not cover some important areas like Disaster Recovery, etc.

May not be available (too small, out of

7/36

Other 3rd Party Reviews?

You may be able to use results of other 3rd party reviews to reduce the burden of 1st party inspection.

However, your organization should perform its own risk assessment!

Shared Assessments: a new organization which supports a standardized set of assessment criteria

8/36

Other Types of Reviews

ISO 17799 (info security)

ISO 9000 series (quality)

Trust Services (security oriented, including availability)

9/36

Get Everyone On Board

Develop standards and procedures surrounding data

Make sure it covers:

Vendor management (purchasing, etc.)

IT

Field offices

Employee awareness

10/36

Purchasing

Get 'right to audit' in contract

Spell out obligations: proactive (not just penalties for failure)

Prescribe necessary precautions

Make the obligations part of the solicitation and scoring

Include claw-back provisions in the contract for expenses incurred as a result of a breach.

11/36

IT

Information classification needs to be emphasized

Heightened awareness required, particularly involving data repositories

Strong change request process is very useful

Need heightened awareness involving encryption

Direct access to your network heightens

12/36

Field Offices

What is their ability to contract independently?

How de-centralized is IT?

13/36

Employee Awareness

Employees need to be aware of data sensitivity

Reminder that email attachments (spreadsheets, cut/paste lists, etc.) are covered

Provide a point of contact for questions

Periodic reminders

14/36

Data Classification

Sensitive data needs to be identified

Remember combinations of data

Don't send unnecessary data, e.g. account numbers

15/36

Discussion Questions

1. Should you hold your vendors to the same information security specs as your own?

2. Do you hold your vendors to the same information security specs as your own?

3. What would it take to satisfy you of the vendor's security over information?

4. What is your organization doing to satisfy themselves with regard to

16/36

Assessment Process

1. Rank the risk

2. Identify the vendors (all or some?)

3. Survey vendors

4. Score the survey

5. Identify weaknesses

6. Decide on remediation process

17/36

Pre-Survey Steps

Does the vendor know what is expected in detail?

Do you have a good contact at the vendor, if permitted?

What sort of tracking system do you need?

Who is responsible for devising, administering and scoring the survey?

18/36

Survey Process

Develop the survey

Devise a scoring system (keep it simple!)

Design the questions to be gradable

Have all vendors complete a standard questionnaire.

Review and score the questionnaire using the same criteria. Use 'skepticism' when grading.

Evaluate by predetermined score

19/36

Survey Considerations

Once high-risk vendors are completed, are you comfortable with the results? If not, keep going until you begin to feel comfortable.

Evaluate risks against questionnaire score

High-risk data/processes necessitate a high vendor score

Determine if additional info, including a site visit, is needed
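The survey and scoring steps above, worked through as an added example (this is not code from the slides or their authors): a standard questionnaire with weighted, gradable questions is scored with the same criteria for every vendor, the percentage is compared against a threshold that rises with the risk of the data or process involved, and the result decides whether the vendor is accepted, needs a remediation plan, or (for high-risk data) needs a site visit for additional information. Two "skepticism" rules are built in: an unanswered question earns no credit, and a "no" on a must-have control disqualifies the vendor regardless of total score. The question set, weights, credit scale and tier thresholds are constructed assumptions, not values from the presentation.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class Question:
    """One gradable questionnaire item (constructed for this example)."""
    qid: str
    text: str
    weight: int              # relative importance in the weighted total
    must_have: bool = False  # a non-"yes" answer disqualifies regardless of score


# Constructed questionnaire; the topics are the ones the slides ask vendors about.
QUESTIONNAIRE: List[Question] = [
    Question("enc_transit", "Is data encrypted in transit?", 3, must_have=True),
    Question("enc_rest", "Is data encrypted at rest?", 3),
    Question("bg_checks", "Are employee background checks performed?", 2),
    Question("ir_notify", "Does the incident response plan notify you promptly?", 3, must_have=True),
    Question("dr_tested", "Has data/equipment recovery been specifically tested?", 2),
    Question("subcontract", "Are subcontractors disclosed and assessed?", 2),
    Question("logging", "Are audit/logging policies in place?", 1),
]

# Simple grading scale ("keep it simple"): partial answers earn half credit.
CREDIT = {"yes": 1.0, "partial": 0.5, "no": 0.0}

# Minimum percentage required per data-risk tier (constructed values):
# higher-risk data or processes demand a higher vendor score.
TIER_THRESHOLD = {"low": 50.0, "medium": 70.0, "high": 85.0}


@dataclass
class Result:
    percent: float
    decision: str
    failed_must_haves: List[str] = field(default_factory=list)
    weaknesses: List[str] = field(default_factory=list)


def score_vendor(answers: Dict[str, str], risk_tier: str) -> Result:
    """Score one vendor's answers and decide the next step for the given risk tier.

    Skepticism rule: a question the vendor left unanswered is graded as "no".
    Any answer outside the grading scale is rejected rather than guessed at.
    """
    if risk_tier not in TIER_THRESHOLD:
        raise ValueError(f"unknown risk tier: {risk_tier!r}")
    earned = possible = 0.0
    failed_must_haves: List[str] = []
    weaknesses: List[str] = []
    for q in QUESTIONNAIRE:
        answer = answers.get(q.qid, "no").strip().lower()
        if answer not in CREDIT:
            raise ValueError(f"ungradable answer for {q.qid}: {answer!r}")
        credit = CREDIT[answer]
        earned += q.weight * credit
        possible += q.weight
        if credit < 1.0:
            weaknesses.append(q.qid)        # feeds the "identify weaknesses" step
            if q.must_have:
                failed_must_haves.append(q.qid)
    percent = 100.0 * earned / possible
    if failed_must_haves:
        decision = "reject-until-remediated"
    elif percent >= TIER_THRESHOLD[risk_tier]:
        decision = "accept"
    elif risk_tier == "high":
        decision = "on-site-inspection"     # additional information needed
    else:
        decision = "remediation-plan"
    return Result(percent, decision, failed_must_haves, weaknesses)


if __name__ == "__main__":
    # Constructed vendor responses; the third vendor skipped several questions.
    vendors = {
        "vendor-a": {q.qid: "yes" for q in QUESTIONNAIRE} | {"logging": "partial"},
        "vendor-b": {q.qid: "yes" for q in QUESTIONNAIRE} | {"enc_transit": "no"},
        "vendor-c": {"enc_transit": "yes", "bg_checks": "yes",
                     "ir_notify": "yes", "logging": "partial"},
    }
    for name, answers in vendors.items():
        for tier in ("low", "high"):
            r = score_vendor(answers, tier)
            print(f"{name} ({tier} risk): {r.percent:.1f}% -> {r.decision}; "
                  f"weaknesses={r.weaknesses}")
```

The same questionnaire and thresholds are applied to every vendor, which is what makes scores comparable across the vendor population; the tier only changes the bar the score must clear. Vendor C illustrates why the tier matters: the same 53% answer set is acceptable for low-risk data but triggers an on-site inspection when high-risk data is involved.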

20/36

On-site Inspections?

High-risk vendors may require on-site inspection

High risk implies sensitive data and/or questionable safeguards

Set up a schedule based on risk assessment. The higher the risk, the greater the frequency.

Might be a good opportunity for employing consultants whose presence overlaps your vendors

21/36

Vendor - Background Info

Nature of service provided

Frequency that information is supplied to vendor

List of data elements provided (selection criteria is not essential)

How data is transported (transport method and encryption technique)

22/36

Vendor - Background (cont'd)

Will any of the data reside outside of the US?

Are any of the services provided further outsourced? (If so, more detailed information on nature, location, etc. is required)

23/36

Vendor Oversight

Regulatory or other governance the vendor must follow (HIPAA, PCI, banking, SOX, SAS70, etc.)

Are your data/processes covered by those compliance processes? If so, can those regulatory bodies affect your organization?

Employee policies (confidentiality agreements, background checks, termination process within systems, etc.)

24/36

Vendor Process Inventory

Provide a specific list of servers, databases, and networks where data will reside or be processed

Provide information on each (location, operating systems, age, etc.)

25/36

Vendor - Security Questions

Describe security policies

Provide data classification grid

How does your vendor's classification match your data classification scheme?

Technical/logical system controls

26/36

Vendor Physical Risks

Physical security of facilities (accessibility by public)

Data center

Off-site data storage: is your data going to yet another vendor?

Call center services (if in scope)

Identity theft monitoring process

27/36

Vendor Business Continuity

Business continuity plans (may not be in scope depending upon the nature of the services provided)

What is the recovery timeframe for your data and equipment?

Does response time match your need?

Does the response time match your contract?

Has your data and equipment recovery been specifically tested?

28/36

Handling 3rd Parties

What processes are further sub-contracted to a 3rd party?

NOTE: the same assessment process needs to be followed for the 3rd party

What are your rights with regard to 3rd party inspections, or the ability to have the primary vendor inspect?

29/36

Vendor Documentation

Any documentation from third party reviews (PCI, SAS-70, BITS)

Organization chart (especially showing security responsibility and hierarchy)

Outline or listing of security policies and procedures in place (an index or table of contents, etc.)

Process documentation or results of any security risk assessment processes

30/36

Vendor Doc (cont'd)

Employee background check template to verify scope

Floor plan diagram showing security devices (i.e. cameras, badge readers, etc.)

Access control list for the data center (if applicable)

Account password settings (screen shot of settings for systems)

31/36

Vendor Doc (cont'd)

Audit/logging policies for systems processing/protecting data

Data retention and secure purging related policies and procedures.

eDiscovery program

Incident response plan: is your organization notified promptly?

A sample of the change control process sign-off form or document recording approval for system/software changes

Org chart

32/36

Managing Deficiencies

Prioritize the deficiencies

Ensure that purchasing and the business unit are aware of vendor deficiencies and potential impact

Work with vendor and purchasing to develop a reasonable timeline to fix

If necessary, begin enforcing contractual penalties

33/36

One More Thought (or so)

If you provide outsourced services:

What are you doing to provide this info?

Are you meeting your obligations?

What is the process for keeping your clients informed?

What do you outsource that might create a problem?

34/36

Call to Action

Assess the process for managing information flow to outside parties

Identify the risks for data residing outside your direct control

Evaluate external organizations' ability to secure your data

35/36

More Information

Shared Assessments: http://sharedassessments.org/

Agreed Upon Procedures

Standard Info Gathering Questionnaire

Low/high risk questionnaire

Business Continuity questionnaire

Privacy Continuity questionnaire

36/36

Questions & Contact Info

Bill McSpadden ([email protected])

Howard Haile ([email protected])