A Holistic View of Third Party Risk Management November 4, 2019


Page 1: A Holistic View of Management · 2019-11-20 · HOLISTIC VIEW OF TPRM // 5 Benefits of Using Third Parties • Speed to market: Third parties are specialists in their field, who typically

A Holistic View of Third Party Risk Management

November 4, 2019

Page 2

HOLISTIC VIEW OF TPRM // 2

Presenter

• Steve leads the Third Party Risk Management consulting business for Fortress, working with clients in several critical infrastructure industries, including energy, oil & gas, transportation/logistics, entertainment, and financial services

• 25+ years IT experience, 15 years audit/risk/security covering Energy, Financial Services, Healthcare, Government, Public Accounting

Steve Earley, M.S., CISA, CISSP, CRISC, CTPRP, CFSA, ITILv3, MCP
Vice President, Third Party Risk Operations, Fortress Information Security

• Previous gigs:
  o Head of IT audit and cybersecurity for Central Ohio market with Schneider Downs
  o Head of IT operations for a secure web collaboration service with Adobe, serving over 1 million DoD users globally
  o Chief Information Security Officer for a large state government agency; Information Security Officer for two major credit card-issuing banks
  o Founder of his own risk and security consulting business

• Commander (Ret.), U.S. Navy: specialized in information assurance and cyber intelligence

Page 3

ABOUT FORTRESS

Fortress Information Security enables the digital transformation by managing emerging cyber risks.

Fortress is the only company offering services and a customized platform to manage Infosec, 3rd Party & OT security risk in a full end-to-end solution.

We have the trusted expertise — not just in security — but in the critical operational domains where emerging cyber risks are the biggest threats.

Page 4

Agenda: Third Party Risk Management

§ Need for Third Party Risk Management
  Ø Benefits, risks, challenges of using third parties

§ Risk Management Life Cycle
  Ø Due diligence
  Ø Contract negotiation
  Ø Ongoing monitoring
  Ø Termination of contract

§ Conducting Vendor Assessments

§ Documentation and Reporting Standards
  Ø Service Organization Control (SOC) Reports
  Ø SIG / SIG Lite
  Ø Others

Page 5

Benefits of Using Third Parties

• Speed to market: Third parties are specialists in their field, who typically have turn-key solutions to get your business up and running quickly.

• Control capital costs: Particularly on technology/cloud outsourcing agreements, significant capital costs can be avoided on hardware and software. These costs move to variable expenses instead.

• Reduce labor costs: Hiring and training staff for short-term or peripheral projects can be very expensive, and temporary employees don’t always live up to your expectations. Outsourcing lets you focus your human resources where you need them most.

• Focus on core business: Keep your limited resources focused on profitable, customer-centric work.

• “Level the playing field:” Through outsourcing, smaller organizations can enjoy many of the same economies of scale, efficiency, and expertise that large organizations enjoy.

• Reduce/mitigate risk: Markets, competition, regulations, and technology can all change rapidly. Third parties can help assume and manage some of this risk for you, and they generally are much better at deciding how to avoid risk in their areas of expertise.

However, YOU still own the risk!

Page 6

Risks of Using Third Parties

• Selecting the wrong vendor
• Unclear goals and objectives
• Not establishing baseline/metrics
• International/political climate
• Inadequate security controls / regulatory compliance
• Insufficient due diligence
• No flexibility built into agreements
• Poorly written RFPs/contracts
• Insufficient knowledge of vendor’s limitations (e.g., storage capacity, speed, scalability)
• Not involving the right internal resources in the selection process
• Making selection a personal – rather than business – decision

Page 7

Biggest Challenges Using Third Parties

• Writing/negotiating the contract
  o If you don’t have a good attorney, get one!
  o Terms can (and should) be negotiated/modified, even if on vendor’s “paper”
  o Don’t let the marketing department sign your contracts!
  o Define roles/responsibilities explicitly

• Define baseline/metrics
  o You won’t get what you can’t measure
  o Include provisions for when metrics are exceeded or underachieved (i.e., bonuses/penalties)

• Regulatory/legal concerns
  o You are still responsible for your own regulatory compliance
  o Make sure vendor can comply and provide proper reports/evidence

• Inadequate security controls
  o If there is a breach, your customers won’t go after your vendors…

• Insufficient due diligence
  o Similar to KYC (Know Your Customer) in banking… KYTP (Know Your Third Party)!

Page 8

Need For Third Party Risk Management

• Continuing trend for organizations to use more third parties and establish complex relationships to support and grow their business

• Complex vendor relationships bring additional risk
• Mismanaged third parties can negatively impact your company:
  o Business interruptions
  o Costs associated with non-compliance with regulations
  o Data breaches, information leakage or processing integrity issues
  o Loss of reputation

• Organizations must adopt a formalized process for managing risks associated with third-party relationships commensurate with the level of risk and complexity

Page 9

PROTECTING YOUR CONNECTED ASSET ECOSYSTEM

• The world for modern organizations is one of ongoing digital transformation in a Connected Asset Ecosystem of third parties, industrial technology and traditional IT networks and applications.

• All these assets are tied together with high connectivity and complex supply chain interdependencies.

• A typical Fortune 500 company can have over 100,000 external relationships.

Page 10

Taking a Holistic Approach

• TPRM requires a holistic Data, Analytics, People and Processes (DAPP) approach —combined with domain expertise and the ability to tie risks to actual business impacts and decisions.

• It’s the difference between tactical survival and strategic mastery in the organization as the entire landscape shifts around you.

Page 11

A Closer Look at the Holistic Approach

Need to consider the complete picture, including:
• Inherent Risk and business impact of vendor population
• Assessments:
  – Questionnaire/remote assessments
  – Onsite assessments
  – Contract reviews
• Continuous monitoring
• Remediation of findings related to assessments and continuous monitoring / vulnerabilities
• Intuitive, powerful dashboards for analyst, operations & executive-level reporting

Page 12

So… Why is TPRM Important?

Page 13

2019 Breaches Involving Third Parties

• Topps.com: baseball/sports card manufacturer
  o Magecart attacks against shopping cart vendor
  o Also impacted Ticketmaster, British Airways, NewEgg, others

• American Medical Collection Agency (AMCA)
  o Medical billing provider
  o Impacted Quest Diagnostics, LabCorp, BioReference Laboratories

• Wipro
  o Large IT service provider
  o Major breach initiated through phishing attacks on Wipro employees

• Evite
  o Typically viewed as a “low risk” service provider
  o Breach of personal and business information of up to 100 MILLION entities

• US Customs and Border Protection
  o Contractor breach led to photos of individuals, license plate numbers, and other information being leaked
  o Contractor allegedly was “in compliance” with FISMA security requirements

https://securityboulevard.com/2019/07/the-5-most-notable-third-party-data-breaches-of-2019-so-far/

Page 14

Risk Management Life Cycle

Page 15

Risk Management Life Cycle

[Slide diagram of the life cycle] *Source: Office of the Comptroller of the Currency (OCC)

Page 16

Risk Management Life Cycle Phases

An effective third party risk management process follows a continuous life cycle for all relationships and incorporates the following phases:

• Planning
• Due Diligence and Third Party Selection
• Contract Negotiation
• Ongoing Monitoring
• Termination

Page 17

Planning Phase

Prior to entering into a third-party relationship, management should develop its plan to manage the relationship commensurate with the respective risk and complexity of the service:
• Understand the risks inherent in the activity(ies) being sourced
• Outline strategic purposes and legal/compliance aspects of the relationship with the service provider(s)
• Assess the complexity of the arrangement, such as the volume of activity, use of subcontractors, technology needed, access to sensitive data, etc.
• Determine how the organization will select, assess, and oversee the third party, including monitoring the third party’s compliance with the contract.
• Consider contingency plans in the event the organization needs to transition the activity to another third party or bring it in-house.

Page 18

Due Diligence and Selection Phase: Business Risks

Due diligence must align with the level of risk/complexity of the relationship. Conduct extensive due diligence when the relationship involves critical activities and access to sensitive data. Steps in the process include:
• Conduct on-site visits
• Review third party’s overall business strategy and goals
• Consider strategic business arrangements (e.g., M&A, joint ventures, new product launches)
• Understand vendor’s ability to comply with applicable laws/regulations for your business
• Assess financial condition; review audited financial statements

Page 19

Due Diligence and Selection Phase: Risks and Controls

• Assess the vendor’s reputation in the industry
• Conduct reference checks. Use social media!
• Evaluate the depth of resources and experience providing the specific activity
• Ensure the third party performs background checks on key managers, employees, and subcontractors who will have access to your information
• Evaluate the effectiveness of the third party’s risk management program, including policies, processes, and internal controls
• Determine whether the third party’s internal audit function effectively tests and reports on the state of internal controls

Page 20

Due Diligence and Selection Phase: Technology Risks

• Review Service Organization Control (SOC) reports. Consider whether these reports contain sufficient information to assess the third party’s risk or whether additional scrutiny is required through an audit.

• Review information systems and infrastructure to identify gaps in service-level expectations, technology or interoperability issues

• Assess the ability to respond to service disruptions or degradations

• Review incident response and reporting procedures
• Evaluate subcontracted activities (i.e., “Fourth Parties”). If necessary, conduct similar due diligence on the third party’s critical subcontractors.

Page 21

Due Diligence and Selection Phase: Security Risks

• Information Security Policy
• Employee Practices
• Physical Security
• Network Infrastructure
• Logical Access
• Encryption
• Disaster Recovery and Backups
• Anti-virus and Intrusion Protection
• Security Log Monitoring and Retention

Page 22

Contract Negotiation Phase

Negotiate a contract that clearly specifies the rights and responsibilities of each party, and obtain necessary approvals prior to execution. Contracts should generally address:
• Nature and scope of the arrangement
• Terms governing the use of your organization’s information, facilities, personnel, systems, and equipment
• Performance measures, service level agreements (SLAs), and compliance with regulatory standards and privacy laws
• Requirement for the third party to provide and retain timely, accurate, and comprehensive records and reports that allow management to monitor performance, service levels, and risks

Page 23

Contract Negotiation Phase

• Include a Right to Audit clause, including ability to conduct onsite visits of third party and relevant subcontractors

• Specify types/frequency of audit reports expected to receive from the third party (e.g., financials, SOC 1/2/3 reports, security reviews)

• Indicate which records generated by the third party become your organization’s property -> very important for the Termination phase

• Include appropriate Nondisclosure Agreements (NDAs) to prohibit the third party and subcontractors from disclosing sensitive information

• Specify how third party will disclose, in a timely manner, security incidents or breaches that have resulted in unauthorized access or disclosure of your organization’s information

Page 24

Contract Negotiation Phase

• Consider including indemnification clauses for claims that cite failures of the third party

• Stipulate that the third party is required to maintain adequate insurance, including fidelity bond coverage, liability coverage, hazard insurance, and intellectual property insurance

• If third party is responsible for responding to customer complaints, establish SLAs to ensure that the third party responds appropriately/ timely, and forwards each complaint and response to your organization.

• Stipulate if, when, and how the third party may use subcontractors. Define activities that cannot be subcontracted, or if specific subcontractors are prohibited. Hold the third party liable for the actions of all subcontractors.

Page 25

Ongoing Monitoring Phase

Management should regularly assess existing third-party relationships, to determine viability, contractual compliance, and effective controls.
• Dedicate staff with necessary expertise and authority to oversee and monitor third parties (or outsource if necessary to meet bandwidth/headcount requirements!)

• Assign vendors to High/Med/Low Risk tiers. Vary frequency and depth of reviews for each tier. Consider onsite visits for high-risk vendors.

• Consider Continuous Monitoring for changes in cyber risk, business risk, reputational issues, change in ownership, etc.

• Monitoring outcomes will help drive decisions whether to continue/modify/terminate the relationship.

Page 26

DATA & ANALYTICS

[Slide diagram: Discovery (data sources) -> Assess (Fortress Platform) -> Transformation -> Presentation and Action]
• Data sources shown: Darkweb; Web and social; Domains and Subdomains; IP Addresses; Vulnerabilities; Weaknesses; Historical data
• Platform outputs shown: Score; Intelligence; Findings; Risk Scores and Rankings; Custom Reporting; Workflow Management; Remediation Recommendations

New & Effective Approaches to Old Monitoring Challenges

Page 27

Use Data to Identify Your Vendor Population

You need a holistic view of risk in your organization. Data will help.

• Start with your large population of vendors, for example 40,000
• Utilize a combination of automated data collection and analysis to reduce the number to the riskiest 10 percent (4,000)
• Sort by impact and dig even deeper for more intelligence on the top tier of vendors. Perform assessments only on those vendors with the greatest impact.
• Automation drives continuous monitoring activities, looking for signs of potential risk or vulnerability that might get missed in traditional vendor audits or self-reporting.

[Slide diagram]
1. VENDOR RISK RANK: determine vendor risk rating with data and analytics
2. APPLY DATA THRESHOLDS: determine required level of due diligence
3. SORT BY IMPACT: determine groupings of risk factors

“I have 10K (20K, 30K, 40K) vendors! How do I manage the chaos?”
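The three-step procedure on this slide (rank, threshold, sort by impact) and the High/Med/Low tiering with varying review depth from the Ongoing Monitoring slide (page 25), as an added Python example. It is not code from the deck or from any Fortress product: the scoring weights, the sensitive-data uplift, the impact threshold, the per-tier review plan and the ten-vendor population are all assumptions constructed for the example.

```python
"""Rank a vendor population, keep the riskiest slice, sort that slice by business
impact, and assign each vendor a review tier (High/Medium/Low) with a review plan."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vendor:
    name: str
    inherent_risk: float      # 0..1 from the planning-phase inherent-risk questionnaire
    external_signal: float    # 0..1 from automated collection (exposed services, leaks, etc.)
    business_impact: float    # 0..1 how badly an outage or breach at this vendor hurts us
    handles_sensitive_data: bool


# Hypothetical weighting for the example; a real program would calibrate these.
INHERENT_WEIGHT = 0.5
SIGNAL_WEIGHT = 0.5
SENSITIVE_DATA_UPLIFT = 0.2


def risk_score(v: Vendor) -> float:
    """Step 1: one number per vendor from questionnaire data plus external signals."""
    score = INHERENT_WEIGHT * v.inherent_risk + SIGNAL_WEIGHT * v.external_signal
    if v.handles_sensitive_data:
        score += SENSITIVE_DATA_UPLIFT
    return round(min(score, 1.0), 3)


def riskiest_percent(vendors, percent=10):
    """Step 2: keep only the top `percent` of the population by risk score (at least one)."""
    ranked = sorted(vendors, key=risk_score, reverse=True)
    keep = max(1, (len(ranked) * percent + 99) // 100)   # integer ceiling, no float surprises
    return ranked[:keep]


def tier_population(vendors, percent=10, high_impact=0.7):
    """Steps 2 and 3: threshold the population, then order the shortlist by business impact.

    Returns (tiers, assessment_queue): tiers maps vendor name -> "High"/"Medium"/"Low";
    the queue is the shortlist ordered by impact, i.e. who gets assessed first."""
    shortlist = sorted(riskiest_percent(vendors, percent),
                       key=lambda v: v.business_impact, reverse=True)
    tiers = {v.name: "Low" for v in vendors}          # everyone below the threshold
    for v in shortlist:
        tiers[v.name] = "High" if v.business_impact >= high_impact else "Medium"
    return tiers, [v.name for v in shortlist]


# Review depth per tier (assumed plan); depth and frequency vary by tier as the deck advises.
REVIEW_PLAN = {
    "High": "onsite assessment, contract review, continuous monitoring",
    "Medium": "questionnaire (SIG/SIG Lite) and SOC report review, continuous monitoring",
    "Low": "continuous monitoring only; re-tier if signals change",
}

# Constructed sample population for the example (not real vendors).
SAMPLE_VENDORS = [
    Vendor("PayrollCo", 0.9, 0.8, 0.90, True),
    Vendor("CloudHost", 0.8, 0.6, 0.95, True),
    Vendor("CardVendorA", 0.6, 0.9, 0.60, True),
    Vendor("InviteService", 0.3, 0.7, 0.20, False),
    Vendor("Janitorial", 0.1, 0.1, 0.10, False),
    Vendor("Landscaping", 0.1, 0.2, 0.05, False),
    Vendor("Printshop", 0.3, 0.3, 0.20, False),
    Vendor("BillingAgency", 0.8, 0.5, 0.80, True),
    Vendor("Staffing", 0.4, 0.4, 0.30, True),
    Vendor("OfficeSupplies", 0.2, 0.1, 0.10, False),
]

if __name__ == "__main__":
    # With ten vendors, percent=30 keeps three; the slide's 10 percent is the default.
    tiers, queue = tier_population(SAMPLE_VENDORS, percent=30)
    for name in queue:
        print(f"{name:15} {tiers[name]:6} -> {REVIEW_PLAN[tiers[name]]}")
    print("Low-tier vendors:", sorted(n for n, t in tiers.items() if t == "Low"))
```

Two points the slide leaves implicit are visible here: a vendor can be in the riskiest slice yet land in Medium because its business impact is low (CardVendorA), and the Low tier is not "no monitoring"; it is the tier whose only control is the automated signal feed that would promote it on the next run.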

Page 28

Termination Phase

Management should ensure that relationships terminate in an efficient manner, whether the activities are moved to another third party, brought in-house, or discontinued. This plan should cover:
• Amount of notice required (from either party).
• Resources and timeframe required to transition the activity while still managing legal, regulatory, customer, and other impacts.
• Risks associated with data retention and destruction, access control issues, or other concerns that require additional risk management after the end of the third-party relationship.
• Handling of any joint intellectual property developed during the course of the relationship.
• Reputation risks if the termination happens as a result of the third party’s inability to meet expectations.
• Ownership of data following termination of the relationship.

Page 29

Termination Phase – Other Thoughts

• Get the terms in writing during the Contract Negotiation phase! Once the relationship is terminated, there is very little incentive (short of a lawsuit) for a vendor to give you what you want/need.

• Data transfer: Ensure you’re going to get data returned to you in a format that will be compatible with your systems.

• Escrow agreements: Very important if a vendor has developed custom software for you. Source code is stored in a “vault” by an independent third party, and released to you in the event the vendor goes out of business.

Page 30

Performing Vendor Assessments

Page 31

Risk Assessment

• Assess vendor’s risk assessment program, maturity, and operating effectiveness

• Gives insight into management’s commitment to security and compliance, and ability to make risk-based decisions.

• Should include:
  o Risk scoping (i.e., “risk universe”)
  o Evaluation criteria
  o Risk scenarios
  o Controls to mitigate key risks

Page 32

Information Security Policy (ISP)

• Key document; describes management’s internal controls around security. Sets “tone at the top.”

• Typically includes Administrative Controls (e.g., policies, HR practices, data classification) as well as Technical Controls (e.g., network access, server patching, firewall controls, anti-virus/malware)

• ISP should be:
  o Reviewed regularly (at least annually)
  o Approved by senior management / BOD
  o Communicated to all personnel (parts that are applicable)

Page 33

Organizational Security

• Sufficient staff with appropriate security training and certifications

• (Additional) background checks for security staff based on type of services

• Adequate resources to support segregation of duties
• Roles/responsibilities defined (job descriptions)
• Adequate oversight over security functions

Page 34

Asset Management

• Formal classification structure for assets based on sensitivity/risk:
  o Hardware
  o Software
  o Data
  o Physical facilities/spaces

• Inventory management:
  o Ensure vendor knows what they have, and where it is
  o Forms basis for retiring assets that are no longer supported (which means they are not getting patched!)

Page 35

Human Resources Security

• Often part of the Information Security Policy
• Verify employee background checks are being conducted, as well as any additional screening based on security/risk (e.g., drug screening, psychological screening, polygraph)
• Review employee “acceptable use” and confidentiality agreements to ensure employees are informed of security responsibilities upon hire and annually thereafter
• Ensure security awareness training is conducted annually
• Review ethics / code of conduct training completion

Page 36

Physical and Environmental Security

• Perimeter/building access
• Video surveillance: check for retention of video/logs (90 days)
• Roving security forces
• Environmental controls:
  o Data center cooling/HVAC
  o Fire suppression
  o Uninterruptible Power Supply (UPS)
  o Generators
  o Monitoring/alarms

Page 37

Communications/Operations Management

• Data transmission/encryption (especially if third party is handling PII, PHI, etc.)
  o Look at standards employed (e.g., SSL vs TLS). Every version of SSL is deprecated, and TLS 1.0/1.1 are deprecated as well; expect TLS 1.2 or later, and ask how the vendor verified it.
• System operations (e.g., job scheduling, data backup)
• System hardening (e.g., patching, configuration)
• Security operations
• Log review and management
• Remote access (VPN) – is multi-factor authentication (MFA) required?

Page 38

Access Control

• Password requirements
• Identity management
  o Unique IDs for each individual; no “shared” IDs
  o Access based on “need to know” and user’s role
• Privileged access (i.e., administrators)
• Software developer access (DEV – TEST – PROD environments)
• Don’t forget about the DBAs!
• Segregation of duties
• Remote access: multi-factor authentication means at least two different factor types from:
  o Something you HAVE (token, smart card, cell phone)
  o Something you KNOW (password, PIN, security questions)
  o Something you ARE (fingerprint, retina scan)
  A username is an identifier, not a factor, and a password plus a security question is still a single factor (both are “know”).
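An added Python example, not from the deck, that applies the factor rule above to the credentials a vendor's remote-access login actually presents: the credential names and the category map are assumptions for illustration, and the point it makes is that two credentials from the same category, or an identifier, do not turn a login into MFA.

```python
"""Decide whether a set of presented credentials is really multi-factor.

MFA needs at least two *different* factor categories (have / know / are).
Two credentials from the same category, or an identifier such as a username,
do not add a factor."""

# Hypothetical credential names for the example, each mapped to its factor category.
FACTOR_CATEGORY = {
    "password": "know",
    "pin": "know",
    "security_question": "know",
    "hardware_token": "have",
    "smart_card": "have",
    "totp_app": "have",
    "sms_code": "have",        # possession, but the weakest "have" option (SIM swap, interception)
    "fingerprint": "are",
    "retina_scan": "are",
}

# Identifiers say who is claiming to log in; they prove nothing.
IDENTIFIERS = {"username", "email", "employee_id"}


def factor_categories(presented):
    """Return the distinct factor categories covered by the presented credentials."""
    categories = set()
    for cred in presented:
        if cred in IDENTIFIERS:
            continue                                   # identifier, not a factor
        if cred not in FACTOR_CATEGORY:
            raise ValueError(f"unknown credential type: {cred}")
        categories.add(FACTOR_CATEGORY[cred])
    return categories


def is_multi_factor(presented):
    """True only if the login spans at least two different factor categories."""
    return len(factor_categories(presented)) >= 2


def vpn_policy_check(presented):
    """One-line verdict for a vendor's remote-access login, as an assessor would record it."""
    cats = factor_categories(presented)
    if len(cats) >= 2:
        return "MFA: yes (" + ", ".join(sorted(cats)) + ")"
    return "MFA: no (single factor: " + (", ".join(sorted(cats)) or "none") + ")"


if __name__ == "__main__":
    for login in (["username", "password", "security_question"],   # looks like two things, is one factor
                  ["username", "password", "totp_app"],
                  ["smart_card", "pin"],
                  ["username"]):
        print(login, "->", vpn_policy_check(login))
```

When a vendor answers "yes" to the MFA question, ask which categories the second factor comes from; a questionnaire answer of "password plus security questions" should be recorded as the first case above, not as MFA.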

Page 39

Systems Acquisition, Development & Maintenance

• Application development (SDLC)
• Patch management
  o Servers
  o Applications
  o Middleware
  o Infrastructure
• Vulnerability scanning
• Penetration testing
• Secure website development (OWASP “Top Ten”)
  o Cross-site scripting
  o SQL injection
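For the two OWASP items named above, an added Python example (not code from the deck or from any vendor) that puts the vulnerable and the hardened form of each side by side and runs both against an in-memory SQLite table; the table, its rows and the two payloads are constructed for the example. This is the kind of evidence an assessor can ask a vendor's application security group to show from their own code review or pentest findings.

```python
"""Vulnerable vs hardened forms of two OWASP Top Ten items:
SQL injection (string-built query vs bound parameter) and cross-site scripting
(raw interpolation into HTML vs escaped output). Runs offline on SQLite."""
import html
import sqlite3


def build_db():
    """Constructed sample table for the example; not real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)",
                     [("alice", "alice@example.com"),
                      ("bob", "bob@example.com"),
                      ("carol", "carol@example.com")])
    return conn


def lookup_unsafe(conn, name):
    """VULNERABLE: untrusted input spliced into the SQL text, so a quote in `name` rewrites the query."""
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """HARDENED: bound parameter; the driver passes `name` as data, never as SQL."""
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


def render_unsafe(display_name):
    """VULNERABLE: user-controlled text dropped straight into HTML."""
    return f"<p>Welcome, {display_name}</p>"


def render_safe(display_name):
    """HARDENED: escape on output so markup in the input is displayed, not executed."""
    return f"<p>Welcome, {html.escape(display_name, quote=True)}</p>"


SQLI_PAYLOAD = "x' OR '1'='1"                         # tautology: the WHERE clause matches every row
XSS_PAYLOAD = "<script>alert(document.cookie)</script>"


def demo():
    """Return the four results side by side so they can be compared (and tested)."""
    conn = build_db()
    return {
        "sqli_unsafe_rows": len(lookup_unsafe(conn, SQLI_PAYLOAD)),   # whole table leaks
        "sqli_safe_rows": len(lookup_safe(conn, SQLI_PAYLOAD)),       # no such user
        "xss_unsafe": render_unsafe(XSS_PAYLOAD),                     # script tag survives
        "xss_safe": render_safe(XSS_PAYLOAD),                         # &lt;script&gt; only
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The fix in both cases is the same shape: keep data and code apart at the boundary (parameter binding for SQL, output encoding for HTML) rather than trying to filter the payloads, which is what a vendor's secure coding standard should say.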

Page 40

Incident Response

• Look at third party’s incident response plan for how they handle:
  o Unauthorized access to systems/applications/data
  o Active network/system attacks
  o Degradation/loss of service (i.e., outage)
  o Detection/response to data breach event

• Know who at the vendor is responsible for notifying YOU if your data is breached, and how quickly they must notify

• Define who is going to notify your customers – the vendor or you?

Page 41

Business Continuity / Disaster Recovery

• Trend toward “Business Resiliency”
• Plan should cover likely scenarios, and how the vendor will handle them
• Should be tested annually:
  o Walk-throughs / “table-top” exercises
  o Partial system transfers
  o Full system transfers (e.g., mass casualty drill)
• Results from tests should feed back into revisions to plan
• Includes People, Process, and Technology (all three!)
• Know where backup/alternate sites are!

Page 42

Compliance

• Third party should have internal audit, risk management, and/or compliance function in place

• Audits should be performed to ensure compliance with:
  o Corporate requirements
  o Legal requirements
  o Regulatory requirements

• Ensure vendor can comply with your specific regulatory requirements, and provide reporting to prove it

Page 43

Mobile Technology

• Mobile policies should be in place to define:
  o Device/data ownership (e.g., BYOD)
  o Actions to take when devices are lost/stolen
  o Permitted mobile applications
  o Connections to corporate network
  o Access to YOUR data

• Mobile Device Management (MDM) in place:
  o Remote wipe capability
  o Password/passcode enforcement
  o Mobile device encryption

Page 44

Privacy

• Assess third party’s privacy program, particularly when handling your customers’ PII/PHI/CHD/TLA:
  o Data collection and handling
  o Sharing of data with other parties
  o Transferring/encryption
  o Storage
  o Retention
  o Destruction
  o Breach notification

• Extremely important to know if/where data crosses international borders (e.g., GDPR implications)

Page 45

Software Application Security

• Assess third party’s process for developing software in a secure environment, including:
  o Code review
  o Application penetration testing
  o Secure coding standards
  o Use of “dummy” or scrambled data in development/test environments
  o Group dedicated to software security (separate from developers)


HOLISTIC VIEW OF TPRM // 46

Cloud Security – Service Models

• Infrastructure as a Service (IaaS)
  o Service provider owns the hardware, storage, wiring, data connections, etc., but not the applications
  o Classic data center hosting
• Platform as a Service (PaaS)
  o Service provider provides the infrastructure as well as a development platform (i.e., language and tools)
  o AWS Elastic Beanstalk, Google App Engine, Microsoft Azure
• Software as a Service (SaaS)
  o Application (with underlying infrastructure) delivered via web browser; basically network- and device-independent
  o Office 365, Salesforce.com, Oracle OnDemand


HOLISTIC VIEW OF TPRM // 47

Cloud Security – Deployment Models

• Private Cloud
  o Infrastructure managed and operated exclusively for one company, for a consistent level of security/privacy/governance
• Community Cloud
  o Infrastructure managed and operated for multiple organizations with similar requirements
• Public Cloud
  o Resources dynamically provisioned on a self-service basis, and billed based on a granular utility computing model. Available to the general public or a large industry group
• Hybrid Cloud
  o Combination of multiple clouds (private, community, and/or public). Very common


HOLISTIC VIEW OF TPRM // 48

Cloud Security – Considerations

• As with other service providers, you need to understand who is responsible for which aspects of the system (the provider’s shared responsibility model); the split differs between IaaS, PaaS and SaaS
• Private cloud is typically considered more “secure” than public cloud, mainly because it can be configured to a specific organization’s needs. In practice the security of either depends on how it is configured and operated, so verify the controls rather than assume them from the deployment model
• Where possible, request (require) an independent audit/attestation report:
  o SOC 1, 2, 3
  o HIPAA / HITRUST
  o Payment Card Industry (PCI) Attestation of Compliance (AOC)


HOLISTIC VIEW OF TPRM // 49

Bringing it all Home


HOLISTIC VIEW OF TPRM // 50

Remediation Activities

• Once findings are identified, present them to the Third Party and to business leadership
• Obtain agreement on course(s) of action to remediate the issues, along with timing/milestones
• Enforce the timing to close the loop, and retest
• “Accept the Risk” is an option, however:
  o Make sure the business really understands what this means
  o Reserve it as a last resort -> always press to get the vendor to remediate first… even if it’s only a partial remediation
  o Get the business to implement compensating controls where possible to help close the gap


HOLISTIC VIEW OF TPRM // 51

Starting the Cycle Over

• Have a plan for how often you will assess each vendor
  o Some may be an annual review
  o Others may be never (but do continuous monitoring (CM) instead!)
  o Make sure you are meeting your own corporate and regulatory guidelines
• Let Continuous Monitoring help guide timing
  o If results indicate a problem, start the cycle earlier if necessary
• Certain events could/should automatically trigger assessments
  o Breach (known or suspected)
  o Change in ownership
  o Other significant events


HOLISTIC VIEW OF TPRM // 52

Ongoing Monitoring Phase – Sample Review Scheme

                                High Risk                   Med Risk                                       Low Risk
Characteristics                 > $1M contract;             $100K - $1M contract;                          < $100K contract;
                                Sensitive PII/CC            Non-sensitive PII                              No PII
Review Frequency                Annually                    Every 2 years                                  Every 3 years
Type of Review                  Onsite                      Alternate between onsite/offsite               Offsite
Who Performs Review             External assessment firm    Mixture, depending on criticality of service   In-house TPRM review team
Require Assessment Report       Yes                         Depends on type of service                     No
(e.g., SOC 1 or SOC 2 Type II)
Continuous Monitoring           Yes                         Yes                                            Yes
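The review scheme above, together with the cycle-restart rules on the preceding slide (continuous monitoring results and trigger events such as a breach or a change in ownership), can be expressed as a small scheduler that tells you which vendors need an assessment started now and what kind. The following Python is an added example and is not code from the presentation or from Fortress. The tier thresholds, cadences, review types and performers are taken from the sample scheme; the rule that a vendor takes the higher of its contract-value tier and its data-sensitivity tier, the 90-day window for starting a scheduled review early, the trigger-event names and the sample vendor inventory are assumptions made here for illustration.

```python
"""Vendor review scheduler built from the sample review scheme (added example).

Tier thresholds, cadences, review types and performers follow the slide above.
Assumptions made here for illustration: a vendor takes the HIGHER of its
contract-value tier and its data-sensitivity tier; a scheduled review may start
up to 90 days before it is due; trigger events are named as below; the sample
vendors are constructed, not real.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import IntEnum


class Tier(IntEnum):
    LOW = 1
    MED = 2
    HIGH = 3


CADENCE_YEARS = {Tier.HIGH: 1, Tier.MED: 2, Tier.LOW: 3}
PERFORMED_BY = {
    Tier.HIGH: "external assessment firm",
    Tier.MED: "mixture, depending on criticality of service",
    Tier.LOW: "in-house TPRM review team",
}
REPORT_REQUIRED = {Tier.HIGH: "yes", Tier.MED: "depends on type of service", Tier.LOW: "no"}
DATA_TIER = {"sensitive_pii": Tier.HIGH, "nonsensitive_pii": Tier.MED, "none": Tier.LOW}

# Events that restart the assessment cycle regardless of schedule (assumed names).
TRIGGER_EVENTS = {"breach", "suspected_breach", "change_in_ownership"}
EARLY_WINDOW = timedelta(days=90)  # assumption: a scheduled review may start 90 days early
PRESENTATION_DATE = date(2019, 11, 4)


@dataclass
class Vendor:
    name: str
    annual_contract_usd: int
    data_class: str                 # key of DATA_TIER
    last_assessment: date
    onsite_count: int = 0           # prior onsite reviews; MED tier alternates onsite/offsite
    events: set[str] = field(default_factory=set)
    cm_alerts: int = 0              # continuous-monitoring findings since the last review


def tier_for(v: Vendor) -> Tier:
    """Derive the risk tier from contract value and data sensitivity; the higher wins."""
    if v.annual_contract_usd > 1_000_000:
        value_tier = Tier.HIGH
    elif v.annual_contract_usd >= 100_000:
        value_tier = Tier.MED
    else:
        value_tier = Tier.LOW
    return max(value_tier, DATA_TIER[v.data_class])


def next_review_due(v: Vendor) -> date:
    """Last assessment date plus the tier's cadence in years (29 Feb rolls to 28 Feb)."""
    years = CADENCE_YEARS[tier_for(v)]
    try:
        return v.last_assessment.replace(year=v.last_assessment.year + years)
    except ValueError:
        return v.last_assessment.replace(year=v.last_assessment.year + years, day=28)


def review_type(v: Vendor) -> str:
    """Onsite for HIGH, offsite for LOW, alternating (starting onsite) for MED."""
    t = tier_for(v)
    if t == Tier.MED:
        return "offsite" if v.onsite_count % 2 else "onsite"
    return "onsite" if t == Tier.HIGH else "offsite"


def needs_review(v: Vendor, today: date) -> tuple[bool, str]:
    """Decide whether to start the cycle now: trigger events beat CM alerts, which beat the calendar."""
    triggered = v.events & TRIGGER_EVENTS
    if triggered:
        return True, f"trigger event: {sorted(triggered)[0]}"
    if v.cm_alerts > 0:
        return True, f"continuous monitoring raised {v.cm_alerts} finding(s)"
    due = next_review_due(v)
    if today >= due - EARLY_WINDOW:
        return True, f"scheduled review due {due.isoformat()}"
    return False, f"next review due {due.isoformat()}"


def plan_review(v: Vendor, today: date) -> dict:
    """One row of the review plan, mirroring the columns of the sample scheme."""
    t = tier_for(v)
    start, reason = needs_review(v, today)
    return {
        "vendor": v.name,
        "tier": t.name,
        "start_now": start,
        "reason": reason,
        "review_type": review_type(v),
        "performed_by": PERFORMED_BY[t],
        "assessment_report_required": REPORT_REQUIRED[t],
        "continuous_monitoring": True,  # every tier stays under continuous monitoring
    }


# Constructed sample inventory (not real vendors).
SAMPLE_VENDORS = [
    Vendor("PayrollCo", 2_500_000, "sensitive_pii", date(2018, 10, 1)),
    Vendor("Marketing Analytics", 250_000, "nonsensitive_pii", date(2018, 6, 15), onsite_count=1),
    Vendor("Office Supplies", 40_000, "none", date(2017, 3, 1), cm_alerts=2),
    Vendor("Small SaaS", 60_000, "sensitive_pii", date(2019, 5, 1), events={"change_in_ownership"}),
]

if __name__ == "__main__":
    for vendor in SAMPLE_VENDORS:
        print(plan_review(vendor, PRESENTATION_DATE))
```

Note that the low-value "Small SaaS" vendor lands in the High tier because it holds sensitive PII, and its change of ownership starts a review immediately even though its last assessment was recent; the Low-tier office supplies vendor is pulled forward by continuous-monitoring findings rather than by the three-year calendar.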


HOLISTIC VIEW OF TPRM // 53

Reporting Example


HOLISTIC VIEW OF TPRM // 54

Documentation and Reporting

Standards


HOLISTIC VIEW OF TPRM // 55

AICPA Service Organization Control (SOC) Reports

• SOC 1: Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting

• SOC 2: Report on Controls at a Service Organization that focuses on one or more of the following Trust Services Principles: Security, Availability, Processing Integrity, Confidentiality and/or Privacy. Restricted use report.

• SOC 3: Trust Services Report similar in scope to the SOC 2, but the report does not contain a description of the auditor’s tests and results. General use report; can be freely distributed or posted on a website.


HOLISTIC VIEW OF TPRM // 56

SOC Report Terminology

• Service Organization (Third Party Provider): Entity that provides services that are part of a user organization's information system:
  ✓ Data Centers
  ✓ Transaction/Claims Processing Centers
  ✓ Application Service Providers
  ✓ Bank Processing Centers
  ✓ Database Administration Services
  ✓ Payroll Processors
• User Organization: Clients who have outsourced one or more business processes to the service organization


HOLISTIC VIEW OF TPRM // 57

SOC Report Terminology (cont.)

• Service Auditor: The auditor who reports on controls of a service organization that may be relevant to a user organization's internal control as it relates to an audit of financial statements. The Service Auditor issues an opinion on a service organization's description of the system.

• User Auditor: The auditor who reports on the financial statements of the user organization

• Report on Controls Placed in Operation and Tests of Operating Effectiveness: A service auditor's report on a service organization's description of its controls that may be relevant to a user organization's internal control as it relates to an audit of financial statements


HOLISTIC VIEW OF TPRM // 58

Type I and II Reports (SOC 1 and SOC 2 only)

• Type I
  ✓ Reports on controls placed in operation (as of a point in time)
  ✓ Looks at the design and implementation of controls only; used for informational purposes
  ✓ Often performed only in the 1st year a client has a SOC report done
• Type II
  ✓ Reports on the design, implementation and operating effectiveness over a period of time (generally not less than six months)
  ✓ Includes tests of operating effectiveness and results
  ✓ More comprehensive
  ✓ More emphasis on evidential matter


HOLISTIC VIEW OF TPRM // 59

SOC 2: Trust Services Principles & Criteria

The five Trust Services Principles of a system are defined as follows:
• Criteria Common to All Principles [Security, Availability, Processing Integrity, and Confidentiality]
• Security - The system is protected against unauthorized access (both physical and logical).
• Availability - The system is available for operation and use as committed or agreed.
• Processing Integrity - System processing is complete, accurate, timely, and authorized.
• Confidentiality - Information designated as confidential is protected as committed or agreed.
• Privacy - Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in Generally Accepted Privacy Principles (GAPP).


HOLISTIC VIEW OF TPRM // 60

Security versus Privacy

• These terms are often confused!
• Security relates to the authorization of transactions and protection of the integrity of those transactions throughout the system, and also to protecting personal and other information from unauthorized use or disclosure from the time it is collected until the time it is disposed of. [CIA Triad]
• Security may also relate to the protection of the system from interruptions in processing availability.
• Privacy encompasses a much broader set of activities beyond security that contribute to the effectiveness of a privacy program, including, for example, providing users with the following:
  o Notice of the service organization’s privacy commitments and practices
  o Choice regarding the use and disclosure of their personal information (PII)
  o Access to their personal information for review and update
  o An inquiry, complaint, and dispute resolution process


HOLISTIC VIEW OF TPRM // 61

SOC Reports: Things I’m Looking For

• Report period needs to be current (duh…)
• Service description needs to include the scope of services being provided for the client
• Report needs to be for the Third Party, not for the Fourth Party!
• Auditor’s opinion: Unqualified, Qualified, Adverse
• Testing exceptions and management’s comments regarding remediation
• Management Assertion: look for anything out of the ordinary
• Complementary User Entity Controls (CUECs) / Client Control Considerations: make sure the client is aware of and performing these controls
• Other Information Provided by the Service Organization: read to understand key events, upcoming changes not reflected in the report, and responses to testing exceptions


HOLISTIC VIEW OF TPRM // 62

Standard Information Gathering (SIG) Questionnaire

• Created and licensed by Shared Assessments (Santa Fe Group)

• Intended to simplify and speed up the process of gathering information to assess the controls used by your vendor to protect your company’s data, comply with the terms of your agreement, and to provide an operationally stable, protected and recoverable service.

• Can be customized and scoped to fit the service being provided

• Addresses the main sections covered earlier under “Conducting Vendor Assessments”


HOLISTIC VIEW OF TPRM // 63

SIG (continued)

• Based on referenced industry standards (FFIEC, ISO, COBIT and PCI)

• Uses a “Trust but Verify” model:
  o SIG = “Trust.” Allow vendors to attest to questions without actually assessing the controls in place
  o Assessment = “Verify.” Select key controls/risks to request additional information, perform audits, etc.
  o May also augment with onsite assessment, contract review, continuous monitoring and data analysis
• SIG Lite: Stripped-down version of the SIG, for lower-risk vendors. The SIG now allows you to scope entire sections in/out easily.


HOLISTIC VIEW OF TPRM // 64

Other Reporting Standards

• PCI (Payment Card Industry)
  o If the service provider is handling credit card transactions on your behalf, you should request a copy of the vendor’s Attestation of Compliance (AOC)
• Cloud Security Alliance (CSA)
  o Questionnaire (the Consensus Assessments Initiative Questionnaire, CAIQ) to dig deeper into cloud service providers
• Internal Audit
  o Work with the Internal Audit department (or an external audit firm) to perform specific reviews of vendor controls under the Right to Audit clause
• Internally-Generated Questionnaires
  o If you are running an enterprise risk platform (e.g., Archer), you may have the ability to generate your own questionnaires based on the risks identified within the platform


HOLISTIC VIEW OF TPRM // 65

Summary: Third Party Risk Management

• Need for Third Party Risk Management
  o Benefits, risks, challenges of using third parties
• Risk Management Life Cycle
  o Due diligence
  o Contract negotiation
  o Ongoing monitoring
  o Termination of contract
• Conducting Vendor Assessments (SIG)
• Documentation and Reporting Standards
  o Service Organization Control (SOC) Reports
  o SIG / SIG Lite
  o PCI, Internal Audit, Internally-Generated Questionnaires


Questions?

STEVE EARLEY
Vice President, Third Party Risk Operations
Fortress Information Security
Direct 614.204.9166 • Main 855.367.8737
189 S. Orange Ave., Suite 1950, Orlando, FL
[email protected]