IIA Chicago Chapter 53rd Annual Seminar, April 15, 2013, Donald E. Stephens Convention Center
@IIAChicago
#IIACHI
CONCERNED ABOUT VENDOR MANAGEMENT?
Understanding third-party risk for technology companies
Michael Allen
Information Security Officer
Morningstar, Inc.
Vincent Concialdi
Managing Director
Grant Thornton LLP
About Morningstar, Inc.
Morningstar, Inc. is a leading provider of independent investment research in North
America, Europe, Australia, and Asia. Our mission is to create great products that
help investors reach their financial goals. We offer an extensive line of products and
services for individual investors, professional financial advisors, and institutional
clients.
Morningstar is a trusted source for insightful information on stocks, mutual funds,
variable annuities, closed-end funds, exchange-traded funds, hedge funds, separate
accounts, and 529 college savings plans.
LEARNING OBJECTIVES
• Examine the roles and responsibilities of risk management in finance, legal, procurement and business operations areas
• Identify a framework for assessing third-party risk
• Understand tools that can be used to provide comfort that proper controls are in place
DEFINING THIRD PARTIES
• Businesses that are not under the direct business control of the organization that engages them
• Third parties may include:
– Vendors
– Distributors
– Suppliers
– Franchisees/licensees
– Joint venture or alliance partners
– Technology outsourcing providers
REAL RISK, REAL IMPACT
• Huawei Threat: Real or Overblown?
• Hacktivists target U.S. banks in DDoS attacks
• Amazon EC2 service goes offline affecting thousands of websites
• 1.5M credit cards stolen in Global Payments breach
WHY IS THIRD PARTY RISK IMPORTANT?
Risk categories:
• Compliance
• Reputational
• Financial
• Strategic
• Regulatory / Contractual
• Operational
SECTORS WITH HIGHER RISK
Technology providers
• Data centers
• Companies hosting IT applications
• Third party logistics companies
• Cloud or Software as a Service providers
• Telecom providers
• Any outsourcing company that manages information on behalf of others
Relevant industries
• Government
• Health care
• Banking
• Investment/fund managers
• Payroll management companies
• Financial Services
RESPONSIBILITY FOR THIRD PARTY RISK MANAGEMENT
Functions involved in the Vendor Oversight Function:
• Internal audit
• Finance
• Legal
• Business operations / IT
• Compliance
• Procurement
WHERE DO YOU BEGIN: PROJECT OBJECTIVE
• Risk Assessment & Appeals Processes
– Customized the vendor due diligence process depending on the company's specific risks
– Rule-based point values assigned
– Cumulative score will dictate level of additional investigation if required
FACTORS TO CONSIDER WHEN ASSESSING RISK
Risk domain – Assessment factors
Strategic
• Level of importance of vendor to corporate operations
Reputational
• Magnitude of potential loss if there are problems with the vendor relationship
Regulatory
• Level of vendor oversight/monitoring
• Reporting required by outside regulatory body
Operational
• Type of vendor – nature of products/services provided
• Frequency of communication with vendor
Financial
• Magnitude of potential direct damages associated with a data breach
Compliance
• Safeguards or controls designed to ensure compliance with relevant regulations and contract obligations
• Availability of audit reports or existence of "right to audit" clause
EXAMPLE OF HOW TO DEFINE THE RISK UNIVERSE
Attributes recorded per vendor: Vendor name; Vendor type; Nature of service being provided; Contractual details; Geographical/global consideration; Applicable regulatory requirements (e.g., HIPAA, FCPA); Primary relationship owner within organization (e.g., IT, finance, marketing); Provides an audit report such as SOC 1; Right to audit clause

Vendor name: Payment Card Gateway
  Vendor type: Credit card service provider
  Nature of service: Credit card processor
  Contractual details: Three-year agreement
  Geographical/global consideration: Credit card data processed in small town USA
  Applicable regulatory requirements: PCI-DSS
  Primary relationship owner: Bob, Subscription Management
  Provides an audit report: Yes, SOC 2 and PCI ROC
  Right to audit clause: No

Vendor name: HR System
  Vendor type: HR system provider
  Nature of service: HR support portal
  Contractual details: One-year auto-renewing contract
  Geographical/global consideration: Global workforce
  Applicable regulatory requirements: Privacy laws, Safe Harbor
  Primary relationship owner: Larry, Human Resource Director
  Provides an audit report: No, Shared Assessment (BITS) only
  Right to audit clause: Yes

Vendor name: Quick Print
  Vendor type: Printing/service provider
  Nature of service: Prints/mails statements and marketing materials
  Contractual details: Five-year agreement, approved by Legal department
  Geographical/global consideration: Big City
  Applicable regulatory requirements: N/A
  Primary relationship owner: Sally, Business Unit
  Provides an audit report: Yes, SOC 2
  Right to audit clause: Yes
WEIGHTING RISK FACTORS
Conduct Risk Assessment, drawing on:
• Business Requirements
• On-Site Review
• Vulnerability Assessment Reports
• Shared Assessment / BITS questionnaire
• SOC Reports
• Security Policy Review
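A rule-based point scheme of the kind the project objective slide describes, where a cumulative score decides the depth of due diligence, as an added example that is not the presenters' own scheme: the rules, point values and tier thresholds are constructed assumptions, the vendor records mirror the risk universe rows above, and the tiers draw on the assessment inputs listed on this slide.

```python
"""Rule-based vendor due diligence scoring as the slides describe: points per
risk factor, cumulative score deciding how much further investigation to do.
Added example; rules, point values and tier thresholds are constructed
assumptions, and the vendor records mirror the risk universe rows."""
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Vendor:
    name: str
    regulations: List[str] = field(default_factory=list)  # e.g. ["PCI-DSS"]
    sensitive_data: bool = False        # handles customer/employee data
    global_footprint: bool = False      # cross-border data or workforce
    audit_report: Optional[str] = None  # "SOC 2", "PCI ROC", ...; None if none
    right_to_audit: bool = False
    auto_renewing: bool = False

# (rule name, predicate, points added when it fires): constructed values
RULES = [
    ("handles sensitive data",      lambda v: v.sensitive_data,        30),
    ("subject to regulation",       lambda v: bool(v.regulations),     20),
    ("global / cross-border",       lambda v: v.global_footprint,      15),
    ("no independent audit report", lambda v: v.audit_report is None,  25),
    ("no right-to-audit clause",    lambda v: not v.right_to_audit,    20),
    ("auto-renewing contract",      lambda v: v.auto_renewing,         10),
]

def score_vendor(v):
    """Sum the points of every rule that fires; return (total, fired rule names)."""
    fired = [(name, pts) for name, test, pts in RULES if test(v)]
    return sum(p for _, p in fired), [n for n, _ in fired]

def investigation_level(total):
    """Map the cumulative score to assessment inputs from the slides (thresholds assumed)."""
    if total >= 70:
        return "On-site review + vulnerability assessment + SOC report review"
    if total >= 30:
        return "SOC report / Shared Assessment (BITS) questionnaire review"
    return "Security policy review only"

# Vendor records mirroring the slide's risk universe; sensitivity flags assumed
VENDORS = [
    Vendor("Payment Card Gateway", ["PCI-DSS"], sensitive_data=True,
           audit_report="SOC 2 + PCI ROC"),
    Vendor("HR System", ["Privacy laws", "Safe Harbor"], sensitive_data=True,
           global_footprint=True, right_to_audit=True, auto_renewing=True),
    Vendor("Quick Print", sensitive_data=True, audit_report="SOC 2",
           right_to_audit=True),
]
```

Calling `score_vendor` on each entry of `VENDORS` and passing the total to `investigation_level` yields the tier; the fired rule names give the auditor the reasons to record alongside the score.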
WEIGHTING RISK FACTORS
Source: NIST SP 800-30
• Identify Threat Sources
• Identify Vulnerabilities
• Quantify Likelihood and Impact
• Determine Residual Risk
• Examine Compensating Controls (if any)
WEIGHTING RISK IMPACT SCALE
Impact Scale
3 – High Impact
• Financial: Severe and unrecoverable financial loss
• Reputation: Global, long-term impact to brand. Negative press expected
• Regulatory: Serious regulatory violation that will result in fines
2 – Medium Impact
• Financial: Costly loss (can be recovered from)
• Reputation: Serious short-term or moderate long-term impact to brand
• Regulatory: Potential regulatory violation that may result in fines. Compensating controls possible.
1 – Low Impact
• Financial: Insignificant financial loss, fully recoverable
• Reputation: Limited, short-term inconvenience. Little to no negative press
• Regulatory: No regulatory violation
WEIGHTING RISK FACTORS
Source: NIST SP 800-30

Likelihood \ Impact     1 - Low (10)     2 - Medium (50)    3 - High (100)
3 - High (1.0)          10 x 1.0 = 10    50 x 1.0 = 50      100 x 1.0 = 100
2 - Possible (0.5)      10 x 0.5 = 5     50 x 0.5 = 25      100 x 0.5 = 50
1 - Unlikely (0.1)      10 x 0.1 = 1     50 x 0.1 = 5       100 x 0.1 = 10

Risk Scale: High (>50 to 100); Medium (>10 to 50); Low (1 to 10)
WEIGHTING RISK FACTORS
Source: NIST SP 800-30
Information Security – Risk Assessment
Threat Source: Unauthorized users, hackers, criminals, terminated / disgruntled employees
Vulnerability: Sensitive production data is copied into QA environments for test purposes and is accessible by development and QA personnel
Compensating Controls: None
Likelihood Rating: 2 – Possible
Impact Rating: 3 – High
Residual Risk: HIGH (50)
Recommendation: Scrub all sensitive data prior to it being placed in a non-production environment
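The scoring the two slides above walk through (impact value times likelihood weight, then the risk scale), as an added example that is not from the presentation; the sample findings are constructed (the first reproduces the slide's QA-data case), and because the scale as printed makes exactly 50 the top of Medium while the slide labels its 50 HIGH, the code states its boundary convention explicitly.

```python
"""Likelihood x impact risk scoring as on the NIST SP 800-30 based slides.
Added example, not from the presentation: impact values (10/50/100),
likelihood weights (1.0/0.5/0.1) and the risk scale come from the slides;
the sample findings are constructed."""
from dataclasses import dataclass

IMPACT_VALUE = {1: 10, 2: 50, 3: 100}         # 1 Low, 2 Medium, 3 High
LIKELIHOOD_WEIGHT = {1: 0.1, 2: 0.5, 3: 1.0}  # 1 Unlikely, 2 Possible, 3 High

def risk_score(likelihood, impact):
    """Impact value times likelihood weight, e.g. High x Possible = 100 x 0.5 = 50."""
    return IMPACT_VALUE[impact] * LIKELIHOOD_WEIGHT[likelihood]

def risk_level(score):
    """Slide scale: High (>50 to 100), Medium (>10 to 50), Low (1 to 10).
    Read literally the intervals are open at the bottom, so exactly 50 is Medium;
    the slide's worked example calls 50 HIGH, so the convention is fixed here."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"

@dataclass
class Finding:
    vulnerability: str
    likelihood: int   # 1..3
    impact: int       # 1..3

def assess(findings):
    """Return (vulnerability, score, level) per finding, highest score first,
    so remediation deadlines go to the worst items first."""
    rows = []
    for f in findings:
        score = risk_score(f.likelihood, f.impact)
        rows.append((f.vulnerability, score, risk_level(score)))
    return sorted(rows, key=lambda r: r[1], reverse=True)

# Constructed sample findings; the first mirrors the slide's example
SAMPLE_FINDINGS = [
    Finding("Sensitive production data copied into QA, readable by dev/QA staff", 2, 3),
    Finding("Vendor contract has no right-to-audit clause", 2, 2),
    Finding("Printing vendor's SOC 2 report period ended 14 months ago", 1, 2),
]

if __name__ == "__main__":
    for vuln, score, level in assess(SAMPLE_FINDINGS):
        print(f"{level:<6} {score:5.1f}  {vuln}")
```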
WEIGHTING RISK SIGN-OFF PROCESS
Signature of Business Owner
I accept the risks identified in this assessment and understand that the acceptance of these risks may pose a significant security risk to my application, the company and/or our customers.
Signature: Title: Date:
Set Remediation Deadline and Follow Up With Owner!
RISK MITIGATION TECHNIQUES
• Transaction monitoring
• Increased data analysis and reporting
• Contract renegotiation
• Independent reviews
• Audits
• Site visits
• Questionnaire
AUDIT OPTIONS
USE OF ATTESTATION REPORTS
SOC 1
• Provides a vehicle for reporting on a service organization's system of internal control relevant to a user organization's internal control over financial reporting.
• Intended as auditor-to-auditor communication, with specific content dependent on the service organization's system.
SOC 2
• Addresses controls pertinent to the Trust Services Principles of security, availability, processing integrity, confidentiality and privacy.
• Includes many of the same elements as a SOC 1 report.
• Principles and criteria developed by the AICPA and the Canadian Institute of Chartered Accountants.
AT 101
• Allows service organizations to provide user organizations and other stakeholders with a tailored report on controls that are relevant to the services.
• Highly flexible and can be leveraged for multiple industry standards (e.g., NIST, ISO).
A FEW THINGS TO NOTE ABOUT SOC REPORTS
Consider the following when reviewing a SOC report:
• Time period covered
• Handling of subservice providers (carve-out vs. inclusive)
• In-scope and out-of-scope locations
• Construction of control objective and control activities
• Sampling and testing methodology
• Exceptions noted and management response
ADDING VALUE: CASE STUDY
Scenario
• A software as a service (SaaS) provider adds value to its customers by performing analytics on data received
from its customers. To make the analytics operations effective, customers are required to exchange sensitive
information with the SaaS provider.
Issue:
• In order for the customers to feel comfortable exchanging sensitive information with the SaaS provider,
transparency into the confidentiality and security controls the provider has implemented is required
• The SaaS provider spends a significant amount of time completing security questionnaires (e.g. BITS or
other proprietary questionnaires) to provide assurance that adequate security / confidentiality controls are in
place
• The customer must trust the SaaS provider’s response (no third party review)
Solution:
• Conduct a third party confidentiality and security review on the SaaS environment (SOC 2) and make the
report available to customers for review
Benefits Achieved
• Increased transparency into control environment
• Third party attesting to the effectiveness of security and confidentiality controls (SOC 2 – Type 2)
• Reduction in time spent on completing third party security / confidentiality questionnaires
• Single / standardized report format
KEY TAKEAWAYS
• Understand and evaluate your third party relationships
• Know your risks
• Take reasonable steps toward risk mitigation
QUESTIONS
FOR MORE INFORMATION, CONTACT:
Michael Allen
Information Security Officer
Morningstar, Inc.
T 312.696.6302
Vincent Concialdi
Managing Director
Grant Thornton LLP
T 312.602.8731
What do you think? Share your thoughts about this presentation on Twitter using the hashtag #IIACHI
@IIAChicago
Visit our Social Media booth in the Exhibit Hall to join the conversation today!