Third Party Risk Management: How to Identify and Manage Data Security Risks from your Vendors Presenters: Allie Russell, Conexxus Kara Gunderson, DSSC Chair, CITGO Petroleum Sam Pfanstiel, DSSC SME, Solution Principal, Coalfire

Upload: hoangnguyet

Post on 30-Apr-2018


TRANSCRIPT

Page 1

Third Party Risk Management: How to Identify and Manage Data Security Risks from your Vendors

Presenters:

Allie Russell, Conexxus

Kara Gunderson, DSSC Chair, CITGO Petroleum

Sam Pfanstiel, DSSC SME, Solution Principal, Coalfire

Page 2

Agenda

• Housekeeping

• Presenters

• About Conexxus

• Presentation

• Q & A

Page 3

Housekeeping

This webinar is being recorded and will be made available in approximately 30 days.

• YouTube (youtube.com/conexxusonline)

• Website Link (conexxus.org)

Slide Deck

• Survey Link – Presentation provided at end

Participants

• Ask questions via webinar interface

• Please, no vendor specific questions

Email: [email protected]

Page 4

Presenters

Conexxus Host

Allie Russell

Conexxus

[email protected]

Moderator

Kara Gunderson

Chair, Data Security Committee

POS Manager, CITGO Petroleum

[email protected]

Speakers

Sam Pfanstiel

Solution Principal, PCI

Coalfire Systems, Inc.

[email protected]

Page 5

About Conexxus

• We are an independent, non-profit, member-driven technology organization

• We set standards…

– Data exchange

– Security

– Mobile commerce

• We provide vision

– Identify emerging tech/trends

• We advocate for our industry

– Technology is policy

Page 6

2017 Conexxus Webinar Schedule*

Month/Date – Webinar Title – Speaker (Company)

• July 27, 2017 – Third Party Risk Management: How to Identify and Manage Data Security Risks from your Vendors – Sam Pfanstiel (Coalfire Systems)

• August 31, 2017 – Using the NIST Cybersecurity Framework to Guide your Security Program – Chris Lietz (Coalfire Systems)

• September 21, 2017 – Things & Impact of Bring Your Own Device to the Workplace – Bradford Loewy (Dover Fueling), Jeff Gibson (ControlScan)

• November, 2017 – New Technologies for Addressing Payment Risk: A Survey of Payments Security Landscape – Ravi Raghavan (Coalfire Systems), other DSSC member(s) TBD

• December 2017 – Conexxus: EB2B White Paper Presentation – TBD (EB2B WG)

Page 7

2018 Conexxus Webinar Schedule*

Month/Date – Webinar Title – Speaker (Company)

• January 2018 – Securing and Pen Testing your Mobile Payment App – Denis Sheridan (Cigital)

• February 2018 – Unified threat management: What is it and why is it important? – Thomas Duncan (Omega)

• March 2018 – Penetration Testing: How to Test What Matters Most – Sam Pfanstiel & Coalfire Lab Personnel (Coalfire)

• May 2018 – QIR Program Update – Chris Bucolo (ControlScan)

Page 8

At the NACS Show

October 17-20, 2017

Chicago, IL

Booth 4384

Page 9

Speaker

Sam Pfanstiel

MBA, CISSP, CISM, QSA(P2PE), ETA CPP

Solution Principal, PCI

Coalfire Systems, Inc.

20 years in IT Management, Payments, and Security

Works directly with Coalfire payments teams across marketing, sales, product, and delivery to help demystify complex risk and compliance requirements, communicating effective cyber security solution strategies to stakeholders throughout the enterprise.

Former CEO, CIO, VP, and Director in charge of payment solutions

Part of team that built 1st North American PCI-P2PE solution (2014)

Part of team that built 1st S.N.A.P. EBT mobile POS terminal (2007)

Conexxus: Third Party Risk Management

Page 10

Third Party Risk Management

• Definitions

• Why TPRM matters to every enterprise

• Best Practices in TPRM

• TPRM and PCI DSS

• TPRM in Petroleum Retail

• Resources


Page 11

Definitions

• TPRM – Third Party Risk Management

• TPRM vs. SRM vs. VRM

• TPSP – Third Party Service Provider

• 3rd Parties

• 4th Parties


Page 12

Examples

• Oil Brand

• Retailers

• Distributors

• Service Providers

• Suppliers

• Fourth-Parties

• Gateway/Processor

• Backup Storage

• Managed Service Providers

• Web-Hosting

• Service Services

• Fraud Detection


Page 13

WHY TPRM MATTERS


Page 14

Why TPRM Matters – Risks

Third Parties are critical to all areas of business, handling core functions of business:

• Vendor Performance Standards

– Disruption, SLAs

• Conflict of Interests

– Ownership of Data

• Business Continuity

• Security / Data Protection

• Revenue Impact


Page 15

Why TPRM Matters

Data Breaches Primarily Due to Vendor Security

• Major Big Box Retailer: HVAC vendor

• Major Home Improvement Store: Stolen vendor credentials

• Major Ecommerce Network: Stolen Vendor Credentials

• Snowden / NSA Leak

• Sweden Leak

• C-Stores are “most susceptible to data breach” [1]

[1] Source: Risk Based Security, 2015

Page 16

VRMMM Survey Results

The 2016 Vendor Risk Management Maturity Model (VRMMM) Survey had the following findings:

• Third Party Risk Management is a “front burner” issue

• Board engagement on cybersecurity is growing – but not with respect to vendor risk

• Vendor assessment maturity is growing

• Numerous areas were identified for improvement

Source: Shared Assessments, Protiviti 2016

Page 17

BEST PRACTICES


Page 18

TPRM Methodology Development

“The Four RMs”

1. Risk Measurement

– Linked to ERM

– Measures the risk of both the activity itself and of the vendor in particular

2. Risk Management

– Standard mechanisms for dealing with risk: accept, decline, transfer, modify

3. Risk Monitoring

– New/evolving risks (including Vendor changes)

4. Response Management

– Incident response, both on your organization’s part and the vendor’s


Page 19

TPRM Best Practices

TPRM program activities can be grouped into 3 categories:

• Governance

• Operationalization

• Program Management

Source: Coalfire, 2017

Page 20

TPRM Methodology

[Diagram: Governance across the top, Program Management and Maintenance across the bottom, and the Operations activities below arranged in three phases: Define → Develop → Implement.]

Governance

Operations

• Current State Assessment

• Policies and Procedures

• Third Party Profiles

• Third Party Screening

• Risk Assessments

• Audit and Validation

• Tools/Technology Selection

• Risk Scorecards/Dashboards

• Training and Awareness

• Risk Measurement

• Risk Monitoring

• Risk Response

Program Management and Maintenance

Source: Coalfire, 2017

Page 21

TPRM Best Practices - Governance

• Set the Tone at the Top

• Formalized Governance Model

• Enterprise Risk Mgmt

• Established Roles

– Internal Audit

– Vendor Relationship Manager


Page 22

TPRM Best Practices - Operations

• Full Vendor Inventory & Profiles

• Review Policies, Procedures, Processes

• Establish Standard Contract Template

– PCI DSS 12.8.2


Page 23

TPRM Best Practices - Operations

• Develop a Third Party Risk Categorization Process

• Conduct

• Define Security Requirements for each Third Party

• Processes for Monitoring and Ensuring Security of Vendors


Page 24

TPRM Best Practices - Operations

• Phased Implementation, If Needed

• TPRM Risk Management Software Platform

• Establish Standard Contract Template

• Maintain Secure Repository for Contracts Administration


Page 25

TPRM Best Practices

Program Management and Maintenance

• TPRM Issue Management Software

• TPRM Training Materials

• Periodic Assessment

• Reporting and Review


Page 26

TPRM Case Study

Background

• Publicly-traded

• 1000s of TPSP

• Board involvement

• CISO maintained standards, audited handful of vendors

• Internal Audit engaged to review

Findings

• Many vendors outside program

• Inconsistent standards

• Inadequate contract provisions

• Insufficient vendor security audits

• Vendors not held accountable

Corrective Actions

• Joined industry association for access to TPRM best practices

• Rewrote policies to risk-rank vendors and absorb previously excluded vendors

• Standards updated for emerging threats

• Vendor accountable for 4th party

• Contracts updated


Page 27

TPRM IN PCI DSS


Page 28

TPRM in PCI DSS

• Req 12.8 - Vendor Management

• Req 6 – Vendor Systems and Applications

• Req 8.1.5 & 12.3 - Vendor Remote Access

• Responsibility Matrix

• Vendor Documentation throughout

• Vendors are critical to all areas of PCI DSS


Page 29

TPRM in PCI DSS – 12.8.1

• List of Vendors

• Description of Services

• Up-to-date


Page 30

TPRM in PCI DSS – 12.8.2

• Agreement Acknowledges PCI Responsibility


Page 31

TPRM in PCI DSS – 12.8.3

• Processes for Due Diligence


Page 32

TPRM in PCI DSS – 12.8.4-5

• Monitoring Vendor Compliance and Controls


Page 33

TPRM in PCI DSS – 6


Page 34

TPRM in PCI DSS – 8.1.5, 12.3.9


Page 35

Vendor Logging

• AFD Service Technicians (9.9)

• DSD (Direct Store Delivery) vendors if they enter the C-Store CDE or secured area

• Log everything (whether required or not)


Page 36

TPRM in PCI DSS – Resp. Matrix

Source: Information Supplement: Third-Party Security Assurance and Shared Responsibilities

• Clear Communication of Responsibility by Control

Page 37

TPRM in PCI DSS – QSA Perspective

Typical Gaps

• Vendor inventory

• Incomplete vendor documentation

• Ambiguous responsibility assignment

• Missing AOCs, or services not covered on AOC
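The gaps listed above, together with the 12.8.1 through 12.8.5 items and the responsibility matrix on the preceding slides, can be checked mechanically against a vendor register. The script below is an added example for this transcript, not code from the webinar, Conexxus or Coalfire: the vendors, the control names in PCI_CONTROLS, the one-year AOC age threshold and the three-level tiering rule are constructed assumptions chosen for illustration.

```python
"""Vendor register review: risk-tier each third party and flag the PCI DSS 12.8
evidence gaps a QSA typically finds. Added example with constructed data; the
control names, thresholds and vendors are assumptions, not from the webinar."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Subset of controls that must have an owner in the responsibility matrix for
# any provider that can affect the cardholder data environment (assumption).
PCI_CONTROLS = ["Req 6 patching", "Req 8 remote access", "Req 10 logging"]
VALID_OWNERS = {"vendor", "merchant", "shared"}   # anything else is ambiguous
AOC_MAX_AGE = timedelta(days=365)                 # assumption: annual AOC
REVIEW_DATE = date(2017, 7, 27)                   # webinar date, used as "today"
TIER_ORDER = {"high": 0, "medium": 1, "low": 2}   # remediation queue order


@dataclass
class Vendor:
    name: str
    services: str                       # 12.8.1: description of services provided
    affects_cde: bool                   # handles CHD or can affect the security of the CDE
    remote_access: bool                 # has remote access into the merchant network
    agreement_acknowledges_pci: bool    # 12.8.2: written agreement acknowledges responsibility
    due_diligence_done: bool            # 12.8.3: engagement due diligence performed
    aoc_date: Optional[date] = None     # 12.8.4: date of latest AOC / compliance evidence
    aoc_covers_services: bool = False   # AOC scope includes the services actually used
    responsibilities: Dict[str, str] = field(default_factory=dict)  # 12.8.5: control -> owner


def risk_tier(v: Vendor) -> str:
    """Inherent risk of the activity: CDE impact plus remote access ranks highest."""
    if v.affects_cde and v.remote_access:
        return "high"
    if v.affects_cde or v.remote_access:
        return "medium"
    return "low"


def findings(v: Vendor, today: date = REVIEW_DATE) -> List[str]:
    """List the 12.8 evidence gaps for one vendor (empty list means no findings)."""
    out = []
    if not v.services.strip():
        out.append("12.8.1 no description of services on the vendor list")
    if not v.agreement_acknowledges_pci:
        out.append("12.8.2 agreement does not acknowledge PCI DSS responsibility")
    if not v.due_diligence_done:
        out.append("12.8.3 no due diligence on file")
    if v.affects_cde:
        # 12.8.4: compliance status must be current and cover the services used.
        if v.aoc_date is None:
            out.append("12.8.4 no AOC or other compliance evidence on file")
        elif today - v.aoc_date > AOC_MAX_AGE:
            out.append("12.8.4 AOC is older than %d days" % AOC_MAX_AGE.days)
        elif not v.aoc_covers_services:
            out.append("12.8.4 services used are not covered on the AOC")
        # 12.8.5: every control needs an unambiguous owner.
        for control in PCI_CONTROLS:
            if v.responsibilities.get(control) not in VALID_OWNERS:
                out.append("12.8.5 responsibility for '%s' is unassigned or ambiguous" % control)
    return out


def review_register(vendors: List[Vendor], today: date = REVIEW_DATE) -> Dict[str, Tuple[str, List[str]]]:
    """Map vendor name -> (tier, findings)."""
    return {v.name: (risk_tier(v), findings(v, today)) for v in vendors}


# Constructed sample register (hypothetical vendors, not from the webinar).
SAMPLE_REGISTER = [
    Vendor("Gateway Co", "payment gateway / processor", True, True, True, True,
           aoc_date=date(2017, 3, 1), aoc_covers_services=True,
           responsibilities={"Req 6 patching": "vendor", "Req 8 remote access": "shared",
                             "Req 10 logging": "vendor"}),
    Vendor("Backup Co", "offsite backup of POS system images", True, False, True, True,
           aoc_date=date(2015, 12, 1), aoc_covers_services=True,
           responsibilities={"Req 6 patching": "vendor", "Req 8 remote access": "merchant",
                             "Req 10 logging": "TBD"}),
    # Facilities vendor with remote network access: in scope, but nothing on file.
    Vendor("HVAC Co", "", True, True, False, False),
]


def sample_review() -> Dict[str, Tuple[str, List[str]]]:
    """Review the constructed register as of the webinar date."""
    return review_register(SAMPLE_REGISTER)


if __name__ == "__main__":
    ranked = sorted(sample_review().items(), key=lambda kv: TIER_ORDER[kv[1][0]])
    for name, (tier, gaps) in ranked:
        print("%-10s %-6s %s" % (name, tier, "; ".join(gaps) or "no findings"))
```

Run stand-alone, it prints each vendor with its inherent-risk tier and its 12.8 findings, highest tier first. In a real program the Vendor records come from the vendor inventory and the contract repository rather than an inline list, and PCI_CONTROLS is replaced by the full responsibility matrix agreed with each provider; the point of the check is that a vendor such as the facilities example, which is in scope only because of its remote access, surfaces with the same findings as a payment provider instead of staying outside the program.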


Page 38

RESOURCES


Page 39

Resources

• Information Supplement: Third-Party Security Assurance and Shared Responsibilities

• Shared Assessments

– Framework

– Shared Information Gathering (SIG)

• NIST CSF 1.1 – Cybersecurity Framework

• Contact Coalfire Cyber Risk Advisory or consultant to assist with TPRM / risk assessment



Page 41

• Website: www.conexxus.org

• Email: [email protected]

• LinkedIn Group: Conexxus Online

• Follow us on Twitter: @Conexxusonline
