Copyright © 2016 by Paul D. Witman
Vendor Due Diligence: Digging Beneath the Surface
for SecureTheVillage Financial Services CyberSecurity Roundtable
October 14, 2016
Paul Witman
Professor, Information Technology Management
School of Management
Introductions
• Paul Witman, Professor, IT Management
• Formerly with Citibank (technology ops), and Digital Insight
– Six acquisition due diligences (both sides)
– Numerous vendor due diligences – ATMs, tech providers, payment providers, …
– Countless customer due diligences
Names, Affiliations, Risk Management Experiences
Regulatory Roots - OCC
• Banks must maintain adequate risk management processes throughout each phase of a third party relationship’s life cycle: planning, due diligence and third-party selection, contract negotiation, ongoing monitoring, and termination (OCC, 2013)
Regulatory Roots - FFIEC
• Senior management and board awareness of outsourcing risks
• Ensure that outsourcing arrangement is risk-prudent
• Systematically assess needs and establish risk-based requirements
• Implement effective controls to address identified risks
• Perform ongoing monitoring to identify and evaluate changes in risk
• Document procedures, roles/responsibilities, and reporting mechanisms
Risk Management Overview
Source: vicimediainc.com
Cascading Risk Management
Supplier → Supplier → Direct Vendor → Customer (Bank) → End Customer
Risk starts at the first supplier in the chain, and travels downstream …
• Vendor obligations are driven by, and drive, agreements with customers
• Who do your vendors outsource to, and what risk controls do they have in place?
Vendor, customer obligations
What do your contracts (both inbound and outbound) say about these issues?
• Use of “cloud” providers (definition?)
• US(or non-US)-based storage, operations, and facilities
• Encryption levels and practices
• Personnel policies
• Notification policies
• SLAs for performance and for service?
• Others?
Legal/Compliance
• Contract reviews should check for issues in contracts that could impact tech operations or vendor relationships
– Demands from your customers
– Stipulations from your vendors, and your demands of them
• Data location
• Breach notifications
• Regs from other regions, states or industries
• Others?
Contract reviews for impactful clauses
Project Management/SDLC (?)
• Does your organization have a formal SDLC?
• Explicit step for risk identification and controls
– Some risks might simply result in risk acceptance by business owner
• Focus on thoughtful, up-front risk analysis
– Probably the only time you’ll get concentrated attention on vendor
New vendor relationships have explicit steps in PM processes
Vendor Due Diligence Processes
• Audit reports (SOC 2, SSAE 16)
• Site visits (perhaps just for big, high-risk, or leveraged vendors)
• Cascading risk questions – how far up the supply chain do you troll for risk?
• Breach and issue notification requirements/practices?
• Others?
The checklist is just the beginning …
Questions to ask …
• Focus on data and trust levels implied
– Processing high-value PII – focus deeply on what they do and how
– Storing high-value PII – focus even more deeply on operations – risk is longer term
– Low-value PII, or short-term handling vs. storage – perhaps lower investment
• “Laundry list” of questions is just a starting point
– Should trigger deeper dives based on responses and risk profile
• People are still the weakest, most unpredictable link …
• Other suggestions?
Of yourselves, and of the vendors
Location, location, location
• Disaster recovery
• Sovereignty issues
• Constraints from contracts
• Hardware segregation
• Others?
Geography still matters
Source: granderie.ca
Audit Issues
• Represent a point in time
• May not check all functions
• Tests documentation and some activities, but not on an ongoing basis
• Audit can be clean, with unseen issues under the hood
– Even issues the vendor is unaware of …
Audits are a good start, but …
Source: asil.ae
Monitoring
• Formal
– Scheduled, periodic check-ins
– Effort commensurate with risk posture
• Informal
– Follow-up on incidents
– Just asking the question can motivate change in behavior
– After-action reviews – DR/HA tests, SLA triggers, etc.
Consistent, process-driven monitoring will support solid risk management
Source: inkt.org
Cloud Issues
• Consumer-grade cloud services are readily available
– May be used by your staff for internal projects
– Or to collaborate with customers
• Even “commercial grade” cloud services may introduce new risks
– Personnel policies
– Shared tenancy on cloud operations
– Breach notifications
• Governance challenges
• Others?
What has your organization done that perhaps you’re not even aware of?
Source: thecloudandediscovery.com
Pragmatism
• For lower-risk vendors, run with standard checklist, audit reviews, contractual, legal, and compliance
• For higher-risk vendors, drill deeper
– More questions
– More active monitoring
– Site visit?
• Collaborative site visit with other clients?
• Risk posture with vendor (including supply chain) should drive due diligence investment level
If you have limited resources, focus on the highest risk areas
Upcoming Issues
• New York FinServ Cybersecurity – new regs
– Must have a CISO, annual pen testing, breach notifications, …
– Impacts on your vendors?
• Internet of Things?
– What’s connected to your network?
– Or to your employees’ home networks, to which they connect your equipment?
• European privacy requirements – GDPR
• Ransomware attacks?
• Others?
It’s never boring in IT, or in InfoSec …
Potential Action Items
• Collaboration for vendor analyses, ongoing risk management and monitoring?
• Formal data classification?
• Formalized risk management processes?
– Including ongoing monitoring
– Explicitly driven by risk profiles
• Others?
What can you do together more effectively or efficiently than as individuals?
Source: dtcap.org