
Page 1: Vendor Due Diligence: Digging Beneath the Surface

Copyright © 2016 by Paul D. Witman

Vendor Due Diligence: Digging Beneath the Surface

for SecureTheVillage Financial Services CyberSecurity Roundtable

October 14, 2016

Paul Witman

Professor, Information Technology Management

School of Management

Page 2

Introductions

• Paul Witman, Professor, IT Management

• Formerly with Citibank (technology ops), and Digital Insight

– Six acquisition due diligences (both sides)

– Numerous vendor due diligences – ATMs, tech providers, payment providers, …

– Countless customer due diligences

Names, Affiliations, Risk Management Experiences

Page 3

Regulatory Roots - OCC

• Banks must maintain adequate risk management processes throughout each phase of a third party relationship’s life cycle: planning, due diligence and third-party selection, contract negotiation, ongoing monitoring, and termination (OCC, 2013)

Page 4

Regulatory Roots - FFIEC

• Senior management and board awareness of outsourcing risks

• Ensure that outsourcing arrangement is risk-prudent

• Systematically assess needs and establish risk-based requirements

• Implement effective controls to address identified risks

• Perform ongoing monitoring to identify and evaluate changes in risk

• Document procedures, roles/responsibilities, and reporting mechanisms

Page 5

Risk Management Overview

Source: vicimediainc.com

Page 6

Cascading Risk Management

Supplier → Supplier → Direct Vendor → Customer (Bank) → End Customer

Risk starts at the first supplier in the chain, and travels downstream

• Vendor obligations are driven by, and drive, agreements with customers

• Who do your vendors outsource to, and what risk controls do they have in place?

Page 7

Vendor, customer obligations

What do your contracts (both inbound and outbound) say about these issues?

• Use of “cloud” providers (definition?)

• US-based (or non-US-based) storage, operations, and facilities

• Encryption levels and practices

• Personnel policies

• Notification policies

• SLAs for performance and for service?

• Others?

Page 8

Legal/Compliance

• Contract reviews should check for issues in contracts that could impact tech operations or vendor relationships

– Demands from your customers

– Stipulations from your vendors, and your demands of them

• Data location

• Breach notifications

• Regs from other regions, states or industries

• Others?

Contract reviews for impactful clauses

Page 9

Project Management/SDLC (?)

• Does your organization have a formal SDLC?

• Explicit step for risk identification and controls

– Some risks might simply result in risk acceptance by business owner

• Focus on thoughtful, up-front risk analysis

– Probably the only time you’ll get concentrated attention on vendor

New vendor relationships have explicit steps in PM processes

Page 10

Vendor Due Diligence Processes

• Audit reports (SOC2, SSAE16)

• Site visits (perhaps just for big, high-risk, or leveraged vendors)

• Cascading risk questions – how far up the supply chain do you troll for risk?

• Breach and issue notification requirements/practices?

• Others?

The checklist is just the beginning …

Page 11

Questions to ask …

• Focus on data and trust levels implied

– Processing high-value PII – focus deeply on what they do and how

– Storing high-value PII – focus even more deeply on operations – risk is longer term

– Low-value PII, or short-term handling vs. storage – perhaps lower investment

• “Laundry list” of questions is just a starting point

– Should trigger deeper dives based on responses and risk profile

• People are still the weakest, most unpredictable link …

• Other suggestions?

Of yourselves, and of the vendors

Page 12

Location, location, location

• Disaster recovery

• Sovereignty issues

• Constraints from contracts

• Hardware segregation

• Others?

Geography still matters

Source: granderie.ca

Page 13

Audit Issues

• Represent a point in time

• May not check all functions

• Tests documentation and some activities, but not on an ongoing basis

• Audit can be clean, with unseen issues under the hood

– Even issues the vendor is unaware of …

Audits are a good start, but …

Source: asil.ae

Page 14

Monitoring

• Formal

– Scheduled, periodic check-ins

– Effort commensurate with risk posture

• Informal

– Follow-up on incidents

– Just asking the question can motivate change in behavior

– After action reviews – DR/HA tests, SLA triggers, etc.

Consistent, process-driven monitoring will support solid risk management

Source: inkt.org

Page 15

Cloud Issues

• Consumer-grade cloud services are readily available

– May be used by your staff for internal projects

– Or to collaborate with customers

• Even “commercial grade” cloud services may introduce new risks

– Personnel policies

– Shared tenancy on cloud operations

– Breach notifications

• Governance challenges

• Others?

What has your organization done that perhaps you’re not even aware of?

Source: thecloudandediscovery.com

Page 16

Pragmatism

• For lower-risk vendors, run with standard checklist, audit reviews, contractual, legal, and compliance

• For higher-risk vendors, drill deeper

– More questions

– More active monitoring

– Site visit?

• Collaborative site visit with other clients?

• Risk posture with vendor (including supply chain) should drive due diligence investment level

If you have limited resources, focus on the highest risk areas

Page 17

Upcoming Issues

• New York FinServ Cybersecurity – new regs

– Must have a CISO, annual pen testing, breach notifications, …

– Impacts on your vendors?

• Internet of Things?

– What’s connected to your network?

– Or to your employees’ home networks, to which they connect your equipment?

• Europe privacy requirements - GDPR

• Ransomware attacks?

• Others?

It’s never boring in IT, or in InfoSec …

Page 18

Potential Action Items

• Collaboration for vendor analyses, ongoing risk management and monitoring?

• Formal data classification?

• Formalized risk management processes?

– Including ongoing monitoring

– Explicitly driven by risk profiles

• Others?

What can you do together more effectively or efficiently than as individuals?

Source: dtcap.org

Page 19

Contact: Paul Witman

[email protected]

805-493-3562