VENDOR CONTRACTING : CYBERSECURITY CHECKLIST

Transcription

1 Software and Supply Chain Assurance Winter Forum 2017 VENDOR CONTRACTING : CYBERSECURITY CHECKLIST Lucy L. Thomson, Esq. CISSP American Bar Associa:on (ABA) Cybersecurity Legal Task Force Livingston PLLC, Washington, D.C. lucythomson1@mindspring.com ~ December 12, 2017

2 What do these breaches have in common?

3 What do these breaches have in common? ATTACK VECTORS = VENDORS Medical Transcription Third KeyPoint Government Party Vendor SoluGons

4 Weakest Link: Third Party Vendors Security is only as strong as its weakest link It is now common pracgce to outsource services Third party vendors are the anack vector for many major breaches Supply chain breaches Point of Sale systems payment cards compromised Target; OPM; Home Depot and many more companies breached

5 ABA U.S. Treasury Department Collaboration Treasury focused on three imperagves: Informa(on sharing, which can alert firms to the types of anacks coming from the same IP addresses, the same malware and anack vectors, and enable them to employ their defenses more effecgvely. Baseline protec(ons, to appraise financial firms of anack methods and vectors that are being deployed and, with forensic analysis, derive a constantly updated set of security protecgons. Incident response, so that if anacked, or even forced perhaps to shut down, firms can respond to an incident and recover from it as quickly as possible.

6 ABA Cybersecurity Initative 2014 Resolution The ABA recognized the importance of focusing on cyber protecgon when it adopted the following ResoluGon in 2014: The American Bar AssociaGon encourages all private and public sector organizagons to develop, implement, and maintain an appropriate cybersecurity program that complies with applicable ethical and legal obligagons, and is tailored to the nature and scope of the organizagon, and the data and systems to be protected. 6

7 ABA U.S. Treasury Department Collaboration The procurement process is a useful tool to strengthen the security posture of organizagons and their external vendors and business partners located domesgcally and overseas. ABA developed a Vendor ContracGng Checklist to assist procuring organizagons, vendors, and their respecgve counsel to address informagon security requirements in their transacgons

8 Weakest Link: Third Party Vendors Objec:ve of the Cybersecurity Checklist Frame the issues the par:es should consider consistent with common principles for managing cyber risk. It contemplates transac:ons from due diligence and vendor selec:on through contrac:ng and vendor management. Energy Sector Guidance for Contrac5ng with Vendors

9 Weakest Link: Third Party Vendors When contracgng for products and services, organizagons can specify cybersecurity requirements that third party vendors must meet. Including cybersecurity in the procurement process can ensure that those purchasing and supplying delivery systems consider cybersecurity, beginning with the design phase of system development. In short, can argue it is NOT REASONABLE SECURITY to purchase products, socware, or devices with known vulnerabiliges

10 Cybersecurity Checklist: Key Areas of Focus Conduct a risk management assessment of the proposed vendors. Review vendor security pracgces and the ability to follow them. The contracgng process includes seung expecta:ons, mi:ga:ng risk, and alloca:ng liability.

11 1 Cybersecurity Strategy Understanding the Landscape of the Transaction All organiza:ons should establish and maintain a documented strategy for iden:fying and managing their respec:ve cybersecurity risks. The par:es cybersecurity strategies and risk assessments will be key to establishing a solid founda:on for the vendor selec:on process.

12 2 Risk Assessment Cybersecurity Considerations for the Transactions Analyzing interconnec:ons with and dependencies on third par:es is an element of cybersecurity risk assessment and management. In the vendor context, risk assessments should inform the underlying decision to outsource any func:on or ac:vity, as well as the specific requirements for a product to be supplied or service to be performed. Risk assessments and controls should also be referenced in the vendor due diligence and selec:on process to iden:fy gaps or deficiencies that will need to be addressed by the par:es to mi:gate risk.

13 3 Vendor Due Diligence Purchasers should evaluate the capacity of prospec:ve vendors to follow appropriate informa:on security prac:ces. The purchaser s assessment of its own business and risk management objec:ves should inform the purchaser s due diligence ac:vi:es. Purchasers should conduct a security assessment of the vendor.

14 4 Contract Provisions Setting Expectations, Mitigating Risk, and Allocating Liability The material covered in the specified list is intended to highlight provisions that should reflect informa:on security considera:ons, even though the substance of the provisions is not necessarily limited to informa:on security.

15 4 Contract Provisions Setting Expectations, Mitigating Risk, and Allocating Liability Defini:ons Performance Representa:ons and Warran:es Confiden:ality Security program Monitoring/Assessment of Vendor Performance Risk Event Repor:ng Remedies Termina:on Insurance 11) Indemnifica:on 12) Business Con:nuity/ Resiliency 13) Miscellaneous 14) Sojware

16 Financial Sector / Third Party Vendor Guidance Documents Federal Financial Regulator Guidance Third Party Providers Group of 7 ( G7 ), Fundamental Elements of Cybersecurity for the Financial Sector Federal Deposit Insurance Corpora:on (FDIC), Guidance For Managing Third-Party Risk Office of the Comptroller of the Currency, Risk Management Guidance, OCC-Bulle:n Guidance on Managing Outsourcing Risk, Board of Governors, Federal Reserve System, December 5, 2013 CFPB Bulle:n , Service Providers (April 13, 2012) FFIEC Guidance on IT Service Providers (October 2012) Securi:es and Exchange Commission (SEC), Guidance Update No , Cybersecurity Guidance (April 2015)

17 ABA Cybersecurity Legal Task Force

18 Vendor Contracting Project: Cybersecurity Checklist Link images/law_national_security/ Cybersecurity%20Task%20Force%20Vendor%2 0Contracting%20Checklist%20v1.1% pdf