Performing a Vendor Security Review
TCTC 2017 Fall Event
Presenter: Katie McIntosh
1 Speaker Bio
Katie McIntosh, CISM, CRISC, CISA, CIA, CRMA, is the Cyber Security Specialist for Central Hudson Gas & Electric Corporation, a wholly owned subsidiary of Fortis Inc. Katie is responsible for Central Hudson's vendor security reviews, access management, security awareness program, IT risk management program, IT general controls, and security policies and procedures. Prior to this role, Katie was an IT Auditor within Central Hudson's Internal Audit Group. Katie is a board member of ISACA's Hudson Valley Chapter.
2 Objectives
- Things to consider when building your program
- Be able to develop a policy for your program
- The elements to consider in performing your review
- What contract terms to consider
- Developing a process for handling exceptions
- How to handle current vendor relationships

3 Planning Your Program
- Departments you need to partner with
  - Governance Committees
  - Risk Management
  - Contracts
  - Legal
  - Accounting
- Resource requirements
- Determine timeframe to perform reviews
4 Align with Risk Management Program
- Understanding your risk management policy and methodology
- Define exception handling procedures
- Understanding your risk appetite
- What data will require a security review to be performed
  - PII
  - Credit Card
  - Bank Routing and Account Numbers
  - Driver's License Number
  - Protected Health Information
  - Intellectual Property
  - Research & Development
  - Financial Information
  - Operational Information
5 Policy
Develop a Vendor Security Review Policy
- Purpose: protecting company assets
- Scope
  - Types of data that fall within this policy
  - What types of vendor relationships fall under this policy
    - Cloud vendors (beware of employees signing up for free services)
    - Service Organizations

6 Policy
Develop a Vendor Security Review Policy
- Requirements
  - Timing
  - Business Requirements
  - Review Requirements
  - Required Approvals
  - Follow-Up Reviews
  - Handling Exceptions

7 Policy
Develop a Vendor Security Review Policy
- Policy Approvals
  - Data Owner(s)
  - Risk Management
- Policy Communication
- Policy Training
8 Getting Buy-In
- Executive
  - Discuss the risks to the business: business, financial, reputation, regulatory
- Business
  - Better understanding of the vendor's offerings
  - Ownership of the risk
9 Performing a Review
Developing your program
- Leverage industry frameworks
  - NIST Cybersecurity Framework or SP 800-53
  - 20 Critical Controls
  - ISACA's COBIT 5
  - Cloud Security Alliance (CSA) Consensus Assessments Initiative Questionnaire or Cloud Controls Matrix
- Understanding from the business what data the vendor will have vs. what is needed
10 Performing a Review
Questions to ask
- Where will my data be stored?
- What are the laws that will protect my data?
- How will my data get there?
- Who else will have access to my data?
  - Co-location data centers
  - Cloud hosting provider (AWS, Microsoft, Rackspace)
  - Subvendors
  - Outsourced resources (Help Desk, Managed Service Provider, etc.)
11 Performing a Review
Questions to ask
- Describe your security governance structure
- Do you provide security awareness training to your employees?
- What are your security layers?
  - External
  - Internal
- What are your removable media policies, and how do you prevent employees from removing my company's data?
12 Performing a Review
Questions to ask
- Do you include security within the development of your software solution?
- How do you handle cybersecurity incidents?
- Have you experienced a cybersecurity incident?
- When will you notify your customers of a breach?
- Do you have a relationship with a forensic specialist?
- Do you have cyber insurance?
13 Performing a Review
Questions to ask
- What are the security layers of your subvendors?
- Develop your own questionnaire to send to the vendor, or hold a phone interview
- Request documentation to support responses
  - Response to your questionnaire
  - Vendor cybersecurity policies and procedures
  - Network diagrams
14 Performing a Review
Request documentation to support responses
- AICPA SSAE 16 SOC 2: know which Trust Service Principles you are interested in (security, privacy, confidentiality, availability, processing integrity)
- ISO 27001/2 certification
- PCI DSS audit report
- Penetration test results
- Latest vulnerability scan results
15 Performing a Review
- Identify any internal controls that should be developed
  - Access management
  - Configuring the system and change management
  - Providing complete and accurate data to the vendor
  - Data output is reviewed and approved
- Handling exceptions: additional approvals needed
- Determine risk rating of the vendor

16 Performing a Review
Documenting the review
- Describe business use
- Data fields being requested
- Summary of review performed
- Issues identified
- Internal controls to be implemented
- Obtaining data owner approval
17 Lessons Learned
- Business may not have understood how many subvendors existed
- Business may want to send too much data, instead of only what is needed
- Review the data file prior to sending it to the vendor; you may find additional fields that need high levels of protection
- Confusion between cyber incident response times and service level response times

18 Lessons Learned
- Vendor relies on the security controls of a subvendor and may not have strong security controls of its own
- Vendor may be a small shop working out of a home
- Vendor may just send you documentation, but not fill out your questionnaire
19 Contracts
- Why is it important to get involved in contract negotiations?
- Develop a Data Security Rider to attach to the contract
- Find a lawyer that understands technology, cyber security, and privacy law
- Review all agreements: cloud services will reference other agreements or policies; obtain all of them and review each one
20 Contract Terms
- Terms of Ownership
  - Data: company vs. vendor's ownership rights
  - Domain names
  - Cannot place a lien on the company's data
  - Data will not be used for R&D purposes of the vendor
  - Notification of subpoenas to access the company's data
- Confidentiality and Non-Disclosure Terms
21 Contract Terms
- Requirement to implement cyber security controls that follow industry best practices
- Prompt notification of changes to cyber security policies and controls
- Requirement to follow regulations (e.g. PCI DSS, HIPAA, privacy laws)
- Company's data is segregated and identifiable from other parties' data
- Encrypt data at rest and in transit
22 Contract Terms
- Store data in the U.S.; if not, define which jurisdiction shall govern the data
- Are there any export/import laws to consider?
- Provide security awareness training to employees
- Record retention requirements
- Subvendor is bound by terms and obligations at least as stringent as those set forth in the rider/contract
- Notified, and approval obtained, prior to use of a new subvendor
23 Contract Terms
System Development Terms
- Secure code development
- Testing the system to verify security features are working
- Vulnerability assessment of the system
- Proper change management and patch management process
- Warrants that the software does not contain malicious code or backdoors
24 Contract Terms
Terms to exit
- Requirement for all data to be returned in a usable format
- Requirement that the vendor will provide a means to retrieve data
- Requirement that the vendor shall delete all data and provide an affidavit stating that
- Don't forget backups and data held by subcontractors
25 Contract Terms
Incident Response requirements
- Define what a cyber incident is
- Define when the vendor is required to report an incident
  - Make sure that this isn't limited based on the vendor's time zone
- Require cyber incidents to be investigated by qualified personnel or a forensic expert
26 Contract Terms
- Requirement for cyber insurance: ask your insurance provider to give you language on this
- Right to Audit
  - Audit vendor and subvendors
  - Receive vendor audit reports: SSAE 16, ISO 27001/2, PCI DSS, penetration test, etc.
  - Requirement to address all audit findings
  - Requirement to implement any complementary user entity controls noted in the vendor's or subcontractor's SSAE 16
27 Things to Watch Out For
- Understand, if there are multiple agreements, which one takes precedence
- Limitation of Liability: may limit to the annual payment terms
- When a vendor has the right to suspend or terminate services
- Vendor does not negotiate terms with subvendors (AWS, Microsoft, etc.)
- Vendor will hold you to its policies, but not notify you when revisions have occurred
28 Contract Resources
- OWASP: Security Software Contract
- SANS: Application Security Procurement Language
- Stanford Technology Law Review: Negotiating Cloud Contracts: Looking at Cloud from Both Sides Now
- Cloud Council: Practical Guide to Cloud Service Agreements
- Educause: If It's in the Cloud, Get It on Paper: Cloud Computing Contract Issues
29 Handling Exceptions
- Why should you have an exceptions process?
- Exceptions can be:
  - Changes in standard company terms
  - Changes in insurance terms
  - High-risk items identified by the review
- Who needs to approve the exception?
  - Risk Management
  - Data Owners
  - Legal
30 Current Vendor Relationships
How to handle vendor relationships already in existence
- Work with the Contracts Department to review the contract when it comes up for renewal
- Review the current contract and see if you can perform a security review
  - If there is no right-to-audit term, your vendor may be willing to work with you anyway
- Add an addendum to the current contract
31 Reperform Security Reviews
Timing of when to reperform security reviews
- Based on risk
  - High risk: annually
  - Moderate risk: every 3 years
  - Low risk: every 5 years or when the contract is renewed
- Contract renegotiation
- Change of vendor ownership
32 Tools to Assist You
- Develop a vendor review database using MS Access
- Purchase a software solution (Gartner Magic Quadrant: IT Vendor Risk Management)
  - LockPath: KeyLight
  - MetricStream: Vendor Risk Management
  - Prevalent: Vendor Risk Manager
  - RSA: Archer Vendor Management
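The reperformance cadence on slide 31 (high annually, moderate every 3 years, low every 5 years or at contract renewal, plus renegotiation and change-of-ownership triggers) and the review database suggested on slide 32, as an added worked example that is not part of the presentation: a small SQLite tracker (standing in for MS Access) with an assumed schema and constructed, hypothetical vendor rows that reports which reviews are due and why.

```python
import sqlite3

# Cadence from the deck: high annually, moderate every 3 years, low every 5 years or at renewal.
REVIEW_INTERVAL_YEARS = {"high": 1, "moderate": 3, "low": 5}

# Assumed schema for the review database (SQLite here; the deck suggests MS Access).
SCHEMA = """
CREATE TABLE vendor_review (
    vendor              TEXT PRIMARY KEY,
    risk_rating         TEXT NOT NULL CHECK (risk_rating IN ('high', 'moderate', 'low')),
    last_review         TEXT NOT NULL,  -- ISO date of the last completed review
    contract_renewal    TEXT,           -- next renewal/renegotiation date, if known
    ownership_changed   INTEGER NOT NULL DEFAULT 0,  -- 1 if the vendor changed hands since
    data_owner_approved INTEGER NOT NULL DEFAULT 0   -- 1 once the data owner signed off
);
"""

# Constructed sample records; the vendor names are hypothetical.
SAMPLE_ROWS = [
    ("payroll-saas",  "high",     "2016-09-15", "2019-01-01", 0, 1),
    ("print-shop",    "moderate", "2014-06-01", None,         0, 1),
    ("survey-tool",   "low",      "2015-03-10", "2017-11-01", 0, 1),
    ("analytics-co",  "low",      "2017-02-01", None,         1, 1),
    ("backup-vendor", "moderate", "2016-01-20", None,         0, 0),
]

def open_db(rows=SAMPLE_ROWS):
    """Create an in-memory review database and load the given rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO vendor_review VALUES (?, ?, ?, ?, ?, ?)", rows)
    return conn

def reviews_due(conn, today):
    """Return sorted (vendor, reason) pairs for reviews to reperform as of `today` (ISO date)."""
    due = []
    for vendor, rating, last, renewal, owner_chg, approved in conn.execute("SELECT * FROM vendor_review"):
        years = REVIEW_INTERVAL_YEARS[rating]
        # SQLite's date modifier adds whole years (a Feb 29 start rolls forward to Mar 1).
        (risk_due,) = conn.execute("SELECT date(?, ?)", (last, f"+{years} years")).fetchone()
        if not approved:           # a review without data owner approval is not complete
            due.append((vendor, "data owner approval missing"))
        elif owner_chg:            # change of vendor ownership triggers a fresh review
            due.append((vendor, "change of vendor ownership"))
        elif renewal and renewal <= today:   # contract renegotiation/renewal trigger
            due.append((vendor, "contract renewal"))
        elif risk_due <= today:    # ISO date strings compare chronologically
            due.append((vendor, f"{rating} risk: {years}-year interval elapsed"))
    return sorted(due)
```

Calling `reviews_due(open_db(), "2017-10-01")` lists the overdue vendors with the trigger that applies to each.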
33 Program Enhancements
- Update policy, procedures and templates
- Get feedback from the business and from vendors being reviewed
- Lessons learned from each review
- Benchmark against other companies' programs
- Assess achievability of timelines and metrics
  - Wait time for the vendor's response

34 Thank You
Questions?