Performing a Vendor Security Review
TCTC 2017 Fall Event
Presenter: Katie McIntosh


Slide 1: Speaker Bio
Katie McIntosh, CISM, CRISC, CISA, CIA, CRMA, is the Cyber Security Specialist for Central Hudson Gas & Electric Corporation, a wholly owned subsidiary of Fortis Inc. Katie is responsible for Central Hudson's vendor security reviews, access management, security awareness program, IT risk management program, IT general controls, and security policies and procedures. Prior to this role, Katie was an IT Auditor within Central Hudson's Internal Audit Group. Katie is a board member of ISACA's Hudson Valley Chapter.

Slide 2: Objectives
- Things to consider when building your program
- Be able to develop a policy for your program
- The elements to consider in performing your review
- What contract terms to consider
- Developing a process for handling exceptions
- How to handle current vendor relationships

Slide 3: Planning Your Program
- Departments you need to partner with:
  - Governance Committees
  - Risk Management
  - Contracts
  - Legal
  - Accounting
- Resource requirements
- Determine the timeframe to perform reviews

Slide 4: Align with Risk Management Program
- Understand your risk management policy and methodology
- Define exception handling procedures
- Understand your risk appetite
- What data will require a security review to be performed:
  - PII
  - Credit card numbers
  - Bank routing and account numbers
  - Driver's license numbers
  - Protected Health Information
  - Intellectual property
  - Research & development
  - Financial information
  - Operational information

Slide 5: Policy - Develop a Vendor Security Review Policy
- Purpose: protecting company assets
- Scope:
  - Types of data that fall within this policy
  - What types of vendor relationships fall under this policy:
    - Cloud vendors (beware of employees signing up for free services)
    - Service organizations

Slide 6: Policy - Develop a Vendor Security Review Policy
- Requirements:
  - Timing
  - Business requirements
  - Review requirements
  - Required approvals
  - Follow-up reviews
  - Handling exceptions

Slide 7: Policy - Develop a Vendor Security Review Policy
- Policy approvals:
  - Data Owner(s)
  - Risk Management
- Policy communication
- Policy training

Slide 8: Getting Buy-In
- Executive: discuss the risks to the business
  - Business
  - Financial
  - Reputation
  - Regulatory
- Better understanding of the vendor's offerings
- Ownership of the risk

Slide 9: Performing a Review - Developing Your Program
- Leverage industry frameworks:
  - NIST Cybersecurity Framework or SP 800-53
  - 20 Critical Controls
  - ISACA's COBIT 5
  - Cloud Security Alliance's (CSA) Assessments Initiative Questionnaire or Cloud Controls Matrix
- Understand from the business what data the vendor will have vs. what is actually needed

Slide 10: Performing a Review - Questions to Ask
- Where will my data be stored?
- What are the laws that will protect my data?
- How will my data get there?
- Who else will have access to my data?
  - Co-location data centers
  - Cloud hosting provider (AWS, Microsoft, Rackspace)
  - Subvendors
  - Outsourced resources (Help Desk, Managed Service Provider, etc.)

Slide 11: Performing a Review - Questions to Ask
- Describe your security governance structure
- Do you provide security awareness training to your employees?
- What are your security layers?
  - External
  - Internal
- What are your removable media policies, and how do you prevent employees from removing my company's data?

Slide 12: Performing a Review - Questions to Ask
- Do you include security within the development of your software solution?
- How do you handle cybersecurity incidents?
- Have you experienced a cybersecurity incident?
- When will you notify your customers of a breach?
- Do you have a relationship with a forensic specialist?
- Do you have cyber insurance?

Slide 13: Performing a Review - Questions to Ask
- What are the security layers of your subvendors?
- Develop your own questionnaire to send to the vendor, or hold a phone interview
- Request documentation to support responses:
  - Response to your questionnaire
  - Vendor cybersecurity policies and procedures
  - Network diagrams

Slide 14: Performing a Review - Request Documentation to Support Responses
- AICPA SSAE 16 SOC 2: know which Trust Service Principles you are interested in (security, privacy, confidentiality, availability, processing integrity)
- ISO 27001/2 certification
- PCI DSS audit report
- Penetration test results
- Latest vulnerability scan results

Slide 15: Performing a Review
- Identify any internal controls that should be developed:
  - Access management
  - Configuring the system & change management
  - Providing complete and accurate data to the vendor
  - Data output is reviewed and approved
- Handling exceptions: additional approvals needed
- Determine the risk rating of the vendor

Slide 16: Performing a Review - Documenting the Review
- Describe the business use
- Data fields being requested
- Summary of the review performed
- Issues identified
- Internal controls to be implemented
- Obtaining data owner approval

Slide 17: Lessons Learned
- The business may not have understood how many subvendors existed
- The business may want to send too much data, instead of only what is needed
- Review the data file prior to sending it to the vendor; you may find additional fields that need high levels of protection
- Confusion between cyber incident response times and service level response times

Slide 18: Lessons Learned
- The vendor relies on the security controls of a subvendor and may not have strong security controls of its own
- The vendor may be a small shop working out of a home
- The vendor may just send you documentation, but not fill out your questionnaire

Slide 19: Contracts
- Why is it important to get involved in contract negotiations?
- Develop a Data Security Rider to attach to the contract
- Find a lawyer who understands technology, cyber security, and privacy law
- Review all agreements: cloud services will reference other agreements or policies; obtain all of them and review each one

Slide 20: Contract Terms
- Terms of ownership:
  - Data: company vs. vendor's ownership rights
  - Domain names
  - Cannot place a lien on the company's data
  - Data will not be used for R&D purposes of the vendor
  - Notification of subpoenas to access the company's data
- Confidentiality and non-disclosure terms

Slide 21: Contract Terms
- Requirement to implement cyber security controls that follow industry best practices
- Prompt notification of changes to cyber security policies and controls
- Requirement to follow regulations (e.g. PCI DSS, HIPAA, privacy laws)
- Company's data is segregated and identifiable from other parties' data
- Encrypt data at rest and in transit

Slide 22: Contract Terms
- Store data in the U.S.; if not, define which jurisdiction shall govern the data
- Are there any export/import laws to consider?
- Provide security awareness training to employees
- Record retention requirements
- Subvendor is bound by terms and obligations at least as stringent as those set forth in the rider/contract
- Company is notified and approval obtained prior to use of a new subvendor

Slide 23: Contract Terms - System Development Terms
- Secure code development
- Testing the system to verify security features are working
- Vulnerability assessment of the system
- Proper change management and patch management process
- Warrants that software does not contain malicious code or backdoors

Slide 24: Contract Terms - Terms to Exit
- Requirement for all data to be returned in a usable format
- Requirement that the vendor will provide a means to retrieve data
- Requirement that the vendor shall delete all data and provide an affidavit stating so
- Don't forget backups and data held by subcontractors

Slide 25: Contract Terms - Incident Response Requirements
- Define what a cyber incident is
- Define when the vendor is required to report an incident; make sure that this isn't limited based on the vendor's time zone
- Require cyber incidents to be investigated by qualified personnel or a forensic expert

Slide 26: Contract Terms
- Requirement for cyber insurance: ask your insurance provider to give you language on this
- Right to audit:
  - Audit the vendor and subvendors
  - Receive vendor audit reports (SSAE 16, ISO 27001/2, PCI DSS, penetration test, etc.)
  - Requirement to address all audit findings
  - Requirement to implement any complementary user entity controls noted in the vendor's or subcontractor's SSAE 16

Slide 27: Things to Watch Out For
- If there are multiple agreements, understand which one takes precedence
- Limitation of liability: may be limited to the annual payment terms
- When a vendor has the right to suspend or terminate services
- Vendor does not negotiate terms with subvendors (AWS, Microsoft, etc.)
- Vendor will hold you to its policies, but not notify you when revisions have occurred

Slide 28: Contract Resources
- OWASP: Security Software Contract
- SANS: Application Security Procurement Language
- Stanford Technology Law Review: Negotiating Cloud Contracts: Looking at Cloud from Both Sides Now
- Cloud Council: Practical Guide to Cloud Service Agreements
- Educause: If It's in the Cloud, Get It on Paper: Cloud Computing Contract Issues

Slide 29: Handling Exceptions
- Why should you have an exceptions process?
- Exceptions can be:
  - Changes in standard company terms
  - Changes in insurance terms
  - High-risk items identified by the review
- Who needs to approve the exception?
  - Risk Management
  - Data Owners
  - Legal

Slide 30: Current Vendor Relationships
- How to handle vendor relationships already in existence:
  - Work with the Contracts Department to review the contract when it comes up for renewal
  - Review the current contract and see if you can perform a security review; if there is no right-to-audit term, your vendor may be willing to work with you anyway
  - Add an addendum to the current contract

Slide 31: Reperform Security Reviews
- Timing of when to reperform security reviews, based on risk:
  - High risk: annually
  - Moderate risk: every 3 years
  - Low risk: every 5 years or when the contract is renewed
- Contract renegotiation
- Change of vendor ownership
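The re-review cadence and triggers on the slide above are simple enough to encode in the vendor review database the later "Tools to Assist You" slide suggests. The following is an added example, not code from the presentation: a small Python tracker that computes each vendor's next review due date from its risk rating (annual, 3-year or 5-year), pulls the date forward to a known contract renewal, and forces an immediate review on a change of ownership. The vendor records, risk ratings and reporting date are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Cadence from the slide: high risk annually, moderate every 3 years, low every 5 years.
CADENCE_YEARS = {"high": 1, "moderate": 3, "low": 5}

@dataclass
class VendorReview:
    vendor: str
    risk_rating: str                         # "high", "moderate" or "low"
    last_review: date                        # completion date of the last review
    contract_renewal: Optional[date] = None  # next renewal date, if known
    ownership_changed: bool = False          # set when the vendor changes hands

def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 Feb with a non-leap target year
        return d.replace(year=d.year + years, day=28)

def next_review_due(r: VendorReview) -> date:
    """Date by which the review must be re-performed (cadence or renewal)."""
    due = add_years(r.last_review, CADENCE_YEARS[r.risk_rating])  # KeyError on bad rating
    # Contract renegotiation re-triggers a review regardless of rating.
    if r.contract_renewal is not None and r.contract_renewal < due:
        due = r.contract_renewal
    return due

def due_report(records: list, today: date) -> list:
    """(vendor, ISO due date, reason) for each vendor whose review is due by today."""
    out = []
    for r in records:
        if r.ownership_changed:  # change of ownership forces an immediate review
            out.append((r.vendor, today.isoformat(), "change of vendor ownership"))
            continue
        due = next_review_due(r)
        if due <= today:
            reason = "contract renewal" if due == r.contract_renewal else f"{r.risk_rating} risk cadence"
            out.append((r.vendor, due.isoformat(), reason))
    return sorted(out, key=lambda t: t[1])

# Constructed sample inventory and reporting date (not from the presentation).
SAMPLE = [
    VendorReview("payroll-saas", "high", date(2016, 9, 1)),
    VendorReview("print-vendor", "low", date(2014, 3, 15), contract_renewal=date(2017, 10, 1)),
    VendorReview("analytics-co", "moderate", date(2016, 1, 10)),
    VendorReview("helpdesk-msp", "moderate", date(2017, 2, 1), ownership_changed=True),
]
TODAY = date(2017, 11, 1)
```

Calling `due_report(SAMPLE, TODAY)` lists the high-risk vendor past its annual date, the low-risk vendor whose contract renewal arrived before its 5-year mark, and the vendor that changed hands, while the moderate-risk vendor reviewed in 2016 is not yet due.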

Slide 32: Tools to Assist You
- Develop a vendor review database using MS Access
- Purchase a software solution (see the Gartner Magic Quadrant for IT Vendor Risk Management):
  - LockPath: KeyLight
  - MetricStream: Vendor Risk Management
  - Prevalent: Vendor Risk Manager
  - RSA: Archer Vendor Management

Slide 33: Program Enhancements
- Update policy, procedures and templates
- Get feedback from the business and from the vendors being reviewed
- Lessons learned from each review
- Benchmark against other companies' programs
- Assess the achievability of timelines and metrics (e.g. wait time for the vendor's response)

Slide 34: Thank You
Questions?