IT Vendor Assessments PowerPoint PPT Presentation


How safe is your data after it leaves your control?

Howard Haile

Bill McSpadden

IT Vendor Assessments

Topics Covered

  • Why conduct a vendor audit?

  • Organizing the internal processes

  • Identifying who needs to be involved

  • Get information about your vendors

  • Survey and assess the vendors

  • Monitor and remediate

Potential Problem Areas

  • Industries

    • banking

    • healthcare

  • Business Processes

    • Employee processes (Payroll, 401k)

    • Customer Service

  • IT processes

    • Cloud computing

    • Backup/recovery

    • Help Desk

Why Audit Your Vendor?

  • You can’t control information once it leaves your hands

  • You are putting a great deal of control in the hands of your vendors

  • Your vendor may pass your data to other people – whom you don’t know and who have no obligation to you

  • A hack on your vendor may leave your organization as exposed as if you had been hacked.

Why Not a SAS70?

  • SAS70 does not specify a pre-determined set of control objectives or control activities that service organizations must achieve. 

  • SAS70 is used for financial reporting compliance – not other compliance requirements (HIPAA, GLB, etc.).

  • May not cover some important areas like Disaster Recovery, etc.

  • May not be available (too small, out of US)

Other 3rd Party Reviews?

  • You may be able to use results of other 3rd party reviews to reduce the burden of 1st party inspection.

  • However, your organization should perform its own risk assessment!

  • Shared Assessments – new organization which supports a standardized set of assessment criteria

Other Types of Reviews

  • ISO 17799 (info security)

  • ISO 9000 series (quality)

  • Trust Services (security oriented including availability)

Get Everyone On Board

  • Develop standards and procedures surrounding data

  • Make sure it covers

    • Vendor management (purchasing, etc.)

    • Field offices

    • Employee awareness

Vendor Management

  • Get 'right to audit' in contract

  • Spell out obligations

    • Proactive (not just penalties for failure)

    • Prescribe necessary precautions

  • Make the obligations part of the solicitation and scoring

  • Include ‘claw-back’ provisions in the contract for expenses incurred as a result of a breach.


  • Information classification needs to be emphasized

  • Heightened awareness required, particularly involving data repositories

  • Strong change request process is very useful

  • Need heightened awareness involving encryption

  • Direct access to your network heightens the risk as it potentially exposes ALL of your data!!!

Field Offices

  • What is their ability to contract independently?

  • How de-centralized is IT?

Employee Awareness

  • Employees need to be aware of data sensitivity

  • Reminder that email attachments (spreadsheets, cut/paste lists, etc.) are covered

  • Provide a point of contact for questions

  • Periodic reminders

Data classification

  • Sensitive data needs to be identified

  • Remember combinations of data

  • Don't send unnecessary data, e.g. account numbers

Discussion Questions

  • Should you hold your vendors to the same information security specs as your own?

  • Do you hold your vendors to the same information security specs as your own?

  • What would it take to satisfy you of the vendors’ security over information?

  • What is your organization doing to satisfy themselves with regard to vendor security?

Assessment Process

  • Rank the risk

  • Identify the vendors (all or some?)

  • Survey vendors

  • Score the survey

  • Identify weaknesses

  • Decide on remediation process

Pre-Survey Steps

  • Does the vendor know what is expected – in detail?

  • Do you have a good contact at the vendor, if permitted?

  • What sort of tracking system do you need?

  • Who is responsible for devising, administering and scoring the survey?

Survey Process

  • Develop the survey

  • Devise a scoring system (Keep it simple!)

  • Design the questions to be ‘gradable’

  • Have all vendors complete a standard questionnaire.

  • Review and score questionnaire – use same criteria.

  • Use 'skepticism' when grading

  • Evaluate by predetermined score

Survey Considerations

  • Once the high-risk vendors are completed, are you comfortable with the results? If not, keep going until you begin to feel comfortable

  • Evaluate risks against questionnaire score

  • High risk data/processes necessitate high vendor score

  • Determine if additional info, including site visit, is needed
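The scoring steps above (score every vendor against the same criteria, compare the score with a predetermined threshold that rises with the risk of the data, list the weaknesses, decide whether a site visit is needed) as an added worked example; this is not code from the presentation, and the question weights, risk tiers, thresholds, answer grades and the sample payroll vendor are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed questionnaire: weight = how much the control matters to you.
# Answers are graded 0 (no / no evidence), 1 (partial), 2 (yes, evidenced).
QUESTIONS = {
    "encryption_in_transit": 3, "encryption_at_rest": 3,
    "incident_notification": 3, "background_checks": 2,
    "subcontractors_disclosed": 2, "change_control": 1,
}
MAX_ANSWER = 2
# Predetermined pass thresholds (percent): high-risk data needs a high vendor score.
THRESHOLDS = {"low": 60, "medium": 75, "high": 90}

# Constructed sample answers for a hypothetical payroll vendor (one question unanswered).
SAMPLE_ANSWERS = {"encryption_in_transit": 2, "encryption_at_rest": 1,
                  "incident_notification": 2, "background_checks": 2, "change_control": 1}

@dataclass
class Assessment:
    vendor: str
    tier: str
    score_pct: float
    passed: bool
    deficiencies: list = field(default_factory=list)  # most important first
    site_visit: bool = False

def rank_risk(data_sensitivity: str, direct_network_access: bool, data_outside_us: bool) -> str:
    """Rank the relationship by the data involved and how the vendor reaches it.
    Sensitive data or direct network access is always high risk (it can expose all your data)."""
    if data_sensitivity == "sensitive" or direct_network_access:
        return "high"
    if data_sensitivity == "internal" or data_outside_us:
        return "medium"
    return "low"

def score_survey(vendor: str, tier: str, answers: dict) -> Assessment:
    """Score graded answers with the same criteria for every vendor.
    Skepticism: an unanswered question earns nothing (no evidence, no credit)."""
    earned = sum(w * min(answers.get(q, 0), MAX_ANSWER) for q, w in QUESTIONS.items())
    possible = MAX_ANSWER * sum(QUESTIONS.values())
    pct = round(100 * earned / possible, 1)
    # Weaknesses: every control not fully evidenced, heaviest weight first.
    deficiencies = sorted((q for q in QUESTIONS if answers.get(q, 0) < MAX_ANSWER),
                          key=lambda q: (-QUESTIONS[q], q))
    passed = pct >= THRESHOLDS[tier]
    # Site visit when a high-risk vendor fails or leaves a top-weight control deficient.
    site_visit = tier == "high" and (not passed or any(QUESTIONS[q] == 3 for q in deficiencies))
    return Assessment(vendor, tier, pct, passed, deficiencies, site_visit)
```

The same answers that pass a low-risk vendor fail a high-risk one, which is the point of ranking the risk before scoring the survey.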

On-site inspections?

  • High risk vendors may require on-site inspection

  • High risk implies sensitive data and/or questionable safeguards

  • Set up a schedule based on risk assessment. The higher the risk, the greater the frequency.

  • Might be a good opportunity for employing consultants whose presence overlaps your vendors

Vendor - Background Info

  • Nature of service provided

  • Frequency that information is supplied to vendor

  • List of data elements provided (selection criteria are not essential)

  • How data is transported (transport method and encryption technique)

Vendor - Background (cont’d)

  • Will any of the data reside outside of the US?

  • Are any of the services provided further outsourced? (If so, more detailed information on nature, location, etc. is required)

Vendor Oversight

  • Regulatory or other Governance the vendor must follow (HIPAA, PCI, banking, SOX, SAS70, etc.)

  • Are your data/processes covered by those compliance processes? If so, can those regulatory bodies affect your organization?

  • Employee policies (confidentiality agreements, background checks, termination process within systems, etc.)

Vendor – Process Inventory

  • Provide a specific list of servers, databases, and networks where data will reside or be processed

  • Provide information on each (location, operating systems, age, etc.)

Vendor - Security Questions

  • Describe security policies

  • Provide data classification grid

  • How does your vendor’s classification match your data classification scheme?

  • Technical/logical system controls

Vendor – Physical Risks

  • Physical security of facilities (accessibility by public)

  • Data Center

  • Off-site data storage – is your data going to yet another vendor?

  • Call center services (if in scope)

  • Identity theft monitoring process

Vendor Business Continuity

  • Business Continuity plans (may not be in scope depending upon nature of the services provided)

  • What is the recovery timeframe for your data and equipment?

  • Does response time match your need?

  • Does the response time match your contract?

  • Has your data and equipment recovery been specifically tested?

Handling 3rd Parties

  • What processes are further sub-contracted to a 3rd party?

    NOTE: same assessment process needs to be followed for the 3rd party

  • What are your rights with regard to 3rd party inspections or ability to have the primary vendor inspect?

Vendor Documentation

  • Any documentation from third party reviews (PCI, SAS-70, BITS)

  • Organization chart (especially showing security responsibility and hierarchy)

  • Outline or listing of security policies and procedures in place (an index or table of contents, etc.)

  • Process documentation or results of any security risk assessment processes

Vendor Doc (cont’d)

  • Employee background check template to verify scope

  • Floor plan diagram showing security devices (e.g. cameras, badge readers, etc.)

  • Access control list for the data center (if applicable)

  • Account password settings (screenshot of settings for systems)

Vendor Doc (cont’d)

  • Audit/logging policies for systems processing/protecting

  • Data retention and secure purging related policies and procedures.

  • eDiscovery program

  • Incident response plan – is your organization notified promptly?

  • A sample of the change control process sign off form or document recording approval for system/software changes

  • Org chart

Managing Deficiencies

  • Prioritize the deficiencies

  • Ensure that purchasing and the business unit are aware of vendor deficiencies – and potential impact

  • Work with vendor and purchasing to develop a reasonable timeline to fix

  • If necessary, begin enforcing contractual penalties

One More Thought (or so)

If you provide outsourced services:

  • What are you doing to provide this info?

  • Are you meeting your obligations?

  • What are the processes for keeping your clients informed?

  • What do you outsource that might create a problem?

Call to Action

  • Assess the process for managing information flow to outside parties

  • Identify the risks for data residing outside your direct control

  • Evaluate external organizations’ ability to secure your data

More Information

Shared Assessments

  • Agreed Upon Procedures

  • Standard Info Gathering Questionnaire

  • Low/high risk questionnaire

  • Business Continuity questionnaire

  • Privacy Continuity questionnaire

Questions & Contact Info

  • Bill McSpadden (

  • Howard Haile

