IT Vendor Assessments - PowerPoint PPT Presentation

Presentation Transcript

How safe is your data after it leaves your control?

Howard Haile

Bill McSpadden

IT Vendor Assessments


Topics Covered

  • Why conduct a vendor audit?

  • Organizing the internal processes

  • Identifying who needs to be involved

  • Get information about your vendors

  • Survey and assess the vendors

  • Monitor and remediate


Potential Problem Areas

  • Industries

    • banking

    • healthcare

  • Business Processes

    • Employee processes (Payroll, 401k)

    • Customer Service

  • IT processes

    • Cloud computing

    • Backup/recovery

    • Help Desk


Why Audit Your Vendor?

  • You can’t control information once it leaves your control

  • You are putting a great deal of control in the hands of your vendors

  • Your vendor may pass your data to other people – who you don’t know and who have no obligation to you



Why Not a SAS70?

  • SAS70 does not specify a pre-determined set of control objectives or control activities that service organizations must achieve. 

  • SAS70 is used for financial reporting compliance – not other compliance requirements (HIPAA, GLB, etc.).

  • May not cover some important areas like Disaster Recovery, etc.

  • May not be available (too small, out of US)


Other 3rd Party Reviews?

  • You may be able to use results of other 3rd party reviews to reduce the burden of 1st party inspection.

  • However, your organization should perform its own risk assessment!

  • Shared Assessments – a new organization that supports a standardized set of assessment criteria


Other Types of Reviews

  • ISO 17799 (information security; since renumbered ISO/IEC 27002)

  • ISO 9000 series (quality)

  • Trust Services (security oriented including availability)


Get Everyone On Board

Develop standards and procedures surrounding data as if you had been hacked.

Make sure it covers:

  • Vendor management (purchasing, etc.)

  • IT

  • Field offices

  • Employee Awareness


Purchasing

  • Get 'right to audit' in contract

  • Spell out obligations

    • Proactive (not just penalties for failure)

    • Prescribe necessary precautions

  • Make the obligations part of the solicitation and scoring

  • Include ‘claw-back’ provisions in the contract for expenses incurred as a result of a breach.


IT

  • Information classification needs to be emphasized

  • Heightened awareness required, particularly involving data repositories

  • Strong change request process is very useful

  • Need heightened awareness involving encryption

  • Direct vendor access to your network heightens the risk, since it potentially exposes ALL of your data, not just what you send!


Field Offices

  • What is their ability to contract independently?

  • How de-centralized is IT?


Employee Awareness

  • Employees need to be aware of data sensitivity

  • Reminder that email attachments (spreadsheets, cut/paste lists, etc.) are covered

  • Provide a point of contact for questions

  • Periodic reminders


Data Classification

  • Sensitive data needs to be identified

  • Remember combinations of data

  • Don't send unnecessary data, e.g. account numbers
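
The two points above, that combinations of otherwise harmless fields become sensitive and that a vendor should only receive what it needs, can be checked mechanically before an extract leaves. The following is an added example written for this page, not the presenters' scheme: the field categories, the level names and the purpose-to-field mapping are constructed assumptions for illustration, and a real program would take them from the organization's own classification policy and contracts.

```python
"""Classify a proposed vendor data feed by the combination of fields it carries,
then strip the fields the vendor does not need before anything leaves.

Added example, not the presenters' scheme: the field categories, level names and
the purpose-to-field mapping are constructed assumptions for illustration.
"""

from dataclasses import dataclass

# Assumed field categories (illustrative, not the presenters' taxonomy).
DIRECT_IDENTIFIERS = {"full_name", "email", "employee_id"}
QUASI_IDENTIFIERS = {"date_of_birth", "zip_code", "gender"}
SENSITIVE = {"ssn", "account_number", "salary", "diagnosis"}


def classify(fields: set[str]) -> str:
    """Return the classification of a record carrying exactly these fields.

    Combinations matter: a date of birth alone is low risk, but name plus date
    of birth plus ZIP re-identifies a person, and adding an SSN or account
    number to an identifiable person is the worst case.
    """
    direct = fields & DIRECT_IDENTIFIERS
    quasi = fields & QUASI_IDENTIFIERS
    sensitive = fields & SENSITIVE
    identifiable = bool(direct) or len(quasi) >= 2
    if sensitive and identifiable:
        return "restricted"    # sensitive data linked to an identifiable person
    if sensitive or identifiable:
        return "confidential"  # sensitive but unlinked, or identifying on its own
    if quasi:
        return "internal"      # a single quasi-identifier
    return "public"


# Assumed mapping from the vendor's purpose to the fields it actually needs
# (constructed; in practice this comes from the contract and the business owner).
PURPOSE_FIELDS = {
    "payroll": {"employee_id", "full_name", "salary", "account_number"},
    "401k_enrollment": {"employee_id", "full_name", "date_of_birth"},
    "satisfaction_survey": {"email"},
}


@dataclass
class Review:
    purpose: str
    sent: set[str]          # what will actually leave
    dropped: set[str]       # proposed fields the purpose does not justify
    classification: str     # level of what is sent, not of what was proposed


def minimize(proposed: set[str], purpose: str) -> Review:
    """Keep only the fields the stated purpose needs and classify the result."""
    if purpose not in PURPOSE_FIELDS:
        raise ValueError(f"no approved field list for purpose {purpose!r}")
    sent = proposed & PURPOSE_FIELDS[purpose]
    return Review(purpose, sent, proposed - sent, classify(sent))


if __name__ == "__main__":
    # Constructed sample: an extract someone proposes to email to a survey vendor.
    proposed = {"full_name", "email", "date_of_birth", "zip_code", "ssn"}
    print("proposed extract is", classify(proposed))
    review = minimize(proposed, "satisfaction_survey")
    print("send", sorted(review.sent), "drop", sorted(review.dropped),
          "->", review.classification)
```

Run as a script, the sample extract is classified as restricted as proposed, but only the email address survives minimization for the survey purpose, which drops the level to confidential. The purpose-to-field list is the control point: an unknown purpose is refused rather than defaulting to "send everything".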


Discussion Questions

  • Should you hold your vendors to the same information security specs as your own?

  • Do you hold your vendors to the same information security specs as your own?

  • What would it take to satisfy you of the vendors’ security over information?

  • What is your organization doing to satisfy itself with regard to vendor security?


Assessment Process

  • Rank the risk

  • Identify the vendors (all or some?)

  • Survey vendors

  • Score the survey

  • Identify weaknesses

  • Decide on remediation process


Pre-Survey Steps

  • Does the vendor know what is expected – in detail?

  • Do you have a good contact at the vendor, if permitted?

  • What sort of tracking system do you need?

  • Who is responsible for devising, administering and scoring the survey?


Survey Process

  • Develop the survey

  • Devise a scoring system (Keep it simple!)

  • Design the questions to be ‘gradable’

  • Have all vendors complete a standard questionnaire.

  • Review and score questionnaire – use same criteria.

  • Use 'skepticism' when grading

  • Evaluate by predetermined score


Survey Considerations

  • Once the high-risk vendors are completed, are you comfortable with the results? If not, keep going down the list until you are

  • Evaluate risks against questionnaire score

  • High-risk data/processes necessitate a high vendor score

  • Determine if additional info, including site visit, is needed

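The assessment, survey and scoring steps above (rank the risk, ask gradable questions, grade with skepticism, compare against a threshold that rises with the risk, then rank the weaknesses for remediation) fit in a short program. The following is an added example for this page, not the presenters' survey or scoring scheme: the questions, weights, tier thresholds, the "unsupported yes counts as partial" rule, the site-visit trigger and the sample answers are all constructed assumptions.

```python
"""Score a completed vendor security questionnaire against a risk-based
threshold and produce a prioritized deficiency list.

Added example, not the presenters' survey: the questions, weights, tier
thresholds, skepticism rule and sample answers are constructed assumptions.
"""

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Question:
    qid: str
    text: str
    weight: int      # 1-5; how much the control matters for our data


@dataclass(frozen=True)
class Answer:
    qid: str
    response: str    # "yes", "partial" or "no"
    evidence: bool   # did the vendor attach proof (policy, screenshot, report)?


# Constructed questionnaire; every question is gradable with one of three answers.
QUESTIONS = [
    Question("enc_transit", "Is our data encrypted in transit?", 5),
    Question("enc_rest", "Is our data encrypted at rest?", 4),
    Question("bg_checks", "Are staff with access to our data background checked?", 3),
    Question("term_process", "Is access revoked on termination within one business day?", 4),
    Question("ir_notify", "Are we notified of incidents within the contractual deadline?", 5),
    Question("dr_tested", "Has recovery of our data been tested in the last year?", 3),
    Question("subcontract", "Are subcontractors with access to our data disclosed?", 4),
]

RESPONSE_CREDIT = {"yes": 1.0, "partial": 0.5, "no": 0.0}

# Minimum acceptable score per risk tier: higher-risk data needs a higher score.
THRESHOLDS = {"high": 85, "medium": 70, "low": 50}


def risk_tier(classification: str, network_access: bool) -> str:
    """Rank the vendor by what it receives and how it connects to us."""
    if classification == "restricted" or network_access:
        return "high"      # direct network access can expose everything, so tier it up
    if classification == "confidential":
        return "medium"
    return "low"


def credit(answer: Answer) -> float:
    """Skepticism when grading: an unsupported 'yes' earns only partial credit."""
    if answer.response == "yes" and not answer.evidence:
        return RESPONSE_CREDIT["partial"]
    return RESPONSE_CREDIT[answer.response]


@dataclass
class Result:
    tier: str
    score: float                                       # 0-100
    passed: bool
    deficiencies: list = field(default_factory=list)   # (qid, weighted points lost), worst first
    site_visit: bool = False


def assess(answers: list[Answer], tier: str) -> Result:
    """Score the questionnaire with one fixed criterion and rank what was lost."""
    by_id = {a.qid: a for a in answers}
    total = sum(q.weight for q in QUESTIONS)
    earned = 0.0
    lost = []
    for q in QUESTIONS:
        a = by_id.get(q.qid)
        c = credit(a) if a else 0.0          # an unanswered question scores zero
        earned += q.weight * c
        if c < 1.0:
            lost.append((q.qid, q.weight * (1.0 - c)))
    lost.sort(key=lambda d: d[1], reverse=True)
    score = round(100 * earned / total, 1)
    passed = score >= THRESHOLDS[tier]
    # A high-risk vendor that fails, or leaves a top-weight control unproven,
    # is a candidate for an on-site inspection rather than more paperwork.
    weak_critical = any(q.weight == 5 and d[0] == q.qid for q in QUESTIONS for d in lost)
    site_visit = tier == "high" and (not passed or weak_critical)
    return Result(tier, score, passed, lost, site_visit)


# Constructed sample answers for a payroll vendor receiving restricted data.
SAMPLE_ANSWERS = [
    Answer("enc_transit", "yes", evidence=True),
    Answer("enc_rest", "yes", evidence=False),    # claimed, not shown: half credit
    Answer("bg_checks", "partial", evidence=True),
    Answer("term_process", "yes", evidence=True),
    Answer("ir_notify", "no", evidence=False),
    Answer("dr_tested", "yes", evidence=True),
    # "subcontract" left unanswered on purpose
]

if __name__ == "__main__":
    tier = risk_tier("restricted", network_access=False)
    result = assess(SAMPLE_ANSWERS, tier)
    print(f"tier={result.tier} score={result.score} passed={result.passed} "
          f"site_visit={result.site_visit}")
    for qid, points in result.deficiencies:
        print(f"  fix {qid}: {points:g} weighted points lost")
```

The same answers that fail a high-tier vendor would pass a low-tier one, which is the point of evaluating risk against the questionnaire score rather than using one pass mark for everyone. The deficiency list is ordered by weighted points lost, so the missing incident notification and the undisclosed subcontractors come out ahead of the unproven encryption-at-rest claim, which is the order purchasing and the business unit should hear about them.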

On-site Inspections?

  • High risk vendors may require on-site inspection

  • High risk implies sensitive data and/or questionable safeguards

  • Set up a schedule based on risk assessment. The higher the risk, the greater the frequency.

  • Might be a good opportunity to employ consultants whose existing coverage already overlaps your vendors


Vendor - Background Info

  • Nature of service provided

  • Frequency that information is supplied to vendor

  • List of data elements provided (selection criteria is not essential)

  • How data is transported (transport method and encryption technique)


Vendor - Background (cont’d)

  • Will any of the data reside outside of the US?

  • Are any of the services provided further outsourced? (If so, more detailed information on nature, location, etc. is required)


Vendor Oversight

  • Regulatory or other Governance the vendor must follow (HIPAA, PCI, banking, SOX, SAS70, etc.)

  • Are your data/processes covered by those compliance regimes? If so, can those regulatory bodies reach your organization?

  • Employee policies (confidentiality agreements, background checks, termination process within systems, etc.)


Vendor – Process Inventory

  • Provide a specific list of servers, databases, and networks where data will reside or be processed

  • Provide information on each (location, operating systems, age, etc.)


Vendor - Security Questions

  • Describe security policies

  • Provide data classification grid

  • How does the vendor’s classification map to your data classification scheme?

  • Technical/logical system controls


Vendor – Physical Risks

  • Physical security of facilities (accessibility by public)

  • Data Center

  • Off-site data storage – is your data going to yet another vendor?

  • Call center services (if in scope)

  • Identity theft monitoring process


Vendor Business Continuity

  • Business Continuity plans (may not be in scope depending upon nature of the services provided)

  • What is the recovery timeframe for your data and equipment?

  • Does response time match your need?

  • Does the response time match your contract?

  • Has your data and equipment recovery been specifically tested?


Handling 3rd Parties

  • What processes are further sub-contracted to a 3rd party?

    NOTE: same assessment process needs to be followed for the 3rd party

  • What are your rights with regards to 3rd party inspections or ability to have primary vendor inspect?


Vendor Documentation

  • Any documentation from third party reviews (PCI, SAS-70, BITS)

  • Organization chart (especially showing security responsibility and hierarchy)

  • Outline or listing of security policies and procedures in place (an index or table of contents, etc.)

  • Process documentation or results of any security risk assessment processes


Vendor Doc (cont’d)

  • Employee background check template to verify scope

  • Floor plan diagram showing security devices (i.e. cameras, badge readers, etc)

  • Access control list for the data center (if applicable)

  • Account password settings (screen shot of the settings for systems holding your data)


Vendor Doc (cont’d)

  • Audit/logging policies for systems processing or protecting your data

  • Data retention and secure purging related policies and procedures.

  • eDiscovery program

  • Incident response plan – is your organization notified promptly?

  • A sample of the change control process sign off form or document recording approval for system/software changes


Managing Deficiencies

  • Prioritize the deficiencies

  • Ensure that purchasing and the business unit are aware of vendor deficiencies – and their potential impact

  • Work with vendor and purchasing to develop a reasonable timeline to fix

  • If necessary, begin enforcing contractual penalties


One More Thought (or so)

If you provide outsourced services:

  • What are you doing to provide this info?

  • Are you meeting your obligations?

  • What is the process for keeping your clients informed?

  • What do you outsource that might create a problem?


Call to Action

  • Assess the process for managing information flow to outside parties

  • Identify the risks for data residing outside your direct control

  • Evaluate external organizations’ ability to secure your data


More Information

Shared Assessments

http://sharedassessments.org/

  • Agreed Upon Procedures

  • Standard Info Gathering Questionnaire

  • Low/high risk questionnaire

  • Business Continuity questionnaire

  • Privacy Continuity questionnaire


Questions & Contact Info

  • Bill McSpadden (BMcSpadden@Chanllc.com)

  • Howard Haile (HHaile@Chanllc.com)