7/30/2019 091210 IT Vendor Audit
1/36
IT Vendor Assessments
How safe is your data after it leaves your control?
Howard Haile, Bill McSpadden
Topics Covered
Why conduct a vendor audit?
Organizing the internal processes
Identifying who needs to be involved
Get information about your vendors
Survey and assess the vendors
Monitor and remediate
Potential Problem Areas
Industries: banking, healthcare
Business Processes: Employee processes (Payroll, 401k), Customer Service
IT processes: Cloud computing, Backup/recovery, Help Desk
Why Audit Your Vendor?
You can't control information once it leaves your control
You are putting a great deal of control in the hands of your vendors
Your vendor may pass your data to other people who you don't know and who have no obligation to you
A hack on your vendor may leave your organization as exposed as if you had been hacked.
Why Not a SAS70?
SAS70 does not specify a pre-determined set of control objectives or control activities that service organizations must achieve.
SAS70 is used for financial reporting compliance, not other compliance requirements (HIPAA, GLB, etc.).
May not cover some important areas like Disaster Recovery, etc.
May not be available (too small, out of
Other 3rd Party Reviews?
You may be able to use results of other 3rd party reviews to reduce the burden of 1st party inspection.
However, your organization should perform its own risk assessment!
Shared Assessments: new organization which supports a standardized set of assessment criteria
Other Types of Reviews
ISO 17799 (info security)
ISO 9000 series (quality)
Trust Services (security oriented, including availability)
Get Everyone On Board
Develop standards and procedures surrounding data
Make sure it covers:
Vendor management (purchasing, etc.)
IT
Field offices
Employee Awareness
Purchasing
Get 'right to audit' in contract
Spell out obligations
Proactive (not just penalties for failure)
Prescribe necessary precautions
Make the obligations part of the solicitation and scoring
Include claw-back provisions in the contract for expenses incurred as a result of a breach.
IT
Information classification needs to be emphasized
Heightened awareness required, particularly involving data repositories
Strong change request process is very useful
Need heightened awareness involving encryption
Direct access to your network heightens
Field Offices
What is their ability to contract independently?
How de-centralized is IT?
Employee Awareness
Employees need to be aware of data sensitivity
Reminder that email attachments (spreadsheets, cut/paste lists, etc.) are covered
Provide a point of contact for questions
Periodic reminders
Data classification
Sensitive data needs to be identified
Remember combinations of data
Don't send unnecessary data, e.g. account numbers
Discussion Questions
1. Should you hold your vendors to the same information security specs as your own?
2. Do you hold your vendors to the same information security specs as your own?
3. What would it take to satisfy you of the vendor's security over information?
4. What is your organization doing to satisfy themselves with regard to
Assessment Process
1. Rank the risk
2. Identify the vendors (all or some?)
3. Survey vendors
4. Score the survey
5. Identify weaknesses
6. Decide on remediation process
Pre-Survey Steps
Does the vendor know what is expected in detail?
Do you have a good contact at the vendor, if permitted?
What sort of tracking system do you need?
Who is responsible for devising, administering and scoring the survey?
Survey Process
Develop the survey
Devise a scoring system (Keep it simple!)
Design the questions to be gradable
Have all vendors complete a standard questionnaire.
Review and score the questionnaire using the same criteria for every vendor.
Use 'skepticism' when grading
Evaluate by predetermined score
Survey Considerations
Once high risk vendors are completed, are you comfortable with the results? If not, keep going until you begin to feel comfortable
Evaluate risks against questionnaire score
High risk data/processes necessitate a high vendor score
Determine if additional info, including a site visit, is needed
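The survey and scoring steps above (gradable questions, skeptical grading, a predetermined passing score that rises with the risk of the data involved, weaknesses to remediate, and whether a site visit is warranted) as an added Python example that is not part of the original presentation; the question weights, grade points, tier thresholds and sample answers are constructed assumptions.

```python
# Added example: score a vendor questionnaire against a risk-tier threshold.
# Grades, weights, thresholds and the sample answers below are constructed.
from dataclasses import dataclass

GRADE_POINTS = {"yes": 1.0, "partial": 0.5, "no": 0.0}
THRESHOLD = {"low": 0.60, "medium": 0.75, "high": 0.90}  # assumed minimum scores

@dataclass(frozen=True)
class Question:
    qid: str
    text: str
    weight: int       # 1 (minor control) .. 5 (critical control)

@dataclass(frozen=True)
class Answer:
    qid: str
    grade: str        # "yes" | "partial" | "no"
    evidence: bool    # vendor supplied documentation backing the answer

def grade_answer(a: Answer) -> float:
    """Skeptical grading: a 'yes' with no supporting evidence counts as partial."""
    g = a.grade.lower()
    if g not in GRADE_POINTS:
        raise ValueError(f"unknown grade {a.grade!r} for {a.qid}")
    return GRADE_POINTS["partial" if g == "yes" and not a.evidence else g]

def score_vendor(questions, answers, risk_tier):
    """Return (score, passed, weaknesses, site_visit); weaknesses are (qid, points)
    for every control not fully in place, heaviest weight first."""
    by_id = {a.qid: a for a in answers}
    weights = {q.qid: q.weight for q in questions}
    earned, weak = 0.0, []
    for q in questions:
        pts = grade_answer(by_id[q.qid]) if q.qid in by_id else 0.0  # unanswered = no
        earned += pts * q.weight
        if pts < 1.0:
            weak.append((q.qid, pts))
    score = round(earned / sum(weights.values()), 3)
    passed = score >= THRESHOLD[risk_tier]
    weak.sort(key=lambda w: (-weights[w[0]], w[1]))
    # High-risk data plus a failing score is the case the slides send on-site.
    return score, passed, weak, risk_tier == "high" and not passed

# Constructed sample: four questions drawn from the slide topics, one vendor's answers.
QUESTIONS = [Question("Q1", "Data encrypted in transit and at rest?", 5),
             Question("Q2", "Recovery of our data tested in the last year?", 4),
             Question("Q3", "Background checks for staff with data access?", 3),
             Question("Q4", "Security incidents reported to us promptly?", 4)]
ANSWERS = [Answer("Q1", "yes", True), Answer("Q2", "yes", False),
           Answer("Q3", "partial", True), Answer("Q4", "partial", True)]
```

With the sample data the same vendor passes for low-risk data but fails, and is flagged for a site visit, when the same answers are judged against the high-risk threshold.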
On-site inspections?
High risk vendors may require on-site inspection
High risk implies sensitive data and/or questionable safeguards
Set up a schedule based on risk assessment. The higher the risk, the greater the frequency.
Might be a good opportunity for employing consultants whose presence overlaps your vendors
Vendor - Background Info
Nature of service provided
Frequency that information is supplied to vendor
List of data elements provided (selection criteria is not essential)
How data is transported (transport method and encryption technique)
Vendor - Background (cont'd)
Will any of the data reside outside of the US?
Are any of the services provided further outsourced? (If so, more detailed information on nature, location, etc. is required)
Vendor Oversight
Regulatory or other governance the vendor must follow (HIPAA, PCI, banking, SOX, SAS70, etc.)
Is your data/processes covered by those compliance processes? If so, can those regulatory bodies affect your organization?
Employee policies (confidentiality agreements, background checks, termination process within systems, etc.)
Vendor Process Inventory
Provide a specific list of servers, databases, and networks where data will reside or be processed
Provide information on each (location, operating systems, age, etc.)
Vendor - Security Questions
Describe security policies
Provide data classification grid
How does your vendor's classification match your data classification scheme?
Technical/logical system controls
Vendor Physical Risks
Physical security of facilities (accessibility by public)
Data Center
Off-site data storage: is your data going to yet another vendor?
Call center services (if in scope)
Identity theft monitoring process
Vendor Business Continuity
Business Continuity plans (may not be in scope depending upon nature of the services provided)
What is the recovery timeframe for your data and equipment?
Does response time match your need?
Does the response time match your contract?
Has your data and equipment recovery been specifically tested?
Handling 3rd Parties
What processes are further sub-contracted to a 3rd party?
NOTE: the same assessment process needs to be followed for the 3rd party
What are your rights with regards to 3rd party inspections or ability to have the primary vendor inspect?
Vendor Documentation
Any documentation from third party reviews (PCI, SAS-70, BITS)
Organization chart (especially showing security responsibility and hierarchy)
Outline or listing of security policies and procedures in place (an index or table of contents, etc.)
Process documentation or results of any security risk assessment processes
Vendor Doc (cont'd)
Employee background check template to verify scope
Floor plan diagram showing security devices (e.g. cameras, badge readers, etc.)
Access control list for the data center (if applicable)
Account password settings (screen shot of settings for systems
Vendor Doc (cont'd)
Audit/logging policies for systems processing/protecting data
Data retention and secure purging related policies and procedures.
eDiscovery program
Incident response plan: is your organization notified promptly?
A sample of the change control process sign-off form or document recording approval for system/software changes
Org chart
Managing Deficiencies
Prioritize the deficiencies
Ensure that purchasing and the business unit are aware of vendor deficiencies and potential impact
Work with vendor and purchasing to develop a reasonable timeline to fix
If necessary, begin enforcing contractual penalties
One More Thought (or so)
If you provide outsourced services:
What are you doing to provide this info?
Are you meeting your obligations?
What are the processes for keeping your clients informed?
What do you outsource that might create a problem?
Call to Action
Assess the process for managing information flow to outside parties
Identify the risks for data residing outside your direct control
Evaluate external organizations' ability to secure your data
More Information
Shared Assessments: http://sharedassessments.org/
Agreed Upon Procedures
Standard Info Gathering Questionnaire
Low/high risk questionnaire
Business Continuity questionnaire
Privacy Continuity questionnaire
Questions & Contact Info
Bill McSpadden ([email protected])
Howard Haile