Vendor Risk Management: Data Privacy & Security - Panel
Sherry Ryan, CISO, Juniper; Tanya O’Connor, Director, Information Security, Arcadia Healthcare Solutions; Gary Roboff, Senior Advisor, Santa Fe Group - Shared Assessments; Rick Olin, Shareholder, CIPP/US, GTC Law Group (Moderator)

Page 1


Vendor Risk Management: Data Privacy & Security - Panel

Sherry Ryan, CISO, Juniper
Tanya O’Connor, Director, Information Security, Arcadia Healthcare Solutions
Gary Roboff, Senior Advisor, Santa Fe Group - Shared Assessments
Rick Olin, Shareholder, CIPP/US, GTC Law Group (Moderator)

Page 2


Vendor Risk Management – Data Privacy & Security (Panel)

Sherry Ryan, Chief Information Security Officer, Juniper Networks
• previously established and led information security programs at Blue Shield of California, Hewlett-Packard, Safeway and Levi Strauss
• Certifications: Certified Information Security Manager (CISM) from ISACA and Certified Information Systems Security Professional (CISSP) from ISC2
• member of High Tech Crime Investigation Association (HTCIA) and Information Systems Security Association (ISSA)

Tanya O’Connor, Director, Information Security, Arcadia Healthcare Solutions
• responsible for strategic security and privacy planning and implementation, contract review, continuous monitoring, HIPAA/HITECH compliance, and responding to customer privacy/security assessments
• Oracle Corporation - Compliance Manager and Security Lead
• U.S. Department of the Treasury - Information Systems Security Manager
• U.S. Navy - Information Security Business Analyst and Information Assurance Governance Analyst

Page 3


Vendor Risk Management – Data Privacy & Security (Panel)

Gary Roboff, Senior Advisor, Santa Fe Group – Shared Assessments
• focuses on payments, risk management, mobile financial services, and information management
• JPMorgan – served 25 years; retired as Senior Vice President of Electronic Commerce; led effort to return to merchant services business with the founding of Chase Merchant Services LLC (now Chase Paymentech)
• International Security Trust and Privacy Alliance (ISTPA) – Founder
• Chemical and Manufacturers Hanover - led development of pinned debit services
• served on various Boards of Directors, including: ISTPA, the NYCE network, and the Electronic Funds Transfer Association

Rick Olin, Shareholder, CIPP/US, GTC Law Group
• focuses on transactional matters, including: M&A and technology transfer; compliance areas such as data privacy and security, and information management matters; as well as general business counseling to GTC’s technology and media clients

• TechTarget, Inc. (NASDAQ, TTGT) - Vice President, General Counsel and Secretary

• Workscape, Inc. (acquired by ADP, Inc.) - Senior Vice President of Corporate Development, General Counsel and Secretary

• SpeechWorks International, Inc. (acquired by ScanSoft, Inc. and now Nuance Communications, Inc.) - Vice President, General Counsel and Secretary

Page 4

Vendor Risk Management Panel
November 3, 2017
Sherry Ryan, VP/CISO

Page 5

Why third-party cybersecurity matters

• 41 - 63% of breaches in recent years were traced to third-party vendors

• Cross industry: restaurants, chain stores, pharmacies, construction companies, hotels and medical centers

• Financial impact of breach response plus revenue and share price impact

• Reputational impacts, regulatory exposure, and lawsuits plus job loss for executives, directors and others

CSO Cybersecurity Insights, December 7, 2016

Page 6

Page 7

Key Findings (grouped on the slide under: The Third Party Ecosystem, Managing Third Party Risk, Third Party Governance, Technology and Delivery Models)

• As dependence on third parties becomes increasingly critical, organizations are being compelled to rapidly “catch up” in enhancing the maturity of their third party governance and risk management processes

• The drivers for third party engagement are progressively shifting from a focus upon cost to a focus upon value

• Third party risk incidents are on the increase

• Increased monitoring and assurance activity over third parties is believed to significantly reduce third party risk

• Organizational commitment to third party risk management is not supported by confidence in the related technology and processes

• Third party risk is starting to feature consistently on Board agendas

• Visits to third party locations are considered the most effective assurance method

• Most organizations are mandating consistent third party governance

• Existing technology platforms for managing third parties are considered inadequate

• Organizations are in the process of deciding between centralized in-house models and external service-provider based models for third party monitoring

Deloitte: Third Party Governance and Risk Management, Global Survey 2016

Page 8

Due Diligence Tools

• On-site reviews
• Assessments and questionnaires
• Attestations
• Documentation review
• Review assessments and certifications
• Security risk rating scores
• Contractual

Page 9

Risk-Based Approach

Risk Factors

Service risks:
• Customer and financial impact
• Data sensitivity
• Compliance and regulatory
• Transaction volume

Vendor risks:
• Geographic location
• Financial health
• Prior breaches
• Performance record
• Extent of work performed

Vendor Prioritization

• Organize into high, medium and low risk categories
• Prioritize high risk vendors for greater scrutiny

Level of Due Diligence and Monitoring

• Higher risk – On-site reviews and more frequent monitoring
• Moderate risk – telephone reviews and periodic monitoring
• Lower risk – vendor self assessments; follow up as required
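As an added example (not from the panel slides or any panelist's organization), here is a small Python model of the risk-based approach above: score each vendor on the service and vendor risk factors the slide names, sort vendors into high/medium/low tiers, and attach the slide's due-diligence and monitoring activities to each tier. The factor names and the tier-to-activity mapping come from the slide; the 1-5 scoring scale, the tier thresholds, the red-flag rule for prior breaches, and the sample vendors are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Risk factors named on the "Risk-Based Approach" slide. Each is scored by the
# assessor from 1 (lowest risk) to 5 (highest risk); the scale is an assumption
# of this example, not part of the slide.
SERVICE_FACTORS: Tuple[str, ...] = (
    "customer_financial_impact", "data_sensitivity",
    "compliance_regulatory", "transaction_volume",
)
VENDOR_FACTORS: Tuple[str, ...] = (
    "geographic_location", "financial_health", "prior_breaches",
    "performance_record", "extent_of_work",
)

# Level of due diligence and monitoring per tier, as listed on the slide.
DUE_DILIGENCE: Dict[str, Tuple[str, ...]] = {
    "high":   ("on-site review", "more frequent monitoring"),
    "medium": ("telephone review", "periodic monitoring"),
    "low":    ("vendor self-assessment", "follow-up as required"),
}
TIER_ORDER = ("low", "medium", "high")   # ascending scrutiny

# Assumed thresholds on the 1-5 average, plus an assumed red-flag rule: a poor
# breach history bumps the vendor up one tier regardless of its average.
HIGH_THRESHOLD = 3.5
MEDIUM_THRESHOLD = 2.5
RED_FLAG_FACTOR = "prior_breaches"
RED_FLAG_MIN = 4


@dataclass(frozen=True)
class Vendor:
    name: str
    service: Dict[str, int]   # service-risk factor -> score 1..5
    vendor: Dict[str, int]    # vendor-risk factor -> score 1..5


def scorecard(name: str, service_scores, vendor_scores) -> Vendor:
    """Build a Vendor from scores given in SERVICE_FACTORS / VENDOR_FACTORS order."""
    return Vendor(name, dict(zip(SERVICE_FACTORS, service_scores)),
                  dict(zip(VENDOR_FACTORS, vendor_scores)))


def _validate(scores: Dict[str, int], expected: Iterable[str]) -> None:
    """Reject incomplete scorecards or out-of-range scores before averaging."""
    missing = set(expected) - set(scores)
    if missing:
        raise ValueError(f"missing factors: {sorted(missing)}")
    for factor, value in scores.items():
        if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{factor} must be an integer 1..5, got {value!r}")


def inherent_risk_score(v: Vendor) -> float:
    """Plain average of all nine factor scores, rounded to two decimals."""
    _validate(v.service, SERVICE_FACTORS)
    _validate(v.vendor, VENDOR_FACTORS)
    scores = [v.service[f] for f in SERVICE_FACTORS] + [v.vendor[f] for f in VENDOR_FACTORS]
    return round(sum(scores) / len(scores), 2)


def score_to_tier(score: float) -> str:
    if score >= HIGH_THRESHOLD:
        return "high"
    if score >= MEDIUM_THRESHOLD:
        return "medium"
    return "low"


def assess(v: Vendor) -> dict:
    """Score one vendor, apply the red-flag bump, and attach the slide's activities."""
    score = inherent_risk_score(v)
    tier = score_to_tier(score)
    red_flag = v.vendor[RED_FLAG_FACTOR] >= RED_FLAG_MIN
    if red_flag and tier != "high":
        tier = TIER_ORDER[TIER_ORDER.index(tier) + 1]
    return {"name": v.name, "score": score, "tier": tier,
            "red_flag": red_flag, "due_diligence": DUE_DILIGENCE[tier]}


def prioritize(vendors: Iterable[Vendor]) -> List[dict]:
    """Highest-scrutiny vendors first, ties within a tier broken by raw score."""
    results = [assess(v) for v in vendors]
    results.sort(key=lambda r: (TIER_ORDER.index(r["tier"]), r["score"]), reverse=True)
    return results


# Constructed sample vendors (illustrative names and scores, not real companies).
EHR_HOSTING = scorecard("EHR hosting provider", (5, 5, 5, 4), (2, 4, 1, 4, 5))
ANALYTICS_PARTNER = scorecard("Marketing analytics partner", (2, 3, 2, 2), (2, 3, 5, 3, 2))
PRINT_SHOP = scorecard("Print shop with a past incident", (1, 1, 1, 1), (1, 1, 4, 2, 1))
OFFICE_SUPPLIES = scorecard("Office supplies", (1, 1, 1, 2), (1, 2, 1, 3, 1))
SAMPLE_VENDORS = (OFFICE_SUPPLIES, PRINT_SHOP, ANALYTICS_PARTNER, EHR_HOSTING)

if __name__ == "__main__":
    for r in prioritize(SAMPLE_VENDORS):
        flag = "!" if r["red_flag"] else " "
        print(f"{r['tier']:6} {r['score']:.2f} {flag} {r['name']}: {', '.join(r['due_diligence'])}")
```

The red-flag rule is the part worth arguing about in a real program: a plain average lets one severe factor (a recent breach at a vendor that otherwise scores low) disappear into the mean, so the example escalates such vendors one tier even though their average alone would leave them at "low". The print shop in the sample data shows this: identical average to the office-supplies vendor, but it lands in the medium tier and gets telephone reviews and periodic monitoring instead of a self-assessment.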

Page 10

Trust But Verify Assessment Model

Page 11

Thank you

Page 12

© 2017 ARCADIA HEALTHCARE SOLUTIONS | NOT FOR REDISTRIBUTION.

November, 2017

PRESENTED BY TANYA O’CONNOR, DIRECTOR, INFORMATION SECURITY

VENDOR RISK MANAGEMENT PANEL

Page 13


ARCADIA OVERVIEW: ABOUT ARCADIA

ARCADIA IS AN EHR DATA AGGREGATION AND ANALYTICS COMPANY FOCUSED ON ENABLING OUR PARTNERS TO SUCCEED IN SHARED RISK USING INTEGRATED AMBULATORY, INPATIENT & ADMINISTRATIVE DATA.

• 35M PATIENTS MEASURED
• 50K PROVIDERS MEASURED
• 3000 PRACTICES IMPACTED
• 30+ EHR VENDORS CONNECTED
• 2002 YEAR FOUNDED
• 250 AWESOME EMPLOYEES

ARCADIA HAS ANALYZED OVER 35 MILLION PATIENTS NATIONALLY

BOSTON: 20 Blanchard Rd. #10, Burlington, MA
CHICAGO: 630 E Jefferson St., Rockford, IL
SEATTLE: 1215 4th Ave. #925, Seattle, WA
PITTSBURGH: 29 West Main Street, Carnegie, PA

Page 14


ARCADIA OVERVIEW: EXAMPLE CUSTOMERS

PROVIDERS | HEALTH PLANS (customer logos shown on the slide)

Page 15


BECOMING A TRUSTED BUSINESS PARTNER (FROM THE VENDOR PERSPECTIVE)

ALIGNMENT OF INTERESTS

• Same rules/liabilities apply to vendors (business associates) and customers (covered entities)
• Requires a partnership approach to securing data
• Driven by HIPAA/HITECH compliance for both parties

DUE DILIGENCE/TRUST BUT VERIFY MODEL

• 1-5 written assessments monthly
• Submission of artifacts
• Follow-up questionnaires
• Onsite visits
• Proving downstream vendor compliance

Page 16


BECOMING A TRUSTED BUSINESS PARTNER - CHALLENGES

PRIVACY & SECURITY ASSESSMENTS ARE TIME/RESOURCE INTENSIVE

• Steady stream of written and on-site assessments (no two are ever alike!)
• Oftentimes not relevant to our business model (CAIQ for example)
• Existing culture shifts burden onto vendor (except large companies like Amazon) to fill out assessment rather than review existing security controls and submit follow-up questions

MANAGING CLIENT EXPECTATIONS

• Resolving differing interpretations of HIPAA requirements, for example:
– HIPAA/HITECH doesn’t specify a time frame for audit log retention
– HIPAA/HITECH does not provide specific guidance regarding what content must be logged

Page 17


BECOMING A TRUSTED BUSINESS PARTNER – CHALLENGES (CONT)

PROVING DOWNSTREAM VENDOR COMPLIANCE

• Responsible for articulating downstream vendor security & compliance
– For AWS, we use ISO Certification, HIPAA security configurations, SOC 3 report, security control mappings, whitepapers, published information, and more
• Verification of downstream vendor security controls
– Done through research, assessments, contractual clauses, etc.

Page 18


ADDRESSING THE CHALLENGES

MOVING TOWARDS AN INDUSTRY-ACCEPTED UNIFIED FRAMEWORK
• Dramatically reduces the number of assessments, eliminates the multitudes of unique artifacts collected on a yearly basis, and shifts the burden of oversight to the Certification body
• Defines control parameters (such as audit log retention timeframe and content) based on best practices so that there is less conflict when it comes to interpreting grey areas of the law
• Certification affirms security & compliance of both vendor and downstream vendors
– Arcadia has chosen HITRUST and its common security framework (CSF)* and is working towards certification by next year.

*The HITRUST CSF “is a certifiable framework that encompasses and harmonizes several other compliance frameworks and standards including HIPAA, HITECH, PCI, ISO/IEC, COBIT, NIST RMF and varying state requirements.”

Page 19

VENDOR RISK MANAGEMENT PANEL

November 3, 2017

Gary S. Roboff, Senior Advisor

Page 20

© 2017 The Santa Fe Group, Shared Assessments Program. All Rights Reserved.

The Shared Assessments Program

Thought Leadership

• Industry Agnostic
• Member-driven
• Annual Third Party Risk Management Summit

Training and Certification

• More than 650 third party risk professionals trained since 2015 (CTPRP)

Resources: Research Studies, White Papers, Webinars, Workshops, Assessment Tools

• Actionable, enterprise-wide solution-building
• Industry and technology specific peer working groups
• Examine the entire TPRM Landscape
• Assessment Tools up-to-date with regulations and threat landscape
• Licensees incorporate SA Program Tools to deliver effective ERM solutions to their clients

Page 21


Outsourcing Risks

Page 22


Assertion Statements

SIG Privacy Tab Example:

P.2 For Scoped Data, is personal information about individuals transmitted to or received from countries outside the United States? If yes, list the countries.

P.2.1 Is information directly collected and used about individuals?

P.2.2 Are notices provided (and where required, consents obtained) when information is directly collected from an individual? If yes, describe.

P.2.3 Are there documented policies and operating procedures regarding limiting the personal data collected and its use?

P.2.4 Are there policies and operating procedures for onward transfer of Scoped Data? If yes, describe.

P.2.5 Is Safe Harbor/Privacy Shield status maintained with the Department of Commerce with respect to the data protection applicable to the European Union, or is another legitimizing method such as Model Contracts used?

P.2.6 If customer data is directly collected from individuals, does the customer have the ability to opt out?

P.2.7 If customer data of individuals is retained, are there processes and procedures to enable individuals to access, correct, amend, or delete inaccurate information?

P.2.8 Are there documented policies and procedures for cross border data flows of Scoped Data to the US from other countries? If yes, list the countries:

Page 23


Virtual Assessments

• Emerging Alternative to On-Site Assessments
• Hosted by Third Parties, Either:
– Regularly, as scheduled by third party (e.g., quarterly)
– As defined by contract (often annually); typically the outsourcer determines timing
• Remotely Connected to Third Party; Vendor Demonstrates Controls, Shows Evidence, etc.
• Assertion Statement Due Diligence/Control Test Results
• Most are Interactive by Design
• Significantly Less Expensive for Both Outsourcer and Vendor
• Yields Perhaps 80% Value Compared to an On-Site Visit
– May not be appropriate for all mission-critical situations

Page 24


Onsite Control Testing

AUP Privacy Test Procedure Example

• P.4 Third Party Privacy Agreements

– Objective: All entities that access, process or store client-scoped privacy data can be a risk to an organization or its clients. Management should ensure that all agreements with third parties contain specific clauses to ensure scoped privacy data is protected and that certain other privacy requirements are included.

– Risk Statement: The absence of privacy agreements with third parties where data is shared may lead to misunderstandings in protection, disclosure and compliance, as well as loss of legal standing, in case there is a disclosure or breach.

– Control: Privacy agreements detail privacy and protection requirements between the organization and its third parties that have access to scoped privacy data.

– Procedure: a. Using the sample of third parties from the list obtained in P.1 Scoped Privacy Data Inventory and Flows, obtain from the organization and selected third parties, via the organization, the privacy and security portions of the agreement with the organization in place for providing services and a representative sample of third party privacy and security sections of the agreements from each third party.

b. Inspect each agreement chosen in the sample for evidence of the following attributes:

1. Third party requirement to protect all scoped privacy data and protected scoped privacy data.

2. Third party requirement to document the flow of scoped privacy data within its organization and to those third parties with whom it shares scoped privacy data.

3. Third party requirement to process scoped privacy data in accordance with the agreement.

4. Etc.

Page 25


Continuous Monitoring

Continuous third party risk monitoring is a real-time (or close to real-time) risk management approach designed to improve organizational awareness related to third party risks and potential control weaknesses as they emerge.

Area | Activity Being Monitored | Risk Addressed
Information Technology | Change Management, Network Connectivity, Device Connectivity, Identity Management, Penetration Testing |
Information Security | Cyber Hygiene, Patch Management | Confidentiality, Integrity, Availability, Data Leakage, Vulnerability Exposure
Privacy | Data Obfuscation, Encryption | Data Protection, Cross Border Data Flows
Human Resources | Employee Due Diligence, Background Checks, Access Management | Insider Threats, Social Engineering, Unauthorized Access

Page 26


Vendor Risk Management Model Maturity Levels

Level 5 Continuous improvement - Organizations that strive toward operational excellence, understand best-in-class performance levels and implement program changes to achieve them through continuous improvement processes.

Level 4 Fully implemented and operational – Organizations in which vendor risk management activities are fully operational and all compliance measures (including metrics reporting and independent oversight) are in place.

Level 3 Defined and established – Organizations with fully defined, approved and established vendor risk management activity, where activities are not yet fully operational and where metrics reporting and enforcement are lacking.

Level 2 Approved road map and ad hoc activity – Organizations which perform third party risk activity on an ad hoc basis, but have a management approved plan to structure the activity as part of an effort to achieve full implementation.

Level 1 Initial visioning and ad hoc activity – Organizations which perform third party risk management activities on an ad hoc basis, but are considering how to best structure third party risk activities as part of an effort to achieve full implementation.

Level 0 Start-up or no TPRM activity – New organizations beginning operations or organizations with no existing vendor risk management activities.

Page 27


Board Engagement Correlates With Practice Maturity, Yet Most Boards Are Not Highly Engaged

Practice Maturity Level (Eight Category Average) by board engagement:
• High engagement/understanding by the board: 3.6
• Medium engagement/understanding by the board: 3.0
• Low engagement/understanding by the board: 2.5

How engaged is your board of directors with cybersecurity risks relating to your vendors?
• High level of board engagement/understanding: 29% (2017), 26% (2016)
• Medium level of board engagement/understanding: 39% (2017), 37% (2016)
• Low level of board engagement/understanding: 25% (2017), 27% (2016)

Source: 2017 Vendor Risk Management Benchmark Study, forthcoming, © 2017 by The Santa Fe Group, Shared Assessments Program, and Protiviti, Inc.

Page 28


De-risking: Exiting High Risk Relationships

Over the next 12 months, what is the likelihood that your organization will move to exit or "de-risk" third-party relationships that are determined to have the highest risk?
• Extremely Likely: 14%
• Somewhat Likely: 39%
• Somewhat Unlikely: 24%
• Not at all Likely: 13%
• Don’t Know: 10%

Which of the following are reasons why your organization may be more inclined to exit or "de-risk" certain third-party relationships? (Multiple responses permitted.)
• It's become imperative from a risk and regulatory standpoint to also assess our vendors' subcontractors: 48%
• The cost associated to assess our vendors properly is becoming too high: 29%
• We lack the internal support and/or skills for the required sophisticated forensic control testing of our vendors: 24%
• We will not receive sufficient internal support to "de-risk" our third party relationships: 18%
• We do not have the right technologies in place to assess vendor risk properly: 15%

Source: 2017 Vendor Risk Management Benchmark Study, forthcoming, © 2017 by The Santa Fe Group, Shared Assessments Program, and Protiviti, Inc.

Page 29


Hot Topics

• GDPR
• Fourth Parties
• IoT
• Open Source Software
• Cloud
• De-Risking
• Resources
• Assessment Costs
• New York State Cyber Regs

Page 30


Questions

Page 31


Vendor Risk Management: GDPR Implications for Vendor Management

Page 32


GDPR Implications for Vendor Management
• GDPR requires implementing a comprehensive vendor management program
– Vendor due diligence and audits
• Controllers may only use processors providing “sufficient guarantees” of their abilities to implement technical and organizational measures necessary to meet GDPR requirements (Art. 28)
• Existing vendor agreements must also be reviewed
– Consider conducting a Data Protection Impact Assessment (“DPIA”) prior to engaging a vendor (Art. 35)
– Long list of mandatory data processing provisions (Art. 28)
– Restrictions on sub-contracting (only with controller’s prior consent and on same terms) (Art. 28)
– GDPR’s direct compliance obligations and enhanced liability force processors to change their approach to data privacy compliance

Page 33


GDPR Implications for Vendor Management (cont.)
• Vendor contracts should include (Art. 28):
– Details of data processing (e.g., subject-matter, duration, nature and purpose of processing, types of data, categories of data subjects)
– Processing only on controller’s documented instructions (including international data transfers)
– Individuals processing data must be subject to duty of confidentiality
– Requirements to implement adequate security for processing
– Assist controller to comply with data subject rights (e.g., right of access, data portability, right to erasure (“right to be forgotten”), etc.)
– Assist controller in reporting data breaches and performing DPIAs
– Requirement to return or delete data after processing/end of the agreement
– Requirement to respond to controller’s information request and submit to controller’s audits
– Restrictions on engaging sub-processors

Page 34


Thank You