The presentation that was created and given at the Super Strategies Conference in Chicago on May 12, 2011.
© If appropriate, Insert your organization’s copyright information
Session # D5
Ensuring Data Security at Third-Party Providers
Thursday, May 12, 2011, 1:30 – 2:45
Peter Hand, CISA, CRISC, Sr. Auditor
About your presenter
Peter Hand
– Bachelor's Degree in Computer Information Systems
– CISA and CRISC certified
– Former computer programmer who actually wrote code for Y2K remediation, and has to say that the movie Office Space captured what that was like exactly
– Currently a Sr. IT Auditor for a Chicago-based company, performing Data Security audits at third-party providers
Key Points
Defining security requirements for third-party business partners in line with corporate policies
Creating and maintaining an inventory of third-party providers with services performed
Using your Internal Audit and Information Security teams to perform monitoring through audits and site visits
Linking corporate information security standards to third-party business partners requirements
Assumptions
In order to reach the true goal of locked-down Data Security, the following should be considered part of your reality:
– The Earth, Sun, and Moon are all aligned
– There is an unlimited budget and resources are readily available
– 3-6-9-23-35-44 will be the winning lottery numbers
– The Chicago Cubs will win the World Series
Importance of Third Party Data Security
Why is Data Security so important?
– The trust factor
• Reputational impact
• Business impact
Importance of Third Party Data Security
Why is Data Security so important? (cont’d)
– The financial impact of a data breach (aka the bottom line)
• Per a 2010 study performed by the Ponemon Institute and Symantec, the cost of a data breach averages $7.2 million per incident, a 7% increase over the previous year
• According to a Bloomberg.com article dated March 8, 2011, a single breach incident cost one company $35.3 million
Importance of Third Party Data Security
Why is Data Security so important? (cont’d)
– The average cost of a breached record
• A malicious or criminally compromised record costs a company an average of $318
• A compromised record at a third party costs an average of $302
Importance of Third Party Data Security
The value of data, and why anyone would attempt to break into a system
– Tough economic times
– SSN = $1
– Medical Identity Information = $50
Importance of Third Party Data Security
What happens if a breach occurs at the Third Party Business Partner?
– Who is responsible and who gets the “black eye”?
Importance of Third Party Data Security
[Figure: YOUR COMPANY]
The Four Areas of consideration
The path to ensuring Data Security at Third-Party Providers can be found in four areas:
– Internal Initiation / Setup / Standards
– External Relationship Initiation / Implementation
– Production State
– Termination State
Internal Initiation / Setup / Standards
Understand and maintain up-to-date documentation of your Third Party Business Partners covering, at a minimum, the following:
– Policies & Procedures for defining contractual, technical, and business rule requirements before a relationship is initiated
– Business Partner Inventory
– Services rendered & performance Service Level Agreements (SLAs) of engaged Business Partners
– Costs
Internal Initiation / Setup / Standards
Policies & Procedures for defining contractual, technical, and business rule requirements should exist before a Business Partner relationship is initiated
– Policies & Procedures should be in place defining expected security requirements, SLAs, and any other expectations for Business Partners
– All of these expectations should be clearly defined and documented so that they are understood internally and can be communicated to the Business Partner before beginning a relationship
Internal Initiation / Setup / Standards
Business Partner Inventory
– A comprehensive list needs to be maintained of all existing Business Partner relationships including the following:
• Internal relationship owner
• Primary Business Partner contacts
• Services performed
• Production implementation date
• Business instrument expiration / renewal date
Internal Initiation / Setup / Standards
Services rendered & performance SLAs of engaged Business Partners
– Understanding the services performed by Business Partners allows you to determine whether an existing relationship can be leveraged for a new need, or whether a new Business Partner relationship should be established
– Understanding the SLAs, and whether or not they are being met, also allows you to determine whether a relationship can be leveraged for new needs, and whether it should be terminated or re-negotiated
Internal Initiation / Setup / Standards
Costs
– Understand the costs associated with the existing population to determine if it is cheaper to leverage an existing relationship or establish a new one
– When establishing a new relationship consider not only new work, but also transferring existing work if efficiencies and / or savings can be realized
Internal Initiation / Setup / Standards
Other considerations
– Clearly defined Production State parameters:
• Regularly scheduled status meetings
• Regular reporting on SLA achievement versus target
• A dedicated team in place for the "managing" of the relationship
Internal Initiation / Setup / Standards
Other considerations
– Clearly defined Relationship Termination parameters:
• How data will be handled upon relationship termination
• How final resolution of data storage will be handled
• How data destruction will be accounted for
External Relationship Initiation / Implementation
Understand the requirements for engaging, pricing, testing, and implementing a Business Partner into production.
– Policies & Procedures for:
• Initiating contact
• Request for Information (RFI) requirements
• Request for Pricing (RFP) requirements
• Security standards
• Implementation standards
– Contractual requirements
– Site visits
External Relationship Initiation / Implementation
Initiating contact
– Central point of contact for handling Business Partner initiation, such as a procurement department
– A central business area contact, responsible for maintaining relationship and keeping open communication channels
– A central technical area contact, responsible for working with the Business Partner on all technical aspects of the relationship during the entire relationship lifecycle
External Relationship Initiation / Implementation
Request for Information (RFI)
– Documentation which outlines Business Partner requirements for services requested as well as security and business processing requirements
– Specific parameters outlining expected deliverables for RFI
External Relationship Initiation / Implementation
Request for Pricing (RFP)
– Documentation which outlines Business Partner requirements for services requested as well as security and business processing requirements
– Parameters defining number of iterations of process or control execution expected during a defined time period, such as monthly or weekly
External Relationship Initiation / Implementation
Security Standards
– Documentation outlining the security and business processing standards a Business Partner must meet for the services requested
External Relationship Initiation / Implementation
Security Standards (cont’d)
– Some security standards to consider include:
• An assigned contact, such as a Security Officer, responsible for ensuring compliance with all applicable regulations and industry standards, such as HIPAA
• Defined Policies & Procedures for the technical and administrative controls for the handling of data
External Relationship Initiation / Implementation
Security Standards (cont’d)
• Continual Security Monitoring & Issue Reporting
• Monthly Performance Reporting
• Incident Response procedures, including breach notification procedures
• Employment screening for employees, new or existing, who will interact with your data
External Relationship Initiation / Implementation
Implementation Standards
– Standard testing Policies & Procedures outlining all test cases and expected results
• This should include communication, security, and access testing
– Depending on the size of the contract, site visits should be performed at Third Party data centers to verify physical access security
External Relationship Initiation / Implementation
Implementation Standards (cont’d)
– Review different reports that may be available:
• SAS70 – Statement on Auditing Standards No. 70
– Allows service organizations to disclose their control activities and processes to their customers in a uniform reporting format.
External Relationship Initiation / Implementation
Implementation Standards (cont’d)
• Service Organization Control Reports (SOC) – Provides a framework to examine controls and to help management understand related risks. There are three reporting options:
– SOC1 – Also known as SSAE16 (Statement on Standards for Attestation Engagements No. 16, Reporting on Controls at a Service Organization). This focuses on controls at a service organization that are likely to be relevant to an audit of a user entity's financial statements.
External Relationship Initiation / Implementation
Implementation Standards (cont’d)
– SOC2 – A report that specifically addresses one or more of the following five key system attributes:
• Security
• Availability
• Processing Integrity
• Confidentiality
• Privacy
External Relationship Initiation / Implementation
Implementation Standards (cont’d)
– SOC3 – A general-use report that provides only the auditor’s report on whether or not the system achieved the trust services criteria.
External Relationship Initiation / Implementation
Contractual Requirements
– Right to Audit clause
– Service Level Agreements defining expectations of services performed and expected delivery timeframes
– Business language requiring that any use of subcontractors by the engaged Business Partner be approved before their engagement
External Relationship Initiation / Implementation
Contractual Requirements (cont’d)
– Defined security requirements based upon defined and tested security parameters
– Defined escalation procedures in the case of incidents / breaches
– Defined parameters for the handling of data in the case of relationship termination
Production State
Production State reporting and monitoring
– Periodic business partner reviews should be performed by a defined team. Some requirements to consider when performing the review:
• Review of audit documents such as SAS70 or SSAE16 reports
• Annual site visits to a selection of business partners based on pre-defined criteria, such as risk level or performance
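The Business Partner Inventory slides and the Production State monitoring slide above describe a recurring review: track each partner's owner, contacts, services, production date and business-instrument expiry, watch SLA achievement against target, and pick a risk-based subset of partners for annual site visits. The script below is an added example of how an Internal Audit or Information Security team could run that review over the inventory; it is not from the original presentation. The field names, the three-level risk rating, the 90-day renewal window, the 12-month maximum age for an audit report, and the three partners and their dates are all constructed assumptions.

```python
"""Review a third-party Business Partner inventory and flag items to escalate.

Added example (not part of the original presentation). All field names,
thresholds and sample partners are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

RISK_RANK = {"high": 0, "medium": 1, "low": 2}   # assumed three-level risk rating


@dataclass
class Partner:
    name: str
    owner: str                         # internal relationship owner
    contacts: List[str]                # primary Business Partner contacts
    services: List[str]                # services performed
    production_date: date              # production implementation date
    contract_expiry: date              # business instrument expiration / renewal date
    risk: str                          # "high" | "medium" | "low"
    last_audit_report: Optional[date]  # most recent SAS70 / SSAE16 / SOC report received
    last_site_visit: Optional[date]    # None if never visited
    sla_target: float                  # e.g. 0.98 = 98% of work delivered within SLA
    sla_actual: Dict[str, float] = field(default_factory=dict)  # "YYYY-MM" -> achieved


def review_partner(p: Partner, today: date,
                   renewal_window_days: int = 90,
                   report_max_age_days: int = 365) -> List[str]:
    """Return the findings for one partner; an empty list means nothing to escalate."""
    findings = []
    # Business instrument expiring soon: start renewal / re-negotiation now.
    if (p.contract_expiry - today).days <= renewal_window_days:
        findings.append("CONTRACT_RENEWAL_DUE")
    # No current audit report on file: request one or schedule a site visit.
    if p.last_audit_report is None or (today - p.last_audit_report).days > report_max_age_days:
        findings.append("AUDIT_REPORT_STALE")
    # Any reported month below the SLA target goes on the agenda for the next status meeting.
    missed = [m for m, v in sorted(p.sla_actual.items()) if v < p.sla_target]
    if missed:
        findings.append("SLA_MISSED:" + ",".join(missed))
    return findings


def select_site_visits(partners: List[Partner], today: date, visits_per_year: int) -> List[str]:
    """Pick partners for this year's site visits: highest risk first, then longest since last visit."""
    def priority(p: Partner):
        days_since = (today - p.last_site_visit).days if p.last_site_visit else 10 ** 6
        return (RISK_RANK[p.risk], -days_since)
    return [p.name for p in sorted(partners, key=priority)[:visits_per_year]]


def run_review(partners: List[Partner], today: date, visits_per_year: int = 2) -> dict:
    """Run the periodic review over the whole inventory."""
    return {
        "findings": {p.name: review_partner(p, today) for p in partners},
        "site_visits": select_site_visits(partners, today, visits_per_year),
    }


# Constructed sample inventory: fictional partners, contacts and dates.
TODAY = date(2011, 5, 12)
INVENTORY = [
    Partner("Acme Claims Processing", "J. Smith", ["ops@acme.example"], ["claims adjudication"],
            date(2008, 3, 1), date(2011, 7, 31), "high", date(2010, 9, 30), date(2009, 11, 2),
            0.98, {"2011-02": 0.99, "2011-03": 0.97, "2011-04": 0.985}),
    Partner("Beta Print & Mail", "R. Jones", ["support@beta.example"], ["statement printing"],
            date(2010, 1, 15), date(2012, 1, 14), "medium", None, date(2010, 6, 14),
            0.99, {"2011-03": 0.995, "2011-04": 0.992}),
    Partner("Gamma Records Storage", "A. Lee", ["acct@gamma.example"], ["offsite tape storage"],
            date(2006, 8, 1), date(2013, 8, 1), "low", date(2011, 2, 28), None,
            0.99, {"2011-04": 1.0}),
]

if __name__ == "__main__":
    result = run_review(INVENTORY, TODAY)
    for name, f in result["findings"].items():
        print(f"{name}: {', '.join(f) if f else 'no findings'}")
    print("site visits this year:", result["site_visits"])
```

With the sample data, Acme is flagged for contract renewal (80 days out) and a missed March SLA, Beta for having no audit report on file, and Gamma for nothing; the two site visits go to the high- and medium-risk partners. Risk outranks time-since-visit in the selection deliberately, so a low-risk partner that has never been visited is not chosen ahead of a high-risk one; if your criteria weight these differently, change `priority`.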
Production State
Production State reporting and monitoring (cont’d)
– Regularly scheduled meetings to discuss business partner performance against defined SLAs
– Regular planning and status meetings for any new projects / implementations / upgrades
Termination State
Relationship Termination processing
– Previously defined parameters should be enacted to account for data handling
– Negotiated time parameters regarding processing cut-off date
– Final meeting to discuss official end of relationship
Summary
Conclusions
– There is no 100% guarantee of data security, because you are not monitoring 24x7
– In order to achieve a high level of data security, most of the work is performed by the company in outlining its expectations and requirements before engaging a third party business partner
Summary
Conclusions (cont’d)
– An inventory of business partners, and services performed, should be maintained for multiple purposes
– Regular contact should be maintained and a dedicated team should be established with members of all parties involved
– Most of the work needed to ensure some, not absolute, comfort around Data Security happens before the external Business Partner is engaged
Questions
Helpful articles and websites
Bloomberg article – http://www.bloomberg.com/news/2011-03-08/security-breach-costs-climb-7-to-7-2-million-per-incident.html
Ponemon and Symantec 2010 Data Breach Study – http://www.symantec.com/content/en/us/about/media/pdfs/symantec_ponemon_data_breach_costs_report.pdf?om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2011Mar_worldwide_costofdatabreach
American Institute of Certified Public Accountants, Inc. – www.aicpa.org
SAS70 – www.SAS70.com
SSAE16 – www.SSAE16.com
Identity theft information – www.theidentityadvocate.com
ISACA – www.isaca.org
MIS Training Institute – www.misti.com
Institute of Internal Auditors – www.theiia.org
More helpful websites
United States Computer Emergency Readiness Team (US-CERT) – www.us-cert.gov
Carnegie Mellon Software Engineering Institute – www.cert.org
Dark Reading – www.darkreading.com
Contact Information
Thank you for your time!
If you have any questions please feel free to contact me at [email protected]