2010 All Star Conference, October 18 – 20, 2010 / The Palazzo / Las Vegas, NV, USA
Privacy & Security Controls in Vendor Management
Al Raymond
Chief Privacy Officer
PHH Corporation
Background
PHH Corporation
– One of the top five originators of retail residential mortgages in the United States
– Largest private label mortgage company
– 2nd largest fleet vehicle management company
– 300+ of the country’s largest financial institutions as clients – banks, thrifts, S&Ls, credit unions
Background – continued…
– Use vendors in and outside the U.S.
– Audited by everyone, every day
Agenda
1. Discussion of controls in place at vendors both locally and remotely to ensure that privacy and confidentiality of customer data is given top priority.
2. Discussion of the audit and oversight program in place to ensure above.
Challenges
Heightened visibility and profile of vendor management, particularly of offshore vendors, is causing many companies to finally formalize and document their vendor management program.
Banking institution clients, and especially legislation, are requiring companies to ensure that they have ‘oversight’ of their vendors – and of their vendors’ vendors.
So, how do you put that program in place and ensure it is “operating effectively”?
Why do it? ‘Cause Regulation says so:
Gramm-Leach-Bliley: the FTC Safeguards Rule requires financial institutions to ensure the safeguards of their affiliates and take steps to oversee their service providers’ safeguards.
Oversee service providers, by:
(1) Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information; and
(2) Requiring your service providers by contract to implement and maintain such safeguards.
More Regulation says:
HIPAA Privacy Rule says:
“a covered entity must obtain satisfactory assurances from its business associate that they will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity”.
Governance
To be or not to be… in compliance?
What’s needed?
What should be in place?
The Prerequisites….
The Prerequisites… not kidding now
Contract Provisions (examples)
• Dictate how vendors and suppliers are securing information and protecting customer privacy
• Language should be included to enforce compliance in all contracts
• “Upon reasonable notice, we may perform audits and security tests of vendor’s environment that may include, but are not limited to, interviews of relevant personnel, review of documentation, or technical inspection of systems, as they relate to the receipt, maintenance, use, retention, and authorized destruction of vendor Confidential Information”
• Steer clear of vendors that do not have secure practices
• Disputes to be resolved in a US court of law
Governance Approach – Define ‘risk’
Prioritizing On-Site Reviews – Determine who must be seen
High Risk Providers: Service provided is either business critical, deals with sensitive PII/NPI/PHI data, or both. On-site reviews should be conducted at least every 24 months, ideally annually. Reviews should focus on significant changes in security stance and risk management, and on following up on any issues. Regular review of monitoring and oversight by management and end user groups.
Medium Risk Providers: Service provided may be critical, but not as time sensitive. May involve some level of PII/NPI/PHI data. On-site reviews should be conducted at least every 36 months. Discussions with company management, limited scope visits, reviews of significant security and service issues.
Low Risk Providers: Service provided is not critical or time sensitive. Does not involve any PII/NPI/PHI data. Infrequent on-site reviews. Governance strategy may call for an initial on-site visit or limited scope examination. Periodic (generally at least every 24 months) off-site or informal reviews to confirm the risk ratings and obtain any information for security / service review documents.
Governance Approach… continued
Annual due diligence questionnaire submitted to Vendor
– Review of existing company security stance, security program, controls
– Evaluate new and/or proposed changes to infrastructure, any new facilities, any new procedures, etc. that may be relevant
– Evaluate financials
– Review independent controls assessments
On the Ground… In Country
Additional information to uncover prior to production:
• Review any use of third parties/partners to support the outsourced operation
• Consideration of additional systems, data conversions, or connections
• Evaluate ability to respond to service disruptions
• If the nature of the data is PII/NPI/PHI, then a site visit to review the physical security of their data center and call center should be strongly considered
The conundrum: Onshore vs. Nearshore vs. Offshore
Are all controls the same everywhere?
Risk Based? Or just Perception of risk?
Information Security & Physical Controls
(dreaming)
Information Security & Physical Controls
Back to reality:
What controls are put in place and ultimately validated by inspection, observation and corroborative inquiry?
Information Security & Physical Controls – continued…
Physical and Environmentals
– Physically separated VLAN – separate switch, router and firewall (ideally)
– Vendor employees to handle sensitive information in a secure production area only
– Geographically diverse facilities to ensure recovery in case of disaster
– No physical storage of data locally
– Thin client configuration (Citrix) to access company network and resources – all controlled / monitored by company
Information Security & Physical Controls – continued…
Secured Connectivity
– Data connectivity through MPLS nodes to ensure business continuity
– Secondary B2B VPN connectivity for high availability
Information Security & Physical Controls – continued…
Vendor environment
– Enterprise anti-virus / personal firewall deployed
– No USB access, CD-RW, floppy drives or similar devices allowed on workstations
– Access to facility limited to authorized personnel, enforced with on-site security guards and CCTV
Information Security & Physical Controls – continued…
System Access Control
– Unique username and password, enforced access control at Active Directory
– Role-based, profile-based access to system resources
Information Security & Physical Controls – continued…
Operational Management – why I’m loved worldwide
– No printers or fax allowed in production area
– No paper, pens or cell phones allowed in production area
– Clipboard (cut and paste) feature disabled on both sides
– Web E-mail access blocked
– Limited Internet URL Access – ‘white list’ defined by Company
– Monthly reconciliation process of new, existing and terminated employee accounts
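The monthly account reconciliation above is the one control in this list that reduces to a repeatable check. As an added example (not part of the talk, and not PHH's or any vendor's tooling), the Python below reconciles a constructed vendor HR roster against a constructed export of the vendor's production-floor Active Directory accounts and reports the cases a reviewer actually cares about: terminated staff whose accounts are still enabled, logons that happened after a termination date, accounts with no accountable owner, and enabled accounts nobody has used. The field names (emp_id, sam, enabled, last_logon, term_date) are assumptions about what a vendor would export.

```python
"""Monthly reconciliation of a vendor's production-floor accounts against its
HR roster.  Added example, not from the talk: all data below is constructed and
the field names (emp_id, sam, enabled, last_logon, term_date) are assumptions
about what a vendor would export from HR and Active Directory."""
from datetime import date

# Constructed: vendor HR roster as of the reconciliation date.
HR_ROSTER = [
    {"emp_id": "V1001", "status": "active",     "term_date": None},
    {"emp_id": "V1002", "status": "terminated", "term_date": "2010-09-03"},
    {"emp_id": "V1003", "status": "active",     "term_date": None},
    {"emp_id": "V1004", "status": "active",     "term_date": None},
]

# Constructed: export of the AD accounts in the OU used for the company's work.
# emp_id is the HR identifier stored on the account (assumed employeeID attribute).
AD_ACCOUNTS = [
    {"sam": "v1001",     "emp_id": "V1001", "enabled": True,  "last_logon": "2010-10-15"},
    {"sam": "v1002",     "emp_id": "V1002", "enabled": True,  "last_logon": "2010-09-20"},
    {"sam": "v1003",     "emp_id": "V1003", "enabled": True,  "last_logon": "2010-07-01"},
    {"sam": "svc_print", "emp_id": None,    "enabled": True,  "last_logon": "2010-10-01"},
    {"sam": "v1004",     "emp_id": "V1004", "enabled": False, "last_logon": "2010-10-10"},
]


def reconcile(roster, accounts, as_of, stale_days=60):
    """Return a list of (account_or_emp_id, code, detail) findings.

    Codes, roughly in order of severity:
      TERMINATED_ENABLED  account still enabled after the HR termination date
      LOGON_AFTER_TERM    a logon occurred after the termination date
      ORPHAN              account with no matching HR record (no accountable owner)
      STALE               enabled account with no logon within stale_days
      NO_ACCOUNT          active employee with no account (a provisioning gap)
    """
    as_of = date.fromisoformat(as_of)
    by_emp = {r["emp_id"]: r for r in roster}
    findings = []
    seen = set()

    for acct in accounts:
        emp = by_emp.get(acct["emp_id"]) if acct["emp_id"] else None
        last = date.fromisoformat(acct["last_logon"]) if acct["last_logon"] else None

        if emp is None:
            findings.append((acct["sam"], "ORPHAN", "no matching HR record; confirm owner or disable"))
            continue
        seen.add(emp["emp_id"])

        if emp["status"] == "terminated":
            term = date.fromisoformat(emp["term_date"])
            if acct["enabled"]:
                findings.append((acct["sam"], "TERMINATED_ENABLED", f"terminated {term}, account still enabled"))
            if last is not None and last > term:
                findings.append((acct["sam"], "LOGON_AFTER_TERM", f"last logon {last} is after termination {term}"))
        elif acct["enabled"] and (last is None or (as_of - last).days > stale_days):
            findings.append((acct["sam"], "STALE", f"enabled but no logon in the last {stale_days} days"))

    # Active staff with no account: not a security exposure, but the roster and the
    # directory disagree, which is exactly what the reconciliation exists to surface.
    for emp in roster:
        if emp["status"] == "active" and emp["emp_id"] not in seen:
            findings.append((emp["emp_id"], "NO_ACCOUNT", "active employee with no account"))
    return findings


def by_code(findings):
    """Group findings as {code: sorted list of account/employee ids}."""
    out = {}
    for ident, code, _ in findings:
        out.setdefault(code, []).append(ident)
    return {code: sorted(ids) for code, ids in out.items()}


if __name__ == "__main__":
    for ident, code, detail in reconcile(HR_ROSTER, AD_ACCOUNTS, "2010-10-31"):
        print(f"{code:<19} {ident:<10} {detail}")
```

Run the same reconciliation against the company-side directory as well: the vendor's roster is the authority on who still works there, but since access is enforced at the company's Active Directory (see System Access Control above), the company's own account list is the authority on who can still reach the data, and the two must agree.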
Information Security & Physical Controls – continued…
Personnel Security
– Hiring protocols: criminal background check, signed NDA, signed acceptable usage policy, Company awareness training
– Access card
– Lockers for employee use outside of production area – no personal items on production floor
– Drug tests administered for all employees traveling to Company (e.g. training)
Additional Risk Management
Country Risk – quantify risk by assessing foreign political and economic conditions. Risk management procedures should evaluate contingency, service continuity, and exit strategies in the event of unexpected disruptions in service.
Monitor and analyze the following specific risks:
• Economic Environment
• Political & Overall Legal Environment
• Privacy & security laws (if any)
• Cultural Environment
• Developments in new geographic locations of vendor
The Audit and Oversight Process
The ultimate objective is to:
“provide reasonable assurance to the Audit Committee and Management that appropriate control procedures are in place relative to the scope of outsourced services and operations, thus safeguarding our overall business, security and continuity interests”.
Audit and Oversight Process
Key aspects of the audit process include:
• Evaluate the adequacy and effectiveness of the vendors’ internal control systems
• Identify security lapses and/or Client contractual non-compliance
• Evaluate the procedures used by Vendor management to monitor key controls applicable to the project and the related vendor operations
Audit and Oversight Process… continued
• Provide a work product that can be relied upon for Company’s internal compliance objectives.
• Schedule and conduct audits in-line with Company’s Annual Audit Plan as directed by Internal Audit charter.
Audit and Oversight Process… continued
Audit scope/concerns include:
• IT General Controls
• Business Continuity Planning (BCP) and related activities
• Additional Security related controls as deemed necessary based on risks
Audit and Oversight Process… continued
• All offshore facilities of Vendor are subject to semi-annual visits by an Internal Audit resource and annual visits by the management team
– IA reports are presented to the VP of Internal Audit, the Audit Committee and the Board of Directors
– Findings are reported to InfoSec and/or Vendor Relations to begin the remediation process with the Vendor
Conclusions
• Heightened visibility and profile of vendor management
• You either do it, and do it right, or your clients will do it for you (hint: you don’t want this)
• You must show due care and a level of reasonable risk assessment
• You are always liable
Privacy & Security Controls in Vendor Management
Thank You!
Questions?
Al Raymond
PHH Mortgage
856.917.5499