2010 All Star Conference October 18 – 20, 2010 / The Palazzo / Las Vegas, NV, USA Privacy & Security Controls in Vendor Management Al Raymond Chief Privacy Officer PHH Corporation


Page 1: Privacy & Security Controls in Vendor Management

Al Raymond

Chief Privacy Officer

PHH Corporation

Page 2: Background

– PHH Corporation: one of the top five originators of retail residential mortgages in the United States

– Largest private label mortgage company

– 2nd largest fleet vehicle management company

– 300+ of the country’s largest financial institutions as clients – banks, thrifts, S&L’s, credit unions

Page 3: Background

– Use vendors in and outside the U.S.

– Audited by everyone, every day

Page 4: Agenda

1. Discussion of controls in place at vendors, both locally and remotely, to ensure that privacy and confidentiality of customer data are given top priority.

2. Discussion of the audit and oversight program in place to ensure the above.

Page 5: Challenges

Heightened visibility and profile of vendor management, particularly offshore vendors, is causing many companies to finally formalize and document their vendor management program.

Banking institution clients, and especially legislation, are requiring companies to ensure that they have ‘oversight’ of their vendors – and their vendors’ vendors.

So, how do you put that program in place and ensure it’s “operating effectively”?

Page 6: Why do it? ‘Cause Regulation says so:

Gramm-Leach-Bliley: FTC Rule requires financial institutions to ensure the safeguards of their affiliates and take steps to oversee their service providers’ safeguards.

Oversee service providers, by:

(1) Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information; and

(2) Requiring your service providers by contract to implement and maintain such safeguards.

Page 7: More Regulation says:

HIPAA Privacy Rule says:

“a covered entity must obtain satisfactory assurances from its business associate that they will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity”.

Page 8: Governance

To be or not to be… in compliance?

What’s needed?

What should be in place?

Page 9: The Prerequisites….


Page 14: The Prerequisites……….not kidding now

Contract Provisions (examples)

• Dictate how vendors and suppliers are securing information and protecting customer privacy

• Language should be included to enforce compliance in all contracts

• “Upon reasonable notice, we may perform audits and security tests of vendor’s environment that may include, but are not limited to, interviews of relevant personnel, review of documentation, or technical inspection of systems, as they relate to the receipt, maintenance, use, retention, and authorized destruction of vendor Confidential Information”

• Steer clear of vendors that do not have secure practices

• US court of law in case of disputes

Page 15: Governance Approach – Define ‘risk’

Prioritizing On-Site Reviews – Determine who must be seen

High Risk Providers: Service provided is either business critical, deals with sensitive PII/NPI/PHI data, or both. On-site reviews should be conducted at least every 24 months, ideally annually. Reviews should focus on significant changes in security stance and risk management, and on following up on any issues. Regular review of monitoring and oversight by management and end user groups.

Medium Risk Providers: Service provided may be critical, but not as time sensitive. May involve some level of PII/NPI/PHI data. On-site reviews should be conducted at least every 36 months. Discussions with company management, limited scope visits, reviews of significant security and service issues.

Low Risk Providers: Service provided is not critical or time sensitive. Does not involve any PII/NPI/PHI data. Infrequent on-site reviews. Governance strategy may call for an initial on-site visit or limited scope examination. Periodic (generally at least every 24 months) off-site or informal reviews to confirm the risk ratings and obtain any information for security / service review documents.

Page 16: Governance Approach………...continued

Annual due diligence questionnaire submitted to Vendor

– Review of existing company security stance, security program, controls

– Evaluate new and/or proposed changes to infrastructure, any new facilities, any new procedures, etc. that may be relevant

– Evaluate financials

– Review independent controls assessments

Page 17: On the Ground…….In Country

Additional information to uncover prior to production:

• Review any use of third parties/partners that support the outsourced operation

• Consideration of additional systems, data conversions, or connections

• Evaluate ability to respond to service disruptions

• If the nature of the data is PII/NPI/PHI, a site visit to review the physical security of their data center or call center should be strongly considered

Page 18: Information Security & Physical Controls

The conundrum: Onshore vs. Nearshore vs. Offshore

Are all controls the same everywhere?

Risk Based? Or just Perception of risk?

Page 19: (dreaming)

Page 20: Information Security & Physical Controls

Back to reality:

What controls are put in place and ultimately validated by inspection, observation and corroborative inquiry?

Page 21: Information Security & Physical Controls – continued…

Physical and Environmentals

– Physically separated VLAN – separate switch, router and firewall (ideally)

– Vendor employees to handle sensitive information in a secure production area only

– Geographically diverse facilities to ensure recovery in case of disaster

– No physical storage of data locally

– Thin client configuration (Citrix) to access company network and resources – all controlled / monitored by company

Page 22: Information Security & Physical Controls – continued…

Secured Connectivity

– Data connectivity through MPLS nodes to ensure business continuity

– Secondary B2B VPN connectivity for high availability

Page 23: Information Security & Physical Controls – continued…

Vendor environment

– Enterprise anti-virus / personal firewall deployed

– No USB access, CD-RW, floppy drives or similar devices allowed on workstations

– Access to facility limited to authorized personnel, on-site security guards, and CCTV.

Page 24: Information Security & Physical Controls – continued…

System Access Control

– Unique username and password, enforced access control at Active Directory

– Role-based, profile-based access to system resources

Page 25: Information Security & Physical Controls – continued…

Operational Management – why I’m loved worldwide

– No printers or fax allowed in production area

– No paper, pens or cell phones allowed in production area

– Clipboard (cut and paste) feature disabled on both sides

– Web E-mail access blocked

– Limited Internet URL Access – ‘white list’ defined by Company

– Monthly reconciliation process of new, existing and terminated employee accounts
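The monthly account reconciliation above is the one control on this slide that reduces to a repeatable check. The following is an added example, not code from the deck or from PHH: it compares an Active Directory export for the vendor’s accounts (the slide places access control in AD) against the vendor-supplied HR roster and lists the exceptions to chase. The CSV layouts, column names and sample rows are constructed assumptions.

```python
# Added example (not PHH's code): reconcile a vendor's AD export with its HR roster; formats assumed.
import csv
import io
from dataclasses import dataclass

# Constructed sample exports: the vendor's roster and the AD users in its OU.
ROSTER_CSV = """employee_id,name,status,end_date
V1001,Asha Rao,active,
V1002,Ben Ortiz,terminated,2010-09-30
V1003,Chen Wei,active,
V1004,Dana Koch,active,
V1005,Eli Park,active,
"""
AD_CSV = """sam_account,employee_id,enabled
v.arao,V1001,true
v.bortiz,V1002,true
v.cwei,V1003,true
v.temp7,,true
v.dkoch,V1004,false
"""

@dataclass(frozen=True)
class Finding:
    kind: str     # TERMINATED_STILL_ENABLED, ORPHAN_ACCOUNT or ROSTER_WITHOUT_ACCOUNT
    subject: str  # AD account name, or roster employee id for the last kind
    detail: str

def reconcile(roster_csv: str, ad_csv: str) -> list[Finding]:
    """Return the exceptions a monthly account review should chase down."""
    roster = {r["employee_id"]: r for r in csv.DictReader(io.StringIO(roster_csv))}
    findings: list[Finding] = []
    seen_ids: set[str] = set()
    for acct in csv.DictReader(io.StringIO(ad_csv)):
        emp_id = acct["employee_id"].strip()
        enabled = acct["enabled"].strip().lower() == "true"
        seen_ids.add(emp_id)
        if emp_id not in roster:
            # Enabled account that no one on the roster owns: must be explained or disabled.
            if enabled:
                findings.append(Finding("ORPHAN_ACCOUNT", acct["sam_account"], "no roster entry"))
        elif roster[emp_id]["status"] == "terminated" and enabled:
            # Leaver whose access was never revoked: the highest-priority item.
            findings.append(Finding("TERMINATED_STILL_ENABLED", acct["sam_account"],
                                    "left " + roster[emp_id]["end_date"]))
    for emp_id, row in roster.items():
        # Active employee with no account at all: a gap in the joiner process (informational).
        if row["status"] == "active" and emp_id not in seen_ids:
            findings.append(Finding("ROSTER_WITHOUT_ACCOUNT", emp_id, "no AD account"))
    return findings
```

Disabled accounts of leavers produce no finding, so the report stays focused on what still grants access.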

Page 26: Information Security & Physical Controls – continued…

Personnel Security

– Hiring protocols: criminal background check, signed NDA, signed acceptable usage policy, Company awareness training

– Access card

– Lockers for employee use outside of production area – no personal items on production floor

– Drug tests administered for all employees traveling to Company (e.g. training)


Page 28: Additional Risk Management

Country Risk – quantify risk by assessing foreign political and economic conditions. Risk management procedures should evaluate contingency, service continuity, and exit strategies in the event of unexpected disruptions in service.

Monitor and analyze the following specific risks:

• Economic Environment

• Political & Overall Legal Environment

• Privacy & security laws (if any)

• Cultural Environment

• Developments in new geographic locations of vendor

Page 29: The Audit and Oversight Process

The ultimate objective is to:

“provide reasonable assurance to the Audit Committee and Management that appropriate control procedures are in place relative to the scope of outsourced services and operations, thus safeguarding our overall business, security and continuity interests”.

Page 30: Audit and Oversight Process

Key aspects of the audit process include:

• Evaluate the adequacy and effectiveness of the vendors’ internal control systems

• Identify security lapses and/or Client contractual non-compliance.

• Evaluate the procedures used by Vendor management to monitor key controls applicable to the project and the related vendor operations.

Page 31: Audit and Oversight Process…..continued

• Provide a work product that can be relied upon for Company’s internal compliance objectives.

• Schedule and conduct audits in-line with Company’s Annual Audit Plan as directed by Internal Audit charter.

Page 32: Audit and Oversight Process…..continued

Audit scope/concerns include:

• IT General Controls

• Business Continuity Planning (BCP) and related activities

• Additional Security related controls as deemed necessary based on risks

Page 33: Audit and Oversight Process…..continued

• All offshore facilities of Vendor are subject to semi-annual visits by Internal Audit resource / annual Mgmt team

– IA Reports are presented to VP of Internal Audit, Audit Committee and Board of Directors

– Findings are reported to InfoSec and/or Vendor Relations to begin remediation process with Vendor


Page 35: Conclusions

• Heightened visibility and profile of vendor management

• You either do it, and do it right, or your clients will do it for you (hint: you don’t want this)

• You must show due care and a level of reasonable risk assessment

• You are always liable

Page 36: Privacy & Security Controls in Vendor Management

Thank You!

Questions?

Al Raymond

PHH Mortgage

856.917.5499

[email protected]