Dipti Patel, CISA, CISM, ISO 27001 LA, ITIL V3, is a security consultant at Tata Consultancy Services, a leading IT services company with worldwide experience in information security and cyberresilience. Patel brings an excellent understanding of governance, risk and compliance (GRC) aspects and is a follower of trending GRC concepts and techniques. She can be reached at diptiapatel@gmail.com.

ISACA JOURNAL VOLUME 4, 2015

Outsourcing is often a default strategy for today's businesses. While it has huge potential benefits to offer enterprises, outsourcing has also given rise to security threats that are persistent, large-scale and devastating. In the past two years, sophisticated cyberadversaries have launched powerful attacks through vendor networks and connections and siphoned off money, millions of credit card records and customers' sensitive personal information. There has been a noticeable jump in the share of organizations that attribute security incidents to current service providers and contractors (23 percent) and to former partners (45 percent).1 Changes in targets and threats outside the enterprise are shaping the current and near-future risk landscape. Looking at these anticipated changes in a strategic manner will enable security and risk leadership to unearth new opportunities while managing this emerging risk. Thus, it is clear that enterprises require adequate oversight of vendor security risk as part of a comprehensive cyberrisk management policy.

THE HEART OF THE MATTER

Most people did not expect that connectivity with vendors would result in exploits on retailers, many of which would go unnoticed for several months. Very few risk management programs would have considered such a risk, which is not only large in impact but also hard to predict. Such events were rare and typically beyond the realm of normal expectations.

Attackers, organized cybercriminals and some nation-states have captured news headlines as a result of high-profile security breaches. Almost one-third (32 percent) of respondents to a PricewaterhouseCoopers survey said that insider crimes are more costly or damaging than incidents perpetrated by outsiders.2 Most people know that employees are not the only source of insider threat; insider threat can also include former employees, service providers, consultants, contractors, suppliers and business partners.

Verizon labeled 2013 "the year of the retailer breach." There were 467 retailer breaches worldwide. Massive breaches were seen again in 2014, once again targeting credit card data, personal information, sensitive health records and financial information.3 Large-scale heists of consumer data were reported in South Korea, where 105 million payment card accounts were exposed in a security breach.4 In Verden, Germany, city officials announced the theft of 18 million email addresses, passwords and other information.5

Regulators around the world are tightening their expectations for vendor security. They are revisiting their guidelines on vendor security and are directing organizations to increase their focus on vendor risk as organizations continue to expand the number and complexity of their vendor relationships. For example, the US Office of the Comptroller of the Currency (OCC) and the Board of Governors of the US Federal Reserve System released updated guidance on the risk management of third-party relationships. This guidance signals a fundamental shift in how financial institutions need to assess third-party relationships. In particular, it calls for robust risk assessment and monitoring processes to be employed relative to third-party relationships, and specifically those that involve critical activities with the potential to expose an institution to significant risk.6

Enterprises must elevate their vendor-related security practices to keep pace with ever-evolving threats and security needs.

TAKING ACTION ON VENDOR SECURITY GOVERNANCE

Given today's interconnected business ecosystem, in which exponentially more data are generated and shared with suppliers and business partners, the lack of risk oversight and due diligence regarding third parties is concerning. Vendor risk oversight from a security point of view will demand a program that covers the entire enterprise—outlining the policy and guidelines to manage and mitigate vendor security risk—combined with clearly articulated vendor contracts. Such oversight will not only help organizations improve cybersecurity programs but also potentially advance their regulatory and legal standing in the future. The following six steps can help organizations start their vendor security governance policy (figure 1):

Figure 1—Vendor Risk Management Program and Components
[Figure: a cycle of six components around "Vendor Risk Management": Executive Oversight; Vendor and Contract Database; Assign Trust Level; Security Assessment; Validate Trust Level; Monitor and Report.]
Source: Dipti Patel. Reprinted with permission.

1. Executive oversight—Executive alignment and business context are critical for appropriate implementation throughout the organization. Proper alignment is like a command center, providing the required policies, processes and guidelines for the program. The decision to outsource is strategic and not merely a procurement decision. It is, therefore, of the utmost importance that executive committees provide direction for the vendor risk management program. The program should obtain executive guidance from:
• The compliance function, to provide regulatory and other compliance requirements that have specific rules regarding vendor risk management to which the organization must adhere
• The IT risk and control function, to determine the vendor risk and the risk level, depending on the nature of the access granted to vendors and the sensitivity of the data shared with them. The vendor risk management program should utilize the key risk indicators provided by this function to address risk during assessments.
• The contract governance function, to ensure that vendor contracts adequately address the need for security assessments and vendors' obligations to complete these assessments

2. Vendor and contract database—Most organizations today deal with a considerable number of third parties and service providers. Missing contact information, responsibility matrices or outdated contracts are typical areas of concern for which risk managers would have to initiate assessments. This poses a significant challenge, especially when multiple teams are involved in procurement. A vendor and contract database (VCD) ensures that an accurate and complete inventory of vendors is maintained, including other third-party relationships (e.g., joint ventures, utilities, business partners, fourth parties).

3. Assign trust level—For the vendor risk management program to be effective, one cannot conduct the same type of risk assessment for all vendors. Rather, it is necessary to identify those vendor services deemed to carry the greatest risk and prioritize them accordingly. The first step is to understand which vendors and services are in scope from an active risk management perspective. Once this subset of vendors has been identified and prioritized, due diligence assessments are performed for the vendors, depending on the level of internal versus vendor-owned controls. The results of these assessments help establish the appropriate trust-level rating (TLR) and the future requirements in terms of reassessments and monitoring. This approach focuses resources on the relationships that matter most, limiting unnecessary work for lower-risk relationships. For example, a vendor with a high TLR should be prioritized over a vendor with a low TLR.

4. Security assessment—Proper control and management of vendor risk requires continuous assessments. It is important to decide the types of assessments to be performed on vendors and their frequency depending on the TLR. Figure 2 provides an example of assessment types that can be included in a program.

Figure 2—Assessment Types Based on TLR
Trust-level Rating (TLR)   Assessment Types
Low                        Vendor self-assessment
Moderate                   Desktop review, infrastructure assessment
High                       Onsite review, infrastructure and application assessment
Source: Dipti Patel. Reprinted with permission.

As a good practice, areas of assessment could be drawn from security standards and practices (e.g., ISO 27001, COBIT®, OWASP) combined with specific compliance requirements (e.g., Payment Card Industry Data Security Standard [PCI DSS]) as applicable.

5. Validate trust level—Outsourced relationships usually go through iterations and evolve as they mature. As client organizations strategize to outsource more, they should also validate the trust level in anticipation of more information and resources being shared. With technological advancements, a continuously changing business environment and increased regulatory demands, validating the trust level is a continuous exercise. To get the most rational and effective findings, it is best to use the results of ongoing assessments.

6. Monitor and report—In an iterative process, it is necessary to continuously monitor and routinely assess vendors based on the trust level they carry. The program should share information about the vendor security posture and risk levels with an executive sponsor, who can help the organization progress toward the target profile. Narrating risk from a business perspective can be an additional feature, especially when reports are furnished to inform internal stakeholders, internal audit functions, lines of business and, if necessary, the board of directors.

CONCLUSION

Vendor risk management is the next step to elevate information security from a technical control process to an effective management process. Regular security assessments of vendors give organizations the confidence that their business is aware of the security risk involved and is effectively managing it by transferring, mitigating or accepting it. Comprehensive vendor security assessments provide enterprises with insight on whether their systems and data are being used consistently with their security policies.

Vendor risk management is not a mere project; it is an ongoing program and requires continuous effort to keep the momentum going. Once the foundational framework has been established, organizations can look at enhancing maturity through initiatives such as improving guidelines and procedures, rationalizing assessment questionnaires, and automation. Awareness and communication are key to ensuring that the program is effective and achieves its intended outcome—securing enterprises together with their business partners and vendors.

ENDNOTES

1 PricewaterhouseCoopers, "Managing Cyber Risks in an Interconnected World. Key Findings From The Global State of Information Security Survey," 2015, www.pwc.com/gx/en/consulting-services/information-security-survey/
2 Ibid.
3 Verizon, 2014 Verizon Data Breach Investigations Report, www.verizonenterprise.com/DBIR/2014/
4 Op cit, PricewaterhouseCoopers 2015
5 Brewster, Thomas; "Germany Investigating Data Breach Affecting 18 Million," TechWeek Europe, 7 April 2014, www.techweekeurope.co.uk/workspace/germany-id-theft-18m-143269
6 Office of the Comptroller of the Currency, "OCC Bulletin 2013-29. Description: Risk Management Guidance," USA, http://occ.gov/news-issuances/bulletins/2013/bulletin-2013-29.html