IT Vendor Assessments

How safe is your data after it leaves your control?

Howard Haile
Bill McSpadden
Topics Covered
•   Why conduct a vendor audit?
•   Organizing the internal processes
•   Identifying who needs to be involved
•   Get information about your vendors
•   Survey and assess the vendors
•   Monitor and remediate
Potential Problem Areas

• Industries
  – banking
  – healthcare
• Business Processes
  – Employee processes (Payroll, 401k)
  – Customer Service
• IT processes
  – Cloud computing
  – Backup/recovery
  – Help Desk
Why Audit Your
• You can’t control information once it
  leaves your control
• You are putting a great deal of
  control in the hands of your vendors
• Your vendor may pass your data to
  other people – who you don’t know
  and who have no obligation to you
• A hack on your vendor may leave
  your organization as exposed as if
  you had been hacked.
Why Not a SAS70?
• SAS70 does not specify a pre-
  determined set of control objectives
  or control activities that service
  organizations must achieve.
• SAS70 is used for financial reporting
  compliance – not other compliance
  requirements (HIPAA, GLB, etc.).
• May not cover some important areas
  like Disaster Recovery, etc.
• May not be available (too small, out
Other 3rd Party Reviews?
• You may be able to use results of
  other 3rd party reviews to reduce the
  burden of 1st party inspection.
• However, your organization should
  perform its own risk assessment!
• Shared Assessments – new
  organization which supports a
  standardized set of assessment
Other Types of Reviews

• ISO 17799 (info security)
• ISO 9000 series (quality)
• Trust Services (security oriented
  including availability)
Get Everyone On Board

• Develop standards and procedures
  surrounding data
• Make sure it covers
  – Vendor management (purchasing, etc.)
  – IT
  – Field offices
  – Employee Awareness

• Get 'right to audit' in contract
• Spell out obligations
  – Proactive (not just penalties for
  – Prescribe necessary precautions
• Make the obligations part of the
  solicitation and scoring
• Include ‘claw-back’ provisions in the
  contract for expenses incurred as a
  result of a breach.

• Information classification needs to be
• Heightened awareness required,
  particularly involving data repositories
• Strong change request process is very
• Need heightened awareness involving
• Direct access to your network
Field Offices
• What is their ability to contract
• How de-centralized is IT?
Employee Awareness
• Employees need to be aware of data
• Reminder that email attachments
  (spreadsheets, cut/paste lists, etc.)
  are covered
• Provide a point of contact for
• Periodic reminders
Data classification

•   Sensitive data needs to be identified
•   Remember combinations of data
•   Don't send unnecessary data, e.g.
    account numbers
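The three data classification points above (identify sensitive elements, treat combinations as more sensitive than their parts, and strip elements the vendor does not need) can be turned into a check that runs before an extract leaves the organization. The code below is an added illustration, not material from the presentation; the classification levels, the per-field ratings, the combination rules and the sample payroll extract are all constructed for the example, and a real deployment would load them from the organization's own classification standard.

```python
"""Outbound-extract classification check.

Added example (not from the presentation).  LEVELS, FIELD_CLASS,
COMBINATIONS and the sample extract below are constructed values.
"""

# Classification levels, lowest to highest (constructed scheme).
LEVELS = ["public", "internal", "confidential", "restricted"]

# Classification of individual data elements (constructed ratings).
FIELD_CLASS = {
    "employee_id": "internal",
    "full_name": "internal",
    "email": "internal",
    "dob": "confidential",
    "salary": "confidential",
    "ssn": "restricted",
    "account_number": "restricted",
}

# Combinations that are more sensitive than any element on its own.
COMBINATIONS = [
    ({"full_name", "dob"}, "confidential",
     "name with date of birth identifies a specific person"),
    ({"full_name", "ssn"}, "restricted",
     "name with SSN enables identity theft"),
    ({"full_name", "account_number"}, "restricted",
     "name with account number enables financial fraud"),
]


def rank(level):
    """Numeric position of a level so levels can be compared."""
    return LEVELS.index(level)


def classify(fields):
    """Return (level, reasons) for a set of data elements.

    The level is the highest rating of any single element, raised further
    when a known sensitive combination is present.  Elements missing from
    FIELD_CLASS are treated as 'internal' rather than 'public', so an
    unknown column never lowers the result.
    """
    fields = set(fields)
    level = "public"
    reasons = []
    for name in sorted(fields):
        field_level = FIELD_CLASS.get(name, "internal")
        if rank(field_level) > rank(level):
            level = field_level
    for combo, combo_level, why in COMBINATIONS:
        if combo <= fields:            # every element of the combination is present
            reasons.append(why)
            if rank(combo_level) > rank(level):
                level = combo_level
    return level, reasons


def review_extract(columns, approved_elements):
    """Compare an outbound extract with the element list agreed with the vendor.

    Reports the classification of what is about to be sent, the columns the
    vendor has no agreed need for, and what the classification would drop to
    if only the approved elements were sent.
    """
    cols = set(columns)
    approved = set(approved_elements)
    before, reasons = classify(cols)
    after, _ = classify(cols & approved)
    return {
        "classification": before,
        "combination_reasons": reasons,
        "unnecessary": sorted(cols - approved),
        "classification_after_minimising": after,
    }


# Constructed sample: a benefits-mailing vendor was approved for three
# elements, but the extract pulled from the HR system carries six.
SAMPLE_COLUMNS = ["employee_id", "full_name", "email",
                  "dob", "salary", "account_number"]
APPROVED_ELEMENTS = ["employee_id", "full_name", "email"]

if __name__ == "__main__":
    result = review_extract(SAMPLE_COLUMNS, APPROVED_ELEMENTS)
    print("classification of extract as built:", result["classification"])
    for why in result["combination_reasons"]:
        print("  combination:", why)
    print("columns not in the approved list:", ", ".join(result["unnecessary"]))
    print("classification if minimised:", result["classification_after_minimising"])
```

Running the sample shows the extract as built is "restricted" (the account number alone, reinforced by the name-plus-account-number combination), while sending only the three approved elements brings it down to "internal". The same function can sit in the hand-off procedure so that a spreadsheet or cut-and-paste list is checked against the vendor's agreed element list before it is emailed.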
Discussion Questions
1. Should you hold your vendors to
   the same information security
   specs as your own?
2. Do you hold your vendors to the
   same information security specs as
   your own?
3. What would it take to satisfy you of
   the vendors’ security over
4. What is your organization doing to
Assessment Process
1.   Rank the risk
2.   Identify the vendors (all or some?)
3.   Survey vendors
4.   Score the survey
5.   Identify weaknesses
6.   Decide on remediation process
Pre-Survey Steps

• Does the vendor know what is
  expected – in detail?
• Do you have a good contact at the
  vendor, if permitted?
• What sort of tracking system do you
• Who is responsible for devising,
  administering and scoring the survey?
Survey Process
•   Develop the survey
•   Devise a scoring system (Keep it
•   Design the questions to be ‘gradable’
•   Have all vendors complete a standard
•   Review and score questionnaire – use
    same criteria.
•   Use 'skepticism' when grading
•   Evaluate by predetermined score
Survey Considerations

• Once the high-risk vendors are
  completed, are you comfortable with
  the results? If not, keep going until
  you begin to feel comfortable
• Evaluate risks against questionnaire
• High risk data/processes necessitate
  high vendor score
• Determine if additional info, including
  site visit, is needed
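The assessment, survey and survey-considerations slides above describe one procedure: rank the risk, have every vendor answer the same gradable questionnaire, score it on the same criteria with skepticism, compare the score against a predetermined mark that is higher for higher-risk data, and turn the gaps into a prioritized list of weaknesses. The following is an added worked example of that procedure, not code from the presentation or from Shared Assessments; the questions, weights, answer points, risk tiers, pass marks and sample responses are all constructed for illustration.

```python
"""Vendor questionnaire scoring against risk-based pass marks.

Added example (not from the presentation).  QUESTIONNAIRE, THRESHOLDS
and SAMPLE_RESPONSES are constructed values for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Question:
    qid: str
    text: str
    weight: int      # importance of the control area in the overall score
    options: dict    # gradable answer -> points, so every grader scores alike


# Constructed questionnaire; a real one would be the organization's standard
# survey sent unchanged to every vendor.
QUESTIONNAIRE = [
    Question("Q1", "Encryption of data in transit", 3,
             {"strong encryption (e.g. TLS)": 2,
              "encrypted, details not provided": 1, "none": 0}),
    Question("Q2", "Background checks for staff with data access", 2,
             {"all such staff, documented": 2, "some staff": 1, "none": 0}),
    Question("Q3", "Incident response plan with client notification", 3,
             {"plan exists, tested, client notified": 2,
              "plan exists, untested": 1, "none": 0}),
    Question("Q4", "Data further subcontracted to 3rd parties", 2,
             {"no": 2, "yes, same assessment applied": 1,
              "yes, unassessed": 0}),
    Question("Q5", "Recovery of client data specifically tested", 2,
             {"tested within last year": 2, "plan only": 1, "none": 0}),
]

# Predetermined pass marks (percent) by risk rank of the data or process.
THRESHOLDS = {"high": 85, "medium": 70, "low": 50}


def score_survey(responses):
    """Score one vendor's answers on the fixed criteria.

    An unanswered question, or an answer that is not one of the gradable
    options, earns 0 points: the burden is on the vendor to show the
    control exists.  Returns (percent, weaknesses) with weaknesses sorted
    by weighted gap so the biggest shortfalls come first.
    """
    earned = possible = 0
    weaknesses = []
    for q in QUESTIONNAIRE:
        best = max(q.options.values())
        points = q.options.get(responses.get(q.qid), 0)
        earned += q.weight * points
        possible += q.weight * best
        if points < best:
            weaknesses.append((q.weight * (best - points), q.qid, q.text))
    weaknesses.sort(reverse=True)
    return round(100 * earned / possible, 1), weaknesses


def evaluate_vendor(name, risk, responses):
    """Apply the pass mark for the vendor's risk rank and decide the next step."""
    pct, weaknesses = score_survey(responses)
    threshold = THRESHOLDS[risk]
    passed = pct >= threshold
    if passed:
        next_step = "accept; monitor on the schedule set by risk rank"
    elif risk == "high":
        next_step = "remediation timeline required; schedule on-site inspection"
    else:
        next_step = "remediation timeline required"
    return {"vendor": name, "risk": risk, "score": pct, "threshold": threshold,
            "passed": passed, "next_step": next_step,
            "weaknesses": [(qid, text) for _, qid, text in weaknesses]}


# Constructed responses: Q5 was left blank, so it scores 0.
SAMPLE_RESPONSES = {
    "Q1": "strong encryption (e.g. TLS)",
    "Q2": "some staff",
    "Q3": "plan exists, untested",
    "Q4": "no",
}

if __name__ == "__main__":
    # The same answers pass for a low-risk mailing list but fail for payroll.
    for vendor, risk in (("payroll processor", "high"), ("newsletter mailer", "low")):
        r = evaluate_vendor(vendor, risk, SAMPLE_RESPONSES)
        print(f"{r['vendor']}: {r['score']}% vs {r['threshold']}% -> "
              f"{'pass' if r['passed'] else 'FAIL'}; {r['next_step']}")
        for qid, text in r["weaknesses"]:
            print(f"  weakness {qid}: {text}")
```

With the sample answers the vendor scores 62.5%, which passes the low-risk mark but fails the high-risk one, and the weakness list comes out as Q5, Q3, Q2, so the untested recovery and the untested incident plan are what purchasing and the business unit hear about first. Keeping the thresholds in one table, rather than in each reviewer's head, is what makes "evaluate by predetermined score" auditable later.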
On-site inspections?
• High risk vendors may require on-site
  inspection
• High risk implies sensitive data
  and/or questionable safeguards
• Set up a schedule based on risk
  assessment. The higher the risk, the
  greater the frequency.
• Might be a good opportunity for
  employing consultants whose
  presence overlaps your vendors
Vendor - Background
•   Nature of service provided
•   Frequency that information is
    supplied to vendor
•   List of data elements provided
    (selection criteria is not essential)
•   How data is transported (transport
    method and encryption technique)
Vendor - Background

•   Will any of the data reside outside of
    the US?
•   Are any of the services provided
    further outsourced? (If so, more
    detailed information on nature,
    location, etc. is required)
Vendor Oversight
• Regulatory or other Governance the
  vendor must follow (HIPAA, PCI,
  banking, SOX, SAS70, etc.)
• Are your data/processes covered by
  those compliance processes? If so,
  can those regulatory bodies affect
  your organization?
• Employee policies (confidentiality
  agreements, background checks,
  termination process within systems,
Vendor – Process
•   Provide a specific list of servers,
    databases, and networks where data
    will reside or be processed
•   Provide information on each
    (location, operating systems, age,
Vendor - Security
•   Describe security policies
•   Provide data classification grid
•   How does your vendors’
    classification match your data
    classification scheme
•   Technical/logical system controls
Vendor – Physical Risks
•   Physical security of facilities
    (accessibility by public)
•   Data Center
•   Off-site data storage – is your data
    going to yet another vendor?
•   Call center services (if in scope)
•   Identity theft monitoring process
Vendor Business Continuity
•   Business Continuity plans (may not be
    in scope depending upon nature of the
    services provided)
•   What is the recovery timeframe for
    your data and equipment?
•   Does response time match your need?
•   Does the response time match your
•   Has your data and equipment
    recovery been specifically tested?
Handling 3rd Parties
•   What processes are further sub-
    contracted to a 3rd party?
    NOTE: same assessment process
    needs to be followed for the 3rd
•   What are your rights with regards to
    3rd party inspections or ability to
    have primary vendor inspect?
Vendor Documentation
•   Any documentation from third party
    reviews (PCI, SAS-70, BITS)
•   Organization chart (especially
    showing security responsibility and
•   Outline or listing of security policies
    and procedures in place (an index or
    table of contents, etc.)
•   Process documentation or results of
    any security risk assessment
Vendor Doc (cont’d)
• Employee background check template
  to verify scope
• Floor plan diagram showing security
  devices (i.e. cameras, badge readers,
• Access control list for the data center
  (if applicable)
• Account password settings (screen
  shot of settings for systems
Vendor Doc (cont’d)
• Audit/logging policies for systems
• Data retention and secure purging
  related policies and procedures.
• eDiscovery program
• Incident response plan – is your
  organization notified promptly?
• A sample of the change control
  process sign off form or document
  recording approval for
  system/software changes
• Org chart
Managing Deficiencies
• Prioritize the deficiencies
• Ensure that purchasing and business
  unit is aware of vendor deficiencies –
  and potential impact
• Work with vendor and purchasing to
  develop a reasonable timeline to fix
• If necessary, begin enforcing
  contractual penalties
One More Thought (or
If you are providing outsourced
• What are you doing to provide this
• Are you meeting your obligations?
• What is the process for keeping
  your clients informed?
• What do you outsource that might
  create a problem?
Call to Action
• Assess the process for managing
  information flow to outside parties
• Identify the risks for data residing
  outside your direct control
• Evaluate external organizations’
  ability to secure your data
More Information
Shared Assessments

• Agreed Upon Procedures
• Standard Info Gathering
• Low/high risk questionnaire
• Business Continuity questionnaire
• Privacy Continuity questionnaire
Questions & Contact Info

• Bill McSpadden

• Howard Haile