
Vendor Risk Management

© Copyright GuidePoint Security LLC


Overview
• Introduction
• Definition of Vendor Risk Management (VRM)
• Understanding the risks and concerns
• The Real Reason We Need VRM
• Who is Really a Vendor?
• How to Start the Process
• Where to Focus?
• Where Does VRM Belong?
• Due Diligence
• Conclusions
• Q&A
About me…
Urban Areingdale
Sr. Security Consultant, GRC
urban.areingdale@guidepointsecurity.com
QSA, CCSFP, CISSP, ISO 27001 Lead Auditor, CISA, CISM, MCSE, CCSA, ITIL Foundations…

• Career spans over 20 years
• I’ve worn several Ops hats
• 17 years direct InfoSec
• ITOps+NetOps+SecOps+GRC
• GuidePoint’s VRM Practice Lead
• Cloud enthusiast
What is Vendor Risk Management?
What is a “Vendor”?
A vendor in this case is a third party that has entered into a relationship via contract, agreements or other business
arrangement with the entity to provide products or services to the entity or its customers.

What is the “Risk”?
Based on COSO’s ERM Framework, the strategic, financial, operational and compliance/legal risks may be amplified or
reduced by introducing third parties into the business operations.

What is “Management”?
This is the fiduciary duty of an organization to protect customer data and its bottom line. It implies the
requirement that a vendor applies the same level of control as the company does internally.
Also known as Third Party Risk Management (TPRM)

A note regarding common sense… it is common, but it is not everywhere.

Would you agree that this is common sense?
Understanding the Risks and Concerns
• Risk of breach within the vendor (Delta’s Customer Center – Vendor Breach)
• Data residency and geographic violations (US and EU regulations)
• Directly affected by attacks on Cloud platforms
• Misunderstanding what data is being exchanged
• Misunderstanding the impact of breach (downtime, reputation, cost, fines, etc.)
• Loss of visibility (“I used to be able to see everything”)
• Identity and access management (Extension into the vendor’s realm)
• New technology and a new lexicon

The Real Reason We Need VRM
Compliance
• Are you a government contractor? DFARS
• Are you doing business with the EU or EU residents? GDPR
• Are you doing business in NY? 23 NYCRR 500
• All 50 states have a breach notification requirement
• Consumer data? The FTC requires companies to implement "reasonable cybersecurity" measures
to protect consumer data
• Financial data? The FDIC states that an institution’s board of directors and senior management
are ultimately responsible for third party risks. FIL-22-2017; OCC Bulletin 2013-29; OCC
Bulletin 2011-12
• Patient data? HHS HIPAA-HITECH
• If your customers’ data includes Personally Identifiable Information (PII), Nonpublic Personal
Information (NPI), Personally Identifiable Financial Information (PFI), Protected Health
Information (PHI), Cardholder Data (CHD), etc., you need to protect it to comply with a
regulatory requirement.
Who is Really a Vendor?
• Is the vendor that installed that nice fish tank a vendor?
Yes! 2017: a North American casino was breached through an internet-connected fish tank.

• Is the HVAC (A/C) maintenance company a vendor?
Yes! 2013: Fazio Mechanical – Target breach.

• Is the cleaning crew a vendor?
Yes! Unsupervised access to facilities, including data centers
(janitors, plant maintenance personnel, etc.).

• Is the cloud provider a vendor?
Yes! Especially when multiple vendors are combined: one provides
the PaaS, a different vendor provides security, etc.

• Is the consultant that came to install that new software a vendor?
Yes! Especially if they access a critical business app or its
ancillary support systems.
How to Start the Process?
• The initial phase: Discovery
  • Identify whether a Vendor Management process is already in place
  • Investigate with each business unit which contracts exist
  • Perform a data inventory and review the external data flows

• Second phase: Requirements
  • Define the business requirements for each vendor (quality, SLA, etc.)
  • Identify the regulatory compliance requirements that affect each vendor
  • Classify vendors into tiers based on criticality to the business operation

• Third phase: Due diligence / Risk Assessment
  • Use existing tools (Excel spreadsheet questionnaires, GRC tools, or outsource to an MSSP)
  • Work with vendors to address any issues via a Corrective Action Plan (CAP)
  • Document the final disposition (accepted, rejected, conditional, etc.)

• Fourth phase: Monitoring
  • Monitor status (the higher the vendor tier, the more scrutiny and the more frequent the review)
  • Work with business units to ensure that business requirements are being met
  • Reporting
Where to Focus?
• Concentrate on vendors that play a vital role in the company’s operation
  • Have a significant or critical impact on the company’s mission
  • Have potential financial (legal/regulatory) impact
  • Manage a large volume of the company’s customers or products
Where Does VRM Belong?
[Diagram: the VRM workflow (Do we need a vendor? → Requirements → Due Diligence → Onboard → Monitor)
mapped against the project lifecycle (Conception, Planning, Execution, Control, Closing) and the
functions involved: ERP, PMO, ERM, CyberSec and VRM.]
Due Diligence
• Develop vendor tiers
  • Impact to the organization
  • Data type being accessed
  • Volume of data

• Define the control requirements per data type (confidential – PHI/PII/NPI/PFI...)

• Develop RFI/RFP templates (surveys)
• Develop internal surveys (to determine whether VRM is needed)
• Develop template contract Terms and Conditions language (right to audit, obligation to remain in
compliance, responsibilities and obligations, method and cost of privacy and security incident
handling, identification, arbitration, exit strategy, quality, SLAs, etc.)
Due Diligence, Cont…
• Develop a workflow:
  • Start once a decision has been made to explore whether a vendor is needed.
  • Send out the internal survey
    • Data type
    • Business requirements
    • Business risk

• Vendor selection
  • RFI/RFP (external surveys)
  • Due diligence (financials, D&B report, references, years in business…)
  • Assess risk (ensure that integration feasibility is accounted for)

• Vendor status
  • Work with business unit(s) and the vendor to address any outstanding risk
  • Final disposition (accepted, rejected, conditional)
  • Ongoing monitoring (frequency of risk assessment depends on vendor tier)
How to Obtain Assurances?
• Have we lost the right to audit?
  • More or less, but we can still have a robust vendor risk management program

• How to obtain assurances?
  • Reports of compliance and agreements

• How to measure and report?
  • Design your control matrix, and define metrics and KPIs

• How to look beyond compliance?
  • Learn the cloud architectures and use the available guides
What Frameworks are Available?
Service Organization Controls – Examination Engagement: SOC 1, 2 and 3
Following the American Institute of Certified Public Accountants (AICPA) Statement on Standards for
Attestation Engagements No. 18 (SSAE 18), Clarified Examination Engagement Section 205 (AT-C 205)
for Service Organization Controls (SOC) Examinations.

Information Security Management Systems – Assessment and Certification: ISO 27001
Following the International Organization for Standardization (ISO) information security management
systems (ISMS) 27000 series, specifically ISO 27001:2013.

Information Security Program – Assessment and Certification: NIST 800-53 and its derivatives
Following the Security and Privacy Controls guidance developed by the National Institute of Standards
and Technology (NIST) for Federal Information Systems and Organizations, documented in Special
Publication 800-53 Revision 4.

Also: SOX, CSA STAR Certification, PCI DSS, and contractual obligations.
A Special Note on Cloud Security

[Figure: the AWS Shared Responsibility Model]
Source: https://aws.amazon.com/compliance/shared-responsibility-model
Conclusions
• Are you sure you want to do this? Yes! There are many benefits to properly
managing the vendor outsourcing process.

• In today’s business environment it is impossible not to use third parties for key
business functions, including internal and external processes.

• Properly assessing third party risks ensures that your organization is delegating
key business functions to the best possible vendor/partner.

• Perform a cost-benefit analysis to decide whether it is better to develop VRM capabilities
in-house or to contract an external VRM MSSP.
Questions

Thank You

Resources
COSO - Enterprise Risk Management — Integrated Framework
https://www.coso.org/Pages/erm-integratedframework.aspx

FDIC - Outsourcing and Third-Party Providers (Vendor Management)
https://www.fdic.gov/regulations/resources/director/risk/it-tpp.html

GSA - Rules and Policies - Protecting PII - Privacy Act
https://www.gsa.gov/reference/gsa-privacy-program/rules-and-policies-protecting-pii-privacy-act

NIST SP 800-122 - Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
https://csrc.nist.gov/publications/detail/sp/800-122/final

GuidePoint Security – Managed VRM Services
https://www.guidepointsecurity.com