In this session information will be presented on Third Party Risk Governance. The presenter will provide a better understanding of the what’s, why’s and how’s of a Third Party Risk Governance program and provide some suggestions on sources for a program as well as some of the typical “gotchas”. This presentation will also cover common objections from the recipients of assessments and how to overcome those objections, and will discuss contract language that can be added to your products and services contracts.
2. Does Commercial Off the Shelf Software introduce risk to your environment?
Do commercially produced hardware products introduce risk?
Does the security culture of the organization providing software, hardware and services have anything to do with your risk?
Do fourth party relationships matter?
3. Culture of Security
It is critical that an organization have a “Culture of Security”
What is a “Culture of Security”?
Culture - the quality in a person or society that arises from a concern for what is regarded as excellent in arts, letters, manners, scholarly pursuits, etc.
Culture of Security is embedded in the daily operation of the organization so that it becomes a norm and not an exception
The culture of security drives the practices of an organization
It’s deeper than just having AV and IDS/IPS
Includes mature policies, standards and practices
4. Product and Services Risk
Every product or service introduces risk
Network interfaces and access to you
Poor coding practices
Vendor systems
Personnel activities
Fourth party participation
5. Fourth Party Relationships
Where are they located?
Do they have a “Culture of Security”?
Does your Third Party have a security contract or understanding with their third party providers?
7. Identify Framework/Methodology
There are many ways to determine and manage risk
NIST SP 800-161 (Supply Chain Risk Management (SCRM) for Information and Communications Technology)
National Strategy for Global Supply Chain Security
Cloud Security Alliance
Shared Assessments Standard Information Gathering (SIG) and Agreed Upon Procedures (AUP)
8. Determination Questionnaire
Not all relationships require intense scrutiny
You must determine which do and which don’t
Short questionnaire
High level evaluation of risk
Groundskeepers
Cleaning teams
Service personnel
Construction crews
9. Does the vendor store, process, transmit or access systems or data?
Does the vendor have logical or physical access to facilities?
Can the vendor directly or indirectly impact your business availability?
Does the engagement create, modify or purchase software and/or hardware?
Are any of the above criteria met before, during or after implementation of the products or services?
10. 1) What type of data will the Third Party potentially process, store, transmit, or have access to, as part of this engagement?
2) What is the greatest daily average quantity of records/account information which this engagement scope will send, receive, process, store or have access to before, during or after implementation?
3) What is the frequency at which this engagement scope will send, receive, process, store or have access to before, during or after implementation?
4) Does this engagement scope include any type of data-sharing/user/admin/database access OR inbound connectivity to your corporate network OR outbound connectivity from corporate network with the third party before, during or after implementation?
11. 5) Does this engagement scope include physical access by Third Party personnel to your facilities before, during or after implementation?
6) Does this engagement scope involve creation of new services and/or changes to existing services?
7) Does this engagement scope involve the creation/modification of software applications and/or the deployment of new devices/IT infrastructure?
8) Does this engagement scope include offshore (offshore = outside continental U.S.) facilities or personnel involvement of any kind before, during or after implementation or use of any products and/or service(s) involved? (Consider sending, receiving, processing, storing data / any access at any time / software development)
12. 9) Does this engagement scope include inbound and/or outbound connectivity and/or data sharing with other external parties (vendors/partners of this vendor) before, during or after implementation?
10) Is a cloud solution utilized from this vendor?
11) Is a mobile solution utilized from this vendor as part of this engagement scope?
12) How many "Fourth Party" vendors will have access to Third Party data or facilities and/or your corporate data or facilities as part of this engagement scope?
13. 15) What is the vendor's most recent annual income?
16) Has the vendor recently gone through a merger, acquisition, or divestiture?
17) Will the vendor’s services include performing any transactions on behalf of your company or your subsidiary entities?
18) What is the volume of transactions per day the vendor will perform on behalf of your company or your subsidiary entities?
19) What is the daily value of the transactions performed by the vendor on behalf of your company or your subsidiary entities?
20) What is the current Disaster Recovery (DR) Tier?
14. 22) What is the current Business Impact Analysis (BIA)?
23) Does this vendor provide services that are customer facing?
24) Are there any (public or private) known issues, findings or concerns?
25) Is this vendor a strategic vendor for your company?
26) Known count of viable alternative vendors?
24) What concentration of this Line of Business’ cumulative business position is represented by this specific project/engagement scope? (percentage estimate / response optional)
25) What is the currently projected utilization term for this vendor?
15. Risk Rank
After you have determined whether an assessment is needed
Level of scrutiny
On-site
Frequency of review
16. Risk Assessments
Perform your assessment
Use the framework you chose
Create a scoring model
Maintain record of assessments
Follow up on findings
Create process to document risk acceptance
Maintain timelines for remediation
Document when remediation has been completed
Provide a path forward to the business through Risk Acceptance/Risk Remediation
17. Assessments can be done at various levels
Contract only
Lite assessments (Questionnaire)
Heavy Assessments (Questionnaire)
On-site Assessments
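As an added example that is not part of the presentation, the following Python turns a subset of the determination-questionnaire answers from slides 9 through 14 into a risk rank, a level of scrutiny from slide 17 and a review cadence from slide 15. The question subset, the point weights, the tier thresholds and the review intervals are assumptions chosen to illustrate a scoring model, and the three sample engagements are constructed; a real program would calibrate the weights against its own risk appetite.

```python
"""Turn determination-questionnaire answers into a risk rank and assessment level.

Added example, not from the presentation: the question subset, point weights,
tier thresholds and review cadence below are assumptions for illustration.
"""
from dataclasses import dataclass
from enum import Enum


class DataType(Enum):
    """Q1: most sensitive class of data the third party touches (assumed taxonomy).
    The enum value doubles as the points that class contributes to the score."""
    PUBLIC = 0
    INTERNAL = 2
    CONFIDENTIAL = 5
    REGULATED = 8  # e.g. PII, PHI or cardholder data


@dataclass
class Determination:
    """Answers to a subset of the determination questions (Q numbers follow the slides)."""
    data_type: DataType             # Q1
    daily_records: int              # Q2 greatest daily average record count
    network_connectivity: bool      # Q4 inbound/outbound connectivity or DB/admin access
    physical_access: bool           # Q5
    builds_software: bool           # Q7 creates/modifies software or deploys devices
    offshore: bool                  # Q8
    cloud_solution: bool            # Q10
    fourth_party_count: int         # Q12
    transacts_on_your_behalf: bool  # Q17
    customer_facing: bool           # Q23
    strategic_vendor: bool          # Q25


@dataclass(frozen=True)
class RiskRank:
    tier: str
    assessment: str     # slide 17 level: contract only / lite / heavy / on-site
    on_site: bool
    review_months: int  # how often the relationship is re-assessed


def in_scope(d: Determination) -> bool:
    """Slide 9 gate: does any criterion apply that makes an assessment necessary?"""
    return (d.data_type is not DataType.PUBLIC or d.network_connectivity
            or d.physical_access or d.builds_software or d.transacts_on_your_behalf)


def risk_score(d: Determination) -> int:
    """Additive score with assumed weights; the maximum reachable score is 32."""
    score = d.data_type.value
    if d.daily_records >= 100_000:
        score += 4
    elif d.daily_records >= 1_000:
        score += 2
    weighted_flags = [
        (d.network_connectivity, 3), (d.physical_access, 2), (d.builds_software, 2),
        (d.offshore, 2), (d.cloud_solution, 1), (d.transacts_on_your_behalf, 3),
        (d.customer_facing, 2), (d.strategic_vendor, 2),
    ]
    score += sum(weight for flag, weight in weighted_flags if flag)
    score += min(d.fourth_party_count, 3)  # capped so Q12 alone cannot dominate
    return score


# (minimum score, tier, assessment level, on-site needed, review cadence in months)
TIERS = [
    (18, "Critical", "On-site assessment (AUP)", True, 12),
    (11, "High", "Heavy assessment (SIG Full)", False, 12),
    (5, "Medium", "Lite assessment (SIG Lite)", False, 24),
    (0, "Low", "Contract only", False, 36),
]


def rank(d: Determination) -> RiskRank:
    """Slide 15: decide level of scrutiny, on-site need and frequency of review."""
    score = risk_score(d) if in_scope(d) else 0
    for minimum, tier, assessment, on_site, months in TIERS:
        if score >= minimum:
            return RiskRank(tier, assessment, on_site, months)
    raise AssertionError("unreachable: the Low tier has minimum 0")


# Constructed sample engagements, not real vendors.
GROUNDSKEEPER = Determination(DataType.PUBLIC, 0, False, True, False, False,
                              False, 0, False, False, False)
PAYROLL_PROCESSOR = Determination(DataType.REGULATED, 50_000, True, False, False, True,
                                  True, 2, True, False, True)
MARKETING_SAAS = Determination(DataType.CONFIDENTIAL, 500, True, False, False, False,
                               True, 1, False, False, False)

if __name__ == "__main__":
    for name, d in [("groundskeeper", GROUNDSKEEPER),
                    ("payroll processor", PAYROLL_PROCESSOR),
                    ("marketing SaaS", MARKETING_SAAS)]:
        r = rank(d)
        print(f"{name}: score={risk_score(d)} tier={r.tier} -> {r.assessment}, "
              f"review every {r.review_months} months")
```

The gate in in_scope mirrors slide 9: an engagement that meets none of the criteria is contract-only without scoring, while a groundskeeper with physical access passes the gate but still lands in the Low tier, which is the slide 8 point that not every relationship needs intense scrutiny. Keep the score, the tier and the date of the decision with the assessment record so that the risk acceptance or remediation path on slide 16 can be traced back to the answers that produced it.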
18. One of the most frequently selected options is:
Shared Assessments Standard Information Gathering Questionnaire (SIG) Lite and Full
Questionnaire submitted to vendors to assess control effectiveness
Evidence is collected in support of the answers provided
Sometimes evidence is viewed but not physically received
On-site Assessments using Agreed Upon Procedures (AUP)
Guideline for on-site assessments
19. Shared Assessments SIG Lite and SIG Full
A. Risk Management
B. Security Policy
C. Organizational Security
D. Asset Management
E. Human Resource Security
F. Physical and Environmental
G. Communications and Operations Management
20. H. Access Control
I. Information Systems Acquisition Development & Maintenance
J. Incident, Event & Communications Management
K. Business Continuity and Disaster Recovery
L. Compliance
M. Mobile
P. Privacy
21. Q. Software Security
V. Cloud Security
Z. Additional Questions
22. Contractual Agreements
Should be included with every contract (based on determination)
Should be negotiable
Should be general enough to allow flexibility, but specific enough to ensure security
Should ensure accountability