Discussion of controls in place at vendors, both locally and remotely, to ensure that privacy and confidentiality of customer data is given top priority.
Discussion of the audit and oversight program in place to ensure the above.
Privacy & Security Controls In Vendor Management Al Raymond
1. Privacy & Security Controls in Vendor Management
Al Raymond, Chief Privacy Officer, PHH Corporation
2. Background
PHH Corporation
- One of the top five originators of retail residential mortgages in the United States
- Largest private label mortgage company
- 2nd largest fleet vehicle management company
- 300+ of the country’s largest financial institutions as clients – banks, thrifts, S&Ls, credit unions
3. Background
- Use vendors in and outside the U.S.
- Audited by everyone, every day
4. Agenda
- Discussion of controls in place at vendors, both locally and remotely, to ensure that privacy and confidentiality of customer data is given top priority.
- Discussion of the audit and oversight program in place to ensure the above.
5. Challenges
- Heightened visibility and profile of vendor management, particularly of offshore vendors, is causing many companies to finally formalize and document their vendor management program.
- Banking institution clients, and especially legislation, are requiring companies to ensure that they have ‘oversight’ of their vendors – and their vendors’ vendors.
- So, how do you put that program in place and ensure it is “operating effectively”?
6. Why do it? ’Cause Regulation says so
- Gramm-Leach-Bliley: the FTC Rule requires financial institutions to ensure the safeguards of their affiliates and take steps to oversee their service providers’ safeguards.
- Oversee service providers by: (1) taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information; and (2) requiring your service providers by contract to implement and maintain such safeguards.
7. More Regulation says
- HIPAA Privacy Rule: “a covered entity must obtain satisfactory assurances from its business associate that they will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity”.
8. Governance
- To be or not to be… in compliance?
- What’s needed? What should be in place?
14. The Prerequisites……….not kidding now
Contract Provisions (examples)
- Dictate how vendors and suppliers are securing information and protecting customer privacy
- Language should be included in all contracts to enforce compliance, for example: “Upon reasonable notice, we may perform audits and security tests of vendor’s environment that may include, but are not limited to, interviews of relevant personnel, review of documentation, or technical inspection of systems, as they relate to the receipt, maintenance, use, retention, and authorized destruction of vendor Confidential Information”
- Steer clear of vendors that do not have secure practices
- US court of law in case of disputes
15. Governance Approach – Define ‘risk’
Prioritizing On-Site Reviews – Determine who must be seen
High Risk Providers
- Service provided is either business critical, deals with sensitive PII/NPI/PHI data, or both.
- On-site reviews should be conducted every 24 months at least, ideally annually.
- Reviews should focus on significant changes in security stance and risk management, and on following up on any issues.
- Regular review of monitoring and oversight by management and end user groups.
Medium Risk Providers
- Service provided may be critical, but is not as time sensitive. May involve some level of PII/NPI/PHI data.
- On-site reviews should be conducted at least every 36 months.
- Discussions with company management, limited scope visits, reviews of significant security and service issues.
Low Risk Providers
- Service provided is not critical or time sensitive. Does not involve any PII/NPI/PHI data.
- Infrequent on-site reviews. Governance strategy may call for an initial on-site visit or limited scope examination.
- Periodic (generally at least every 24 months) off-site or informal reviews to confirm the risk ratings and obtain any information for security / service review documents.
16. Governance Approach………...continued
- Annual due diligence questionnaire submitted to Vendor
- Review of existing company security stance, security program, controls
- Evaluate new and/or proposed changes to infrastructure, any new facilities, any new procedures, etc. that may be relevant
- Evaluate financials
- Review independent controls assessments
17. On the Ground…….In Country
Additional information to uncover prior to production:
- Review any use of third parties/partners to support the outsourced operation
- Consideration of additional systems, data conversions, or connections
- Evaluate ability to respond to service disruptions
- If the nature of the data is PII/NPI/PHI, then a site visit to review the physical security of their data center or call center should be strongly considered
18. Information Security & Physical Controls
The conundrum: Onshore vs. Nearshore vs. Offshore
- Are all controls the same everywhere?
- Risk based? Or just perception of risk?
20. Information Security & Physical Controls
Back to reality: what controls are put in place and ultimately validated by inspection, observation and corroborative inquiry?
21. Information Security & Physical Controls – continued…
Physical and Environmental
- Physically separated VLAN – separate switch, router and firewall (ideally)
- Vendor employees to handle sensitive information in a secure production area only
- Geographically diverse facilities to ensure recovery in case of disaster
- No physical storage of data locally
- Thin client configuration (Citrix) to access company network and resources – all controlled / monitored by Company
22. Information Security & Physical Controls – continued…
Secured Connectivity
- Data connectivity through MPLS nodes to ensure business continuity
- Secondary B2B VPN connectivity for high availability
23. Information Security & Physical Controls – continued…
Vendor environment
- Enterprise anti-virus / personal firewall deployed
- No USB access, CD-RW, floppy drives or similar devices allowed on workstations
- Access to facility limited to authorized personnel, with on-site security guards and CCTV
24. Information Security & Physical Controls – continued…
System Access Control
- Unique username and password, with access control enforced at Active Directory
- Role-based, profile-based access to system resources
25. Information Security & Physical Controls – continued…
Operational Management – why I’m loved worldwide
- No printers or fax allowed in production area
- No paper, pens or cell phones allowed in production area
- Clipboard (cut and paste) feature disabled on both sides
- Web e-mail access blocked
- Limited Internet URL access – ‘white list’ defined by Company
- Monthly reconciliation process of new, existing and terminated employee accounts
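The monthly reconciliation of new, existing and terminated accounts on this slide is the control most readily automated: compare the roster Vendor Relations holds against what the directory actually allows to log in. The Python below is an added example, not material from the deck or from PHH; the roster and directory exports are constructed sample data, and the column names (user_id, sAMAccountName, enabled) are assumptions.

```python
"""Monthly reconciliation of vendor accounts against the authorized roster.
Added example, not from the original deck; the two exports below are constructed
sample data and the column names are assumptions, not any product's real format."""
import csv
import io

# Constructed: roster kept by Vendor Relations / HR, one row per vendor worker.
ROSTER_CSV = """user_id,status
v.smith,active
v.jones,terminated
v.patel,active
v.lee,active
"""
# Constructed: monthly export of the vendor accounts from the directory (e.g. Active Directory).
DIRECTORY_CSV = """sAMAccountName,enabled
v.smith,true
v.jones,true
v.patel,false
v.khan,true
"""

def load_csv(text, key):
    """Index CSV rows by the given key column."""
    return {row[key]: row for row in csv.DictReader(io.StringIO(text))}

def reconcile(roster_csv, directory_csv):
    """Return the exception lists the monthly review must clear before sign-off."""
    roster = load_csv(roster_csv, "user_id")
    accounts = load_csv(directory_csv, "sAMAccountName")
    findings = {
        "terminated_still_enabled": [],  # deprovisioning failure: terminated worker can still log in
        "unknown_accounts": [],          # enabled account nobody on the roster owns (unapproved / new)
        "active_without_account": [],    # active worker with no enabled account (onboarding gap or disabled in error)
    }
    for uid, acct in accounts.items():
        enabled = acct["enabled"].strip().lower() == "true"
        entry = roster.get(uid)
        if entry is None and enabled:
            findings["unknown_accounts"].append(uid)
        elif entry is not None and entry["status"] == "terminated" and enabled:
            findings["terminated_still_enabled"].append(uid)
    for uid, entry in roster.items():
        acct = accounts.get(uid)
        if entry["status"] == "active" and (acct is None or acct["enabled"].strip().lower() != "true"):
            findings["active_without_account"].append(uid)
    return {k: sorted(v) for k, v in findings.items()}  # sorted: stable, diff-able report month over month

if __name__ == "__main__":
    for category, users in reconcile(ROSTER_CSV, DIRECTORY_CSV).items():
        print(f"{category}: {', '.join(users) or 'none'}")
```

Each non-empty list is an audit exception: the first two are the findings that matter to the Audit Committee, the third is usually a ticketing gap but is kept so the review covers new accounts as well as terminated ones.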
26. Information Security & Physical Controls – continued…
Personnel Security
- Hiring protocols: criminal background check, signed NDA, signed acceptable usage policy, Company awareness training
- Access card
- Lockers for employee use outside of production area – no personal items on production floor
- Drug tests administered for all employees traveling to Company (e.g. training)
28. Additional Risk Management
Country Risk – quantify risk by assessing foreign political and economic conditions. Risk management procedures should evaluate contingency, service continuity, and exit strategies in the event of unexpected disruptions in service.
Monitor and analyze the following specific risks:
- Economic environment
- Political & overall legal environment
- Privacy & security laws (if any)
- Cultural environment
- Developments in new geographic locations of vendor
29. The Audit and Oversight Process
The ultimate objective is to “provide reasonable assurance to the Audit Committee and Management that appropriate control procedures are in place relative to the scope of outsourced services and operations, thus safeguarding our overall business, security and continuity interests”.
30. Audit and Oversight Process
Key aspects of the audit process include:
- Evaluate the adequacy and effectiveness of the vendors’ internal control systems
- Identify security lapses and/or Client contractual non-compliance
- Evaluate the procedures used by Vendor management to monitor key controls applicable to the project and the related vendor operations
31. Audit and Oversight Process…..continued
- Provide a work product that can be relied upon for Company’s internal compliance objectives
- Schedule and conduct audits in line with Company’s Annual Audit Plan as directed by the Internal Audit charter
32. Audit and Oversight Process…..continued
Audit scope/concerns include:
- IT General Controls
- Business Continuity Planning (BCP) and related activities
- Additional security related controls as deemed necessary based on risks
33. Audit and Oversight Process…..continued
- All offshore facilities of Vendor are subject to semi-annual visits by an Internal Audit resource and annual visits by the Mgmt team
- IA reports are presented to the VP of Internal Audit, Audit Committee and Board of Directors
- Findings are reported to InfoSec and/or Vendor Relations to begin the remediation process with Vendor
35. Conclusions
- Heightened visibility and profile of vendor management
- You either do it, and do it right, or your clients will do it for you (hint: you don’t want this)
- You must show due care and a level of reasonable risk assessment
- You are always liable
36. Privacy & Security Controls in Vendor Management
Thank You! Questions?
Al Raymond, PHH Mortgage
856.917.5499
Albert.Raymond@PHHMortgage.com