IT Vendor Assessments How safe is your data after it leaves your control? Howard Haile Bill McSpadden.


Topics Covered Why conduct a vendor audit? Organizing the internal processes Identifying who needs to be involved Get information about your vendors Survey and assess the vendors Monitor and remediate

Potential Problem Areas Industries: banking, healthcare. Business processes: employee processes (payroll, 401k), customer service. IT processes: cloud computing, backup/recovery, help desk.

Why Audit Your Vendor? You can’t control information once it leaves your control You are putting a great deal of control in the hands of your vendors Your vendor may pass your data to other people – who you don’t know and who have no obligation to you

A hack on your vendor may leave your organization as exposed as if you had been hacked.

Why Not a SAS70? SAS70 does not specify a predetermined set of control objectives or control activities that service organizations must achieve. SAS70 is used for financial reporting compliance, not other compliance requirements (HIPAA, GLB, etc.). May not cover some important areas like Disaster Recovery, etc. May not be available (vendor too small, or outside the US). (SAS70 has since been replaced by SSAE 16 / SOC reports; the same caveat applies to a SOC 1, which is scoped to financial-reporting controls, while a SOC 2 covers security, availability and related criteria.)

Other 3rd Party Reviews? You may be able to use the results of other 3rd party reviews to reduce the burden of 1st party inspection. However, your organization should still perform its own risk assessment! Shared Assessments: an organization that publishes a standardized set of assessment criteria.

Other Types of Reviews ISO (info security) ISO 9000 series (quality) Trust Services (security oriented including availability)

Get Everyone On Board Develop standards and procedures surrounding data Make sure it covers Vendor management (purchasing, etc.) IT Field offices Employee Awareness

Purchasing Get a 'right to audit' clause in the contract. Spell out obligations: proactive requirements (not just penalties for failure), and prescribe the necessary precautions. Make the obligations part of the solicitation and scoring. Include 'claw-back' provisions in the contract for expenses incurred as a result of a breach.

IT Information classification needs to be emphasized Heightened awareness required, particularly involving data repositories Strong change request process is very useful Need heightened awareness involving encryption Direct access to your network heightens the risk as it potentially exposes ALL of your data!!!

Field Offices What is their ability to contract independently? How decentralized is IT?

Employee Awareness Employees need to be aware of data sensitivity Reminder that attachments (spreadsheets, cut/paste lists, etc.) are covered Provide a point of contact for questions Periodic reminders

Data classification Sensitive data needs to be identified Remember combinations of data Don't send unnecessary data, e.g. account numbers

Discussion Questions 1. Should you hold your vendors to the same information security specs as your own? 2. Do you hold your vendors to the same information security specs as your own? 3. What would it take to satisfy you of the vendors' security over information? 4. What is your organization doing to satisfy itself with regard to vendor security?

Assessment Process 1. Rank the risk 2. Identify the vendors (all or some?) 3. Survey vendors 4. Score the survey 5. Identify weaknesses 6. Decide on remediation process

Pre-Survey Steps Does the vendor know what is expected – in detail? Do you have a good contact at the vendor, if permitted? What sort of tracking system do you need? Who is responsible for devising, administering and scoring the survey?

Survey Process Develop the survey Devise a scoring system (Keep it simple!) Design the questions to be ‘gradable’ Have all vendors complete a standard questionnaire. Review and score questionnaire – use same criteria. Use 'skepticism' when grading Evaluate by predetermined score

Survey Considerations Once the high-risk vendors are completed, are you comfortable with the results? If not, keep going until you begin to feel comfortable. Evaluate risks against questionnaire score: high-risk data/processes necessitate a high vendor score. Determine if additional info, including a site visit, is needed.

On-site inspections? High risk vendors may require on-site inspection High risk implies sensitive data and/or questionable safeguards Set up a schedule based on risk assessment. The higher the risk, the greater the frequency. Might be a good opportunity for employing consultants whose presence overlaps your vendors
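The assessment steps above (rank the risk, score a standard questionnaire, compare the score against the risk of the data involved, decide on an on-site visit) and the earlier data-classification point about combinations of data elements, worked through as an added example. This code is not from the original presentation; the classification rules, question weights, tier thresholds and the two sample vendors with their answers are constructed assumptions for illustration only.

```python
"""Risk-tiered scoring of a vendor security questionnaire (added example).

Classification rules, question weights, tier thresholds and sample vendor
answers are all constructed assumptions, not data from the presentation.
"""
from dataclasses import dataclass

# Assumed classification rules. An identifier alone is low risk; an
# identifier combined with a sensitive element is high risk. This is
# the "remember combinations of data" point from the classification slide.
IDENTIFIERS = {"name", "email", "employee_id"}
SENSITIVE = {"ssn", "account_number", "card_number", "health_record", "salary"}


def classify_feed(elements):
    """Return 'high', 'medium' or 'low' for the data elements sent to a vendor."""
    elems = set(elements)
    has_id = bool(elems & IDENTIFIERS)
    has_sensitive = bool(elems & SENSITIVE)
    if has_id and has_sensitive:
        return "high"
    if has_sensitive:
        return "medium"
    return "low"


# Assumed policy: the questionnaire score a vendor must reach for each
# risk tier, and whether that tier always gets an on-site inspection.
TIER_POLICY = {
    "high": {"min_score": 85, "on_site": True},
    "medium": {"min_score": 70, "on_site": False},
    "low": {"min_score": 50, "on_site": False},
}


@dataclass(frozen=True)
class Question:
    qid: str
    text: str
    weight: int             # relative importance of the control
    critical: bool = False  # a flat 'no' here fails the vendor outright


# One standard questionnaire for every vendor. Each answer is graded
# 0 (no / no evidence), 1 (partial) or 2 (yes, with evidence).
QUESTIONS = [
    Question("Q1", "Our data is encrypted in transit", 3, critical=True),
    Question("Q2", "Our data is encrypted at rest", 3, critical=True),
    Question("Q3", "Incident response plan notifies us promptly", 2, critical=True),
    Question("Q4", "Background checks on staff with data access", 2),
    Question("Q5", "Change control with documented sign-off", 1),
    Question("Q6", "Recovery of our data tested in last 12 months", 2),
    Question("Q7", "Subcontractors disclosed and assessed", 2, critical=True),
]


def score_answers(answers):
    """Return (score 0-100, deficiencies ordered by remediation priority).

    Grade skeptically: a missing answer is 0, no evidence means no credit.
    """
    earned = possible = 0
    deficiencies = []
    for q in QUESTIONS:
        grade = answers.get(q.qid, 0)
        if grade not in (0, 1, 2):
            raise ValueError(f"{q.qid}: grade must be 0, 1 or 2, got {grade!r}")
        earned += q.weight * grade
        possible += q.weight * 2
        if grade < 2:
            deficiencies.append((q, grade))
    # Critical controls first, then heavier weights, then the worse grade.
    deficiencies.sort(key=lambda d: (not d[0].critical, -d[0].weight, d[1]))
    return round(100 * earned / possible), deficiencies


def assess_vendor(name, elements, answers):
    """Combine the data risk tier with the questionnaire score into a decision."""
    tier = classify_feed(elements)
    policy = TIER_POLICY[tier]
    score, deficiencies = score_answers(answers)
    critical_gaps = [q.qid for q, g in deficiencies if q.critical and g == 0]
    passed = score >= policy["min_score"] and not critical_gaps
    return {
        "vendor": name,
        "tier": tier,
        "score": score,
        "min_score": policy["min_score"],
        "passed": passed,
        # Sensitive data or questionable safeguards: either warrants a visit.
        "on_site": policy["on_site"] or not passed,
        "critical_gaps": critical_gaps,
        "remediation": [q.qid for q, _ in deficiencies],
    }


# Constructed sample vendors; neither the names nor the answers are real.
SAMPLE_VENDORS = [
    ("payroll-vendor", {"name", "ssn", "salary", "account_number"},
     {"Q1": 2, "Q2": 2, "Q3": 1, "Q4": 2, "Q5": 1, "Q6": 0, "Q7": 2}),
    ("survey-tool", {"email"},
     {"Q1": 2, "Q2": 1, "Q3": 2, "Q4": 0, "Q5": 2, "Q6": 1, "Q7": 2}),
]


def run_samples():
    """Assess every sample vendor; the payroll vendor fails, the survey tool passes."""
    return [assess_vendor(*vendor) for vendor in SAMPLE_VENDORS]
```

Two design points worth noting. The required score is not fixed: it comes from the tier of the data actually sent, so the same 77% that would pass a low-risk survey tool fails a payroll vendor holding names with SSNs and account numbers. And a critical control answered with a flat "no" fails the vendor regardless of the total, so a strong score elsewhere cannot mask an undisclosed subcontractor or unencrypted transport; the ordered remediation list is what goes to purchasing and the business unit.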

Vendor - Background Info Nature of service provided. Frequency that information is supplied to the vendor. List of data elements provided (selection criteria are not essential). How data is transported (transport method and encryption technique).

Vendor - Background (cont’d) Will any of the data reside outside of the US? Are any of the services provided further outsourced? (If so, more detailed information on nature, location, etc. is required)

Vendor Oversight Regulatory or other governance the vendor must follow (HIPAA, PCI, banking, SOX, SAS70, etc.). Are your data/processes covered by those compliance processes? If so, can those regulatory bodies affect your organization? Employee policies (confidentiality agreements, background checks, termination process within systems, etc.).

Vendor – Process Inventory Provide a specific list of servers, databases, and networks where data will reside or be processed Provide information on each (location, operating systems, age, etc.)

Vendor - Security Questions Describe security policies Provide data classification grid How does your vendors’ classification match your data classification scheme Technical/logical system controls

Vendor – Physical Risks Physical security of facilities (accessibility by public) Data Center Off-site data storage – is your data going to yet another vendor? Call center services (if in scope) Identity theft monitoring process

Vendor Business Continuity Business Continuity plans (may not be in scope depending upon nature of the services provided) What is the recovery timeframe for your data and equipment? Does response time match your need? Does the response time match your contract? Has your data and equipment recovery been specifically tested?

Handling 3rd Parties What processes are further sub-contracted to a 3rd party? NOTE: the same assessment process needs to be followed for the 3rd party. What are your rights with regard to 3rd party inspections, or your ability to have the primary vendor inspect them?

Vendor Documentation Any documentation from third party reviews (PCI, SAS-70, BITS) Organization chart (especially showing security responsibility and hierarchy) Outline or listing of security policies and procedures in place (an index or table of contents, etc.) Process documentation or results of any security risk assessment processes

Vendor Doc (cont’d) Employee background check template to verify scope. Floor plan diagram showing security devices (i.e. cameras, badge readers, etc.). Access control list for the data center (if applicable). Account password settings (screen shot of settings for systems).

Vendor Doc (cont’d) Audit/logging policies for the systems processing or protecting your data. Data retention and secure purging related policies and procedures. eDiscovery program. Incident response plan: is your organization notified promptly? A sample of the change control sign-off form or document recording approval for system/software changes.

Managing Deficiencies Prioritize the deficiencies Ensure that purchasing and business unit is aware of vendor deficiencies – and potential impact Work with vendor and purchasing to develop a reasonable timeline to fix If necessary, begin enforcing contractual penalties

One More Thought (or so) If you provide outsourced services: What are you doing to provide this info? Are you meeting your obligations? What are the processes for keeping your clients informed? What do you outsource that might create a problem?

Call to Action Assess the process for managing information flow to outside parties Identify the risks for data residing outside your direct control Evaluate external organizations’ ability to secure your data

More Information Shared Assessments Agreed Upon Procedures Standard Info Gathering Questionnaire Low/high risk questionnaire Business Continuity questionnaire Privacy Continuity questionnaire

Questions & Contact Info Bill McSpadden Howard Haile