Third Party Risk Management - Domain Overview
Cincinnati ISACA
September, 2014
Christopher Dorr
[Diagram: vendor connectivity before the breach. Elements: Internet, Fazio (vendor), Bank, A/P and GL, Internal network, POS systems]
[Diagram: Target Breach. Elements: Internet, Fazio (vendor), Ariba, A/P and GL, Internal network, Staging Server, POS systems, RAM scraping malware, Attacker, Bank]
What Is It?
TPRM: What It Is
Third Party Risk Management (TPRM) is the process of analyzing and controlling risks presented to your company, your data, your operations and your finances by parties OTHER than your own company.
Due Diligence is the investigative process by which a company or other third party is reviewed to determine its suitability for a given task. Due diligence is an ongoing activity, including review, monitoring, and management communication over the entire vendor lifecycle.
There is no universally accepted framework like COBIT or COSO.
TPRM: Who It Is
Vendors
Customers
Joint Ventures
Counterparties
Fourth parties
Business Justifications
Reduce likelihood of data breach costs
Reduce likelihood of costly operational failures
Reduce likelihood of vendor bankruptcy
Regulatory mandates may require it
Prudent due diligence is an ethical obligation
Regulatory Guidance
Office of the Comptroller of the Currency (OCC)
US Department of Health & Human Services (HHS)
State data breach laws
Regulatory Requirements
The strongest language so far is for financial institutions regulated by the Office of the Comptroller of the Currency.
If precedents hold true, this will likely migrate to other financial entities, healthcare entities, and government contractors.
Consumer Financial Protection Bureau (CFPB): since 2012, it has imposed over $1 billion USD in fines.
This was partially in response to the 2008 financial crisis; banks did not manage risk well.
OCC 2013-29
Very comprehensive guidance requiring banks to proactively evaluate ALL risks associated with ALL third parties.
Issued in October 2013, governing all financial institutions regulated by the OCC.
The closest thing we currently have to a generally accepted framework.
A third-party relationship is any business arrangement between a bank and another entity, by contract or otherwise.
The Office of the Comptroller of the Currency (OCC) expects a bank to practice effective risk management regardless of whether the bank performs the activity internally or through a third party. A bank's use of third parties does not diminish the responsibility of its board of directors and senior management to ensure that the activity is performed in a safe and sound manner and in compliance with applicable laws.
OCC 2013-29
An effective risk management process throughout the life cycle of the relationship includes:
Plans that outline the bank's strategy, identify the inherent risks of the activity, and detail how the bank selects, assesses, and oversees the third party.
Proper due diligence in selecting a third party.
Written contracts that outline the rights and responsibilities of all parties.
Ongoing monitoring of the third party's activities and performance.
Clear roles and responsibilities for overseeing and managing the relationship and risk management process.
Documentation and reporting that facilitates oversight, accountability, monitoring, and risk management.
Independent reviews that allow bank management to determine that the bank's process aligns with its strategy and effectively manages risks.
HIPAA - HITECH
In 2009, the HITECH Act extended compliance requirements explicitly to Business Associates.
Business Associates are persons or entities using PHI to perform services for a covered entity.
PHI: medical-related PII.
Many third parties in healthcare have access to PHI; it is very difficult to perform substantive activities without it.
Fines can be imposed on the Covered Entity (insurer, hospital, etc.) for the actions of a delegate.
HIPAA Example
A Massachusetts General employee took some work home.
Accidentally left 192 patient billing records on the subway.
HHS imposed a $1,000,000 fine.
HHS imposed a three-year corrective action plan.
What would have happened had this been a vendor?
Would there be a difference depending on due diligence?
Fines seem to be directly related to how lackadaisical oversight was.
2. Ongoing Monitoring
   1. Both for changed risks and for changes at the vendor
3. Recurring Reviews
   1. Based on risk tier
1. Risk Measurement
   1. Linked to ERM
   2. Measures the risk of both the activity itself and of the vendor in particular
2. Risk Management
   1. Standard mechanisms for dealing with risk: accept, decline, transfer, modify
3. Risk Monitoring
   1. New/evolving risks
   2. Vendor changes
4. Response Management
   1. Incident response, both on your part and the vendor's
Case Study
RandomCo: a 300-employee, midsized, technology-oriented company
Specialized in document management and OCR
Being considered for an engagement that required high levels of data security, operational reliability, and performance
Would be subject to HIPAA requirements
Tools
Vendor tiering or stratification
Tier 1: Critical vendors (10%): PII + critical systems
Tier 2: Major vendors (40%): PII OR critical systems
Tier 3: Vendors (50%): commodities/low-risk purchases
Workflow tools
Capability Maturity Model
Vendor scorecards (maintained by the business owner of the vendor)
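As an added example, not part of the original deck, the following Python script applies the tiering rule above (PII and critical systems decide the tier) to a constructed vendor inventory, reports the tier split for comparison with the 10/40/50 figures, and flags vendors whose tier-based recurring review has lapsed. The review interval per tier, the vendor names and the dates are all assumptions made for the example.

```python
from datetime import date, timedelta

# Tiering rule from the vendor stratification slide:
#   Tier 1: handles PII AND supports critical systems
#   Tier 2: handles PII OR supports critical systems
#   Tier 3: everything else (commodities / low-risk purchases)
# Review interval per tier is an ASSUMPTION for this example; the deck
# only says recurring reviews are "based on risk tier".
REVIEW_INTERVAL_DAYS = {1: 365, 2: 730, 3: 1095}
AS_OF = date(2014, 9, 1)  # constructed "today" for the sample run

def vendor_tier(handles_pii, critical_system):
    """Map a vendor's data and system exposure to its risk tier."""
    if handles_pii and critical_system:
        return 1
    if handles_pii or critical_system:
        return 2
    return 3

def review_due(vendor):
    """Date by which the next recurring review must be completed."""
    tier = vendor_tier(vendor["pii"], vendor["critical"])
    return vendor["last_review"] + timedelta(days=REVIEW_INTERVAL_DAYS[tier])

def overdue_reviews(vendors, today):
    """Names of vendors whose tier-based review window has lapsed."""
    return [v["name"] for v in vendors if review_due(v) < today]

def tier_distribution(vendors):
    """Percent of the inventory per tier, to compare with the 10/40/50
    split the deck gives as typical."""
    counts = {1: 0, 2: 0, 3: 0}
    for v in vendors:
        counts[vendor_tier(v["pii"], v["critical"])] += 1
    return {t: round(100 * c / len(vendors)) for t, c in counts.items()}

# Constructed sample inventory; names and dates are illustrative only.
VENDORS = [
    {"name": "Claims processor", "pii": True, "critical": True, "last_review": date(2014, 1, 10)},
    {"name": "Payroll SaaS", "pii": True, "critical": False, "last_review": date(2012, 5, 1)},
    {"name": "HVAC contractor", "pii": False, "critical": True, "last_review": date(2013, 8, 20)},
    {"name": "Office supplies", "pii": False, "critical": False, "last_review": date(2011, 3, 1)},
    {"name": "Document OCR vendor", "pii": True, "critical": True, "last_review": date(2013, 6, 1)},
]

if __name__ == "__main__":
    print("Tier split (%):", tier_distribution(VENDORS))
    print("Overdue as of", AS_OF, ":", overdue_reviews(VENDORS, AS_OF))
```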
Tools
Shared Assessment Group (Santa Fe Group): Shared Information Gathering Tool (SIG)
The current version costs $5000
Version 6.0 is freely available, but dated
Lite and full versions provide flexibility
Vendor research tools
Dun & Bradstreet Supplier Risk Manager
LexisNexis
Research and monitoring tools
A variety of checklists is available online
Contracting language: right to audit, required reporting, standards
[Capability Maturity Model figure; recoverable level descriptions:]
Processes are organized, formalized and documented
Processes are formalized, measured empirically and controlled
Processes are highly mature, and emphasize system feedback and improvement
Personal Observations
Very cost-effective way to manage risk
One day on-site often is all that is required
Complete review (including on-site) can cost less than $1,000
Lots of low-hanging fruit
Emphasis area: Test data
Emphasis area: Data retention & lifespan management
Emphasis area: Physical security
Emphasis area: Cloud reliance and architecture
Often you get more pushback from internal parties. Many
vendors appreciate the free consulting
Summary
70% of companies do not adequately do this now, yet over 90% say they will INCREASE their use of third parties.
Data breaches caused by third parties cost $43 per record more than other breaches, yet account for over 40% of all breaches.
Effective TPRM involves a combination of oversight and review of the external partner AND implementation of internal controls and processes.
Given the risk exposure and costs involved, TPRM can be the single most cost-effective risk management program that a company can implement, and Internal Audit and InfoSec can contribute in many significant ways.
Questions?