Third Party Risk Management - Domain Overview


Third Party Risk Management
Cincinnati ISACA
September 2014
Christopher Dorr

Third Party Risk Management


Your company spends millions of dollars on IT security: systems, technologies, appliances
InfoSec professionals
Internal Audit professionals
External Auditors
Processes, technologies, systems

Then some manager in marketing dumps your client data to an Excel spreadsheet and emails it to a direct mail firm in Omaha.
Perhaps even worse: it is usually not random, and usually not one vendor. Often thousands of vendors.

Overview: Third Party Risk Management
1. What it is
2. Business value and justification
   Two main regulatory drivers: HIPAA & OCC 2013-29
3. What it looks like
   Case study
   Information Security focus, but many additional areas of risk

Vendor Breach Background


Fazio Mechanical Data Breach
Fazio Mechanical is a 100-staff, $12M revenue HVAC company
Perhaps better known for the $250,000,000 Target data breach
A full analysis of the breach is beyond the scope of today's presentation, and much of what is described below is unconfirmed.

Vendor Breach Background


Fazio Mechanical was a vendor to Target for HVAC services
Started with Fazio being targeted by a typical phishing attack
Fazio connected to Target's internal systems for billing, contract management and contract submission via a vendor portal called Ariba

Target Design Process
[Diagram; labels recovered from the slide: Internet, Fazio (Vendor), Ariba Vendor Platform, Internal A/P and GL, Internal POS, Bank]

Target Breach
[Diagram; labels recovered from the slide: Internet, Attacker, Fazio, Ariba, SQL Injection & Privilege escalation, Internal Staging Server, Internal A/P and GL, POS systems with RAM Scraping malware, Bank]
Target by the Numbers


40,000,000 - Number of credit and debit card numbers stolen
70,000,000 - Number of non-credit-card PII records stolen
November 27 to December 15, 2013 - Duration of theft
46% - The percentage drop in profits for 4th quarter 2013 from the year before
$250,000,000 - Total estimated costs as of August 2014
$90,000,000 - Amount paid by Target's insurers (maxed out)
$54,000,000 - Estimated amount generated from sale of the stolen cards
0 - Number of CIOs and CEOs who kept their jobs

Third Party Breach Numbers


41% to 63% of breaches involved third parties
Per-record costs of a 3rd party breach are higher: $231 vs. $188
71% of companies failed to adequately manage risk of third parties
92% of companies planned to expand their use of vendors in 2013
90% of anti-corruption actions by DOJ involved 3rd parties

Third Party Risk Management

What Is it?


TPRM: What It Is
Third Party Risk Management (TPRM) is the process of analyzing and controlling risks presented to your company, your data, your operations and your finances by parties OTHER than your own company.
Due Diligence is the investigative process by which a company or other third party is reviewed to determine its suitability for a given task. Due diligence is an ongoing activity, including review, monitoring, and management communication over the entire vendor lifecycle.
There is no universally accepted framework comparable to COBIT or COSO.

TPRM: Who It Is
Vendors
Customers
Joint Ventures
Counterparties
Fourth parties

Third Party Risk Management

Why Should We Do it?


Business Justifications
Reduce likelihood of data breach costs
Reduce likelihood of costly operational failures
Reduce likelihood of vendor bankruptcy
Regulatory mandates may require it
Prudent due diligence is an ethical obligation
Audit where the risk is
The enterprise risk portfolio may expose the organization to the most risk here

Regulatory Guidance
Office of the Comptroller of the Currency (OCC)
US Department of Health & Human Services (HHS)
State data breach laws

Regulatory Requirements
The strongest language so far is for financial institutions regulated by the Office of the Comptroller of the Currency
If precedents hold true, this will likely migrate to other financial entities, healthcare entities, and government contractors
Consumer Financial Protection Bureau (CFPB)
Since 2012, has imposed over $1 billion USD in fines
Was partially in response to the 2008 financial crisis: banks did not manage risk well.

OCC 2013-29
Very comprehensive guidance requiring banks to proactively evaluate ALL risks associated with ALL third parties
Issued in October 2013, governing all financial institutions regulated by the OCC
The closest thing we currently have to a generally accepted framework
"A third-party relationship is any business arrangement between a bank and another entity, by contract or otherwise."
"The Office of the Comptroller of the Currency (OCC) expects a bank to practice effective risk management regardless of whether the bank performs the activity internally or through a third party. A bank's use of third parties does not diminish the responsibility of its board of directors and senior management to ensure that the activity is performed in a safe and sound manner and in compliance with applicable laws."

OCC 2013-29
An effective risk management process throughout the life cycle of the relationship includes:
Plans that outline the bank's strategy, identify the inherent risks of the activity, and detail how the bank selects, assesses, and oversees the third party.
Proper due diligence in selecting a third party.
Written contracts that outline the rights and responsibilities of all parties.
Ongoing monitoring of the third party's activities and performance.
Clear roles and responsibilities for overseeing and managing the relationship and risk management process.
Documentation and reporting that facilitates oversight, accountability, monitoring, and risk management.
Independent reviews that allow bank management to determine that the bank's process aligns with its strategy and effectively manages risks.

HIPAA - HITECH
In 2009, the HITECH Act extended compliance requirements explicitly to Business Associates
Business Associates are persons or entities using PHI to perform services for a covered entity.
PHI: medical-related PII
Many third parties in healthcare have access to PHI; it is very difficult to perform substantive activities without it
Fines can be imposed on the Covered Entity (insurer, hospital, etc.) for the actions of a delegate

HIPAA Example
A Massachusetts General employee took some work home
Accidentally left 192 patient billing records on the subway
HHS imposed a $1,000,000 fine
HHS imposed a three-year corrective action plan
What would have happened had this been a vendor?
Would there be a difference depending on due diligence?
Fines seem to be directly related to how lackadaisical oversight was

State Data Breach Laws
Many different laws
Almost all laws have provisions requiring notification within a certain period after detection
Detection by whom?
Most appear to make no distinction between losses caused by an entity and losses caused by an entity's vendor
Penalties
Up to $500,000 in civil penalties per breach for failure to notify timely (Florida)
$5,000 per violation if notice is not received within 10 days; every subsequent day it is not received is a separate violation (Louisiana)

Third Party Risk Management

What Does It Look Like?


What TPRM Looks Like: Process
1. Initial Risk Review
   1. Based on risk tier
   2. Documentation review
   3. On-site review
   4. Business process documentation
   5. Inherent risk/residual risk
   6. Remediation plan
2. Ongoing Monitoring
   1. Both for changed risks and for changes at the vendor
3. Recurring Reviews
   1. Based on risk tier

What TPRM Looks Like: Elements
The Four RMs
1. Risk Measurement
   1. Linked to ERM
   2. Measures the risk of both the activity itself and of the vendor in particular
2. Risk Management
   1. Standard mechanisms for dealing with risk: accept, decline, transfer, modify
3. Risk Monitoring
   1. New/evolving risks
   2. Vendor changes
4. Response Management
   1. Incident response, both on your part and the vendor's

What TPRM Looks Like - Assessment
Using OCC 2013-29 as a framework, banks should consider the following:
Legal and regulatory compliance
Financial condition
Qualifications, backgrounds and reputations of company principals
Risk management
Information security and management (including physical and logical security)
Incident reporting and management
Reliance on subcontractors
Contract language, including right to audit and metrics

Case Study
RandomCo: a 300-employee, midsized, technology-oriented company
Specialized in document management and OCR
Being considered for an engagement that required high levels of data security, operational reliability, and performance
Would be subject to HIPAA requirements

Stage I Case Study
Reviewed SAS 70 (Type 1)
Reviewed architectural documentation
Reviewed online reputation
Reviewed legal entanglements
Reviewed summary financials
Nothing significantly negative was found

RandomCo Case Study
Glass-sided stand-alone office building, surrounded by a public, ungated parking lot
Scanned for wireless networks. They had a RandomCoProd SSID with WEP encryption
Unlocked front door
No security cameras
Netgear wireless router bolted to the wall in a stairwell
Unlocked server room and networking closet

RandomCo Case Study
Data center served by a single internet feed
Some systems were RAID 5
Some servers were recycled desktops running Linux
Disaster Recovery Plan never tested
Backup Plan:
   Network admin drove to the data center
   Network admin took the tapes out of the servers
   Network admin threw the tapes in his trunk
   Network admin drove the tapes home

Why this story?
Not because it was particularly bad
In fact, not the worst
Many smaller vendors lack controls
Many vendors will be 25-200 person companies (28M small businesses)
No full-time IT, let alone IT Security
Would never have known without the on-site review
Vendor Development

Tools
Vendor tiering or stratification
   Tier 1: Critical vendors (10%): PII + critical systems
   Tier 2: Major vendors (40%): PII OR critical systems
   Tier 3: Vendors (50%): commodities/low-risk purchases
Workflow tools
Capability Maturity Model
Vendor scorecards (maintained by the business owner of the vendor)

Tools
Shared Assessment Group (Santa Fe Group): Shared Information Gathering Tool (SIG)
   Current version costs $5000
   Version 6.0 freely available, but dated
   Lite and full versions provide flexibility
Vendor research tools
   Dun & Bradstreet Supplier Risk Manager
   Lexis Nexis
Research and monitoring tools
   Variety of checklists available online
Contracting language: right to audit, required reporting, standards

Risk Capability Maturity Model
Are the vendor's risk management processes:
   Defined?
   Comprehensive?
   Repeatable?
   Measured?
   Reliable?
Maturity levels shown on the slide:
   Processes are organized, formalized and documented
   Processes are formalized, measured empirically and controlled
   Processes are highly mature, and emphasize system feedback and improvement
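An added example (not from the deck) that combines the tiering rule from the Tools slide (Tier 1 = PII and critical systems, Tier 2 = PII or critical systems, Tier 3 = neither) with a vendor's maturity level from this slide to produce a review plan. The five-level maturity ladder, the 20%-per-level residual-risk discount, the review cadence, the on-site rule and the vendor inventory are all assumptions constructed for illustration.

```python
"""Vendor tiering plus a maturity-adjusted residual-risk score (added example,
not from the deck; the ladder, discount, cadence and on-site rule are assumed)."""
from dataclasses import dataclass

# Assumed five-level ladder; the slide names only the upper three levels.
MATURITY = {1: "ad hoc", 2: "repeatable", 3: "organized and documented",
            4: "measured and controlled", 5: "feedback and improvement"}

@dataclass
class Vendor:
    name: str
    handles_pii: bool
    touches_critical_systems: bool
    inherent_risk: int  # 1 (low) .. 5 (high), set by the business owner
    maturity: int       # 1 .. 5, per MATURITY

def tier(v: Vendor) -> int:
    """Tier 1: PII AND critical systems; Tier 2: one of them; Tier 3: neither."""
    if v.handles_pii and v.touches_critical_systems:
        return 1
    if v.handles_pii or v.touches_critical_systems:
        return 2
    return 3

def residual_risk(v: Vendor) -> float:
    """Assumption: each maturity level above 1 removes 20% of inherent risk."""
    return round(v.inherent_risk * (1 - 0.2 * (v.maturity - 1)), 2)

def review_plan(v: Vendor) -> dict:
    """Assumed cadence: Tier 1 yearly, Tier 2 every 2 years, Tier 3 every 3;
    on-site review for every Tier 1 vendor and for immature Tier 2 vendors."""
    t, rr = tier(v), residual_risk(v)
    return {"tier": t, "residual_risk": rr,
            "review_months": {1: 12, 2: 24, 3: 36}[t],
            "on_site": t == 1 or (t == 2 and v.maturity <= 2),
            "remediation_required": rr >= 3.0}

def tier_distribution(vendors) -> dict:
    """Percent of vendors per tier, to compare with the 10/40/50 rule of thumb."""
    counts = {1: 0, 2: 0, 3: 0}
    for v in vendors:
        counts[tier(v)] += 1
    return {t: round(100 * c / max(len(vendors), 1)) for t, c in counts.items()}

# Constructed sample inventory (RandomCo modelled on the case study).
SAMPLE = [Vendor("RandomCo", True, True, 5, 1),
          Vendor("DirectMailOmaha", True, False, 3, 2),
          Vendor("HVACContractor", False, True, 4, 2),
          Vendor("OfficeSupplies", False, False, 1, 3)]
```

Running `review_plan` over `SAMPLE` flags RandomCo (Tier 1, ad hoc controls) for an on-site review and remediation, while the commodity supplier needs neither.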

Personal Observations
Very cost-effective way to manage risk
One day on-site is often all that is required
A complete review (including on-site) can cost less than $1,000
Lots of low-hanging fruit
Emphasis area: Test data
Emphasis area: Data retention & lifespan management
Emphasis area: Physical security
Emphasis area: Cloud reliance and architecture
Often you get more pushback from internal parties. Many vendors appreciate the free consulting

Summary
70% of companies do not adequately do this now, yet over 90% say they will INCREASE their use of third parties.
Data breaches caused by third parties cost $43 per record more than other breaches, yet account for over 40% of all breaches.
Effective TPRM involves a combination of oversight and review of the external partner AND implementation of internal controls and processes.

Given the risk exposure and costs involved, TPRM can be the single most cost-effective risk management program that a company can implement, and Internal Audit and InfoSec can contribute in many significant ways.

Target Breach - TPRM
Third-party risk management failures contributed to the attacks
Vendor used the FREE Malwarebytes Anti-Malware software
   The free version is only an on-demand scanner. No real-time scanning.
Target did not require vendors to use multi-factor authentication
If the vendor used free anti-malware, what is the probability that it required users to take security training? Or implemented an enterprise email system that might have caught the phishing attack?
But Target also left vast amounts of sensitive data about vendors on unsecured systems. This is also about vendor management.
Ariba is a vendor too. Was testing/scanning for SQL injection and the architecture reviewed?
How was Ariba monitoring for unusual activity?

Questions?


