Ensuring Data Security at Third-Party Providers
DESCRIPTION
The presentation that was created and given at the Super Strategies Conference in Chicago on May 12, 2011.
TRANSCRIPT
![Page 1: Ensuring Data Security at Third-Party Providers](https://reader033.vdocuments.mx/reader033/viewer/2022051817/547a729b5906b52a358b4696/html5/thumbnails/1.jpg)
© If appropriate, Insert your organization’s copyright information
Session # D5
Ensuring Data Security at Third-Party Providers
Thursday, May 12, 2011, 1:30 – 2:45
Peter Hand, CISA, CRISC, Sr. Auditor
About your presenter
Peter Hand
– Bachelor's Degree in Computer Information Systems
– CISA and CRISC certified
– Former Computer Programmer who actually did coding for Y2K, and has to say that the movie Office Space hit what it was like right on the head
– Currently a Sr. IT Auditor for a Chicago-based company, performing Data Security audits at third-party providers
Key Points
Defining security requirements for third-party business partners in line with corporate policies
Creating and maintaining an inventory of third-party providers with services performed
Using your Internal Audit and Information Security teams to perform monitoring through audits and site visits
Linking corporate information security standards to third-party business partners requirements
Assumptions
In order to reach the true goal of locked-down Data Security, the following should be considered as part of your reality:
– The Earth, Sun, and Moon are all aligned
– There is an unlimited budget and resources are readily available
– 3-6-9-23-35-44 will be the winning lottery numbers
– The Chicago Cubs will win the World Series
Importance of Third Party Data Security
Why is Data Security so important?
– The trust factor
• Reputational impact
• Business impact
Importance of Third Party Data Security
Why is Data Security so important? (cont’d)
– The financial impact of a data breach (aka the bottom line)
• Per the 2010 Cost of a Data Breach study by the Ponemon Institute and Symantec (U.S. figures), the average cost of a data breach is $7.2 million per incident, a 7% increase from the previous year
• According to a Bloomberg.com article dated March 8, 2011, one breach incident cost a company $35.3 million
Importance of Third Party Data Security
Why is Data Security so important? (cont’d)
– The average cost of a breached record
• A record compromised through a malicious or criminal attack costs a company an average of $318
• A record compromised at a third party costs an average of $302
Importance of Third Party Data Security
The value of data, and why anyone would attempt to break into a system
– Tough economic times
– SSN = $1
– Medical Identity Information = $50
Importance of Third Party Data Security
What happens if a breach occurs at the Third Party Business Partner?
– Who is responsible and who gets the “black eye”?
Importance of Third Party Data Security
YOUR COMPANY
Importance of Third Party Data Security
[Slide 12: title only; the remaining slide content was not captured in the transcript]
The Four Areas of consideration
The path to ensuring Data Security at Third-Party Providers can be found in four areas:
– Internal Initiation / Setup / Standards
– External Relationship Initiation / Implementation
– Production State
– Termination State
Internal Initiation / Setup / Standards
Internal Initiation / Setup / Standards
Understand and maintain up to date documentation of your Third Party Business Partners with, at a minimum, the following:
– Policies & Procedures for defining contractual, technical, and business rule requirements before a relationship is initiated
– Business Partner Inventory
– Services rendered and performance Service Level Agreements (SLAs) of engaged Business Partners
– Costs
Internal Initiation / Setup / Standards
Policies & Procedures for defining contractual, technical, and business rule requirements should exist before a Business Partner relationship is initiated
– Policies & Procedures should be in place defining expected security requirements, SLAs, and any other expectations for Business Partners
– All of these expectations should be clearly defined and documented so that relationship expectations are clearly understood and can be communicated before beginning a relationship
Internal Initiation / Setup / Standards
Business Partner Inventory
– A comprehensive list needs to be maintained of all existing Business Partner relationships including the following:
• Internal relationship owner
• Primary Business Partner contacts
• Services performed
• Production implementation date
• Business instrument expiration / renewal date
Internal Initiation / Setup / Standards
Services rendered and performance SLAs of engaged Business Partners
– Understanding the services performed by Business Partners allows you to determine if this relationship can be leveraged for your needs, or if a new Business Partner relationship should be implemented
– Understanding the SLAs, and whether or not they are being met, will also allow you to determine if a relationship can be leveraged for new needs, as well as whether the relationship should be terminated or re-negotiated
Internal Initiation / Setup / Standards
Costs
– Understand the costs associated with the existing population to determine if it is cheaper to leverage an existing relationship or establish a new one
– When establishing a new relationship consider not only new work, but also transferring existing work if efficiencies and / or savings can be realized
Internal Initiation / Setup / Standards
Other considerations
– Clearly defined Production State parameters:
• Regularly scheduled status meetings
• Regular reporting on SLA achievement versus target
• A dedicated team in place for the "managing" of the relationship
Internal Initiation / Setup / Standards
Other considerations
– Clearly defined Relationship Termination parameters:
• How data will be handled upon relationship termination
• How final resolution of data storage will be handled
• How data destruction will be accounted for
External Relationship Initiation / Implementation
External Relationship Initiation / Implementation
Understand the requirements for engaging, pricing, testing, and implementing a Business Partner into production.
– Policies & Procedures for:
• Initiating contact
• Request for Information (RFI) requirements
• Request for Pricing (RFP) requirements
• Security standards
• Implementation standards
– Contractual requirements
– Site visits
External Relationship Initiation / Implementation
Initiating contact
– Central point of contact for handling Business Partner initiation, such as a procurement department
– A central business area contact, responsible for maintaining relationship and keeping open communication channels
– A central technical area contact, responsible for working with the Business Partner on all technical aspects of the relationship during the entire relationship lifecycle
External Relationship Initiation / Implementation
Request for Information (RFI)
– Documentation which outlines Business Partner requirements for services requested as well as security and business processing requirements
– Specific parameters outlining expected deliverables for RFI
External Relationship Initiation / Implementation
Request for Pricing (RFP)
– Documentation which outlines the Business Partner requirements for the services requested, as well as security and business processing requirements, so that pricing is based on the same scope the RFI defined
– Parameters defining the expected volume: the number of iterations of a process or control execution during a defined time period, such as monthly or weekly
External Relationship Initiation / Implementation
Security Standards
– Documentation outlining the security standards the Business Partner must meet for the services requested, covering both the technical controls and the business processing requirements for handling your data
External Relationship Initiation / Implementation
Security Standards (cont’d)
– Some security standards to consider include:
• An assigned contact, such as a Security Officer, responsible for ensuring compliance with all applicable regulations (such as HIPAA) and industry standards
• Defined Policies & Procedures for the technical and administrative controls for the handling of data
External Relationship Initiation / Implementation
Security Standards (cont’d)
• Continual Security Monitoring & Issue Reporting
• Monthly Performance Reporting
• Incident Response procedures, including breach notification procedures
• Employment screening (background checks) for any Business Partner staff who will interact with your data, whether newly hired or existing employees
External Relationship Initiation / Implementation
Implementation Standards
– Standard testing Policies & Procedures outlining all test cases and expected results
• This should include communication, security, and access testing
– Depending on the size of the contract, site visits should be performed at the Third Party's data centers to verify physical access security
External Relationship Initiation / Implementation
Implementation Standards (cont’d)
– Review different reports that may be available:
• SAS70 – Statement on Auditing Standards No. 70
– Allows service organizations to disclose their control activities and processes to their customers in a uniform reporting format. Note that SAS70 is being superseded by SSAE16 (SOC1) for reporting periods ending on or after June 15, 2011, so a SAS70 report on file will soon be the old format.
External Relationship Initiation / Implementation
Implementation Standards (cont’d)
• Service Organization Control Reports (SOC) – Provide a framework to examine controls and to help management understand related risks. There are three reporting options:
– SOC1 – Also known as SSAE16 (Statement on Standards for Attestation Engagements No. 16, Reporting on Controls at a Service Organization). This focuses on controls at a service organization that are likely to be relevant to an audit of a user entity's financial statements. SOC1 and SOC2 reports come as Type 1 (design of controls at a point in time) or Type 2 (operating effectiveness over a period, typically 6 to 12 months); only a Type 2 report gives evidence that the controls actually operated.
External Relationship Initiation / Implementation
Implementation Standards (cont’d)
– SOC2 – A report that specifically addresses one or more of the following five key system attributes (the Trust Services principles):
• Security
• Availability
• Processing Integrity
• Confidentiality
• Privacy
External Relationship Initiation / Implementation
Implementation Standards (cont’d)
– SOC3 – A general-use report that provides only the auditor's opinion on whether the system achieved the trust services criteria, without the control descriptions and test results of a SOC2 report (SOC1 and SOC2 reports are restricted-use and are normally released only to customers and their auditors, usually under NDA)
External Relationship Initiation / Implementation
Contractual Requirements
– Right to Audit clause
– Service Level Agreements defining expectations of services performed and expected delivery timeframes
– Business language requiring that any use of subcontractors by the engaged Business Partner be approved before their engagement
External Relationship Initiation / Implementation
Contractual Requirements (cont’d)
– Defined security requirements, tied to the security standards that were defined and tested during implementation
– Defined escalation procedures in the case of incidents / breaches
– Defined parameters for the handling of data in the case of relationship termination
Production State
Production State
Production State reporting and monitoring
– Periodic business partner reviews should be performed by a defined team. Some requirements to consider when performing the review:
• Review of audit documents such as SAS70 or SSAE16 reports
• Annual site visits to a selection of business partners based on pre-defined criteria, such as risk level or performance
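The inventory fields from the Business Partner Inventory slide and the Production State review criteria above (audit-document review, and site-visit selection by risk level or performance) can be turned into a routine check that runs against the inventory. The following is an added example, not code from the original presentation or the presenter's company: the fields risk_level, last_audit_report, sla_met and handles_sensitive_data, the 90-day renewal window and the 365-day maximum report age are assumptions, and the three partner records are constructed sample data.

```python
"""Business Partner inventory checks (added example, not from the original deck)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class BusinessPartner:
    name: str
    services: List[str]                       # services performed
    internal_owner: Optional[str]             # internal relationship owner
    partner_contacts: List[str]               # primary Business Partner contacts
    production_date: date                     # production implementation date
    instrument_expiry: Optional[date]         # business instrument expiration / renewal date
    risk_level: str = "low"                   # assumed field: low / medium / high
    last_audit_report: Optional[date] = None  # assumed field: date of the last SAS70/SSAE16/SOC report reviewed
    sla_met: bool = True                      # assumed field: SLA target met in the last reporting period
    handles_sensitive_data: bool = False      # assumed field: partner stores or processes your sensitive data


def inventory_findings(partners, today, renewal_window_days=90, report_max_age_days=365):
    """Return (partner name, finding) pairs for records that need attention before the next review."""
    findings = []
    for p in partners:
        if not p.internal_owner:
            findings.append((p.name, "no internal relationship owner"))
        if not p.partner_contacts:
            findings.append((p.name, "no primary Business Partner contact"))
        # Business instrument: expired, or up for renewal inside the window.
        if p.instrument_expiry is None:
            findings.append((p.name, "no instrument expiration / renewal date recorded"))
        elif p.instrument_expiry < today:
            findings.append((p.name, "business instrument expired"))
        elif p.instrument_expiry <= today + timedelta(days=renewal_window_days):
            findings.append((p.name, f"instrument renews within {renewal_window_days} days"))
        # Audit documents are only demanded from partners that touch sensitive data.
        if p.handles_sensitive_data:
            if p.last_audit_report is None:
                findings.append((p.name, "no audit report (SAS70/SSAE16/SOC) on file"))
            elif (today - p.last_audit_report).days > report_max_age_days:
                findings.append((p.name, "audit report older than review period"))
        if not p.sla_met:
            findings.append((p.name, "SLA target missed in last reporting period"))
    return findings


def select_site_visits(partners, today, report_max_age_days=365):
    """Pick partners for the annual site visit: high risk, missed SLA, or sensitive data with no current audit report."""
    selected = []
    for p in partners:
        report_stale = p.handles_sensitive_data and (
            p.last_audit_report is None
            or (today - p.last_audit_report).days > report_max_age_days
        )
        if p.risk_level == "high" or not p.sla_met or report_stale:
            selected.append(p.name)
    return sorted(selected)


# Constructed sample inventory; the review date is the conference date.
TODAY = date(2011, 5, 12)
SAMPLE_INVENTORY = [
    BusinessPartner(name="Print & Mail Co", services=["statement printing"],
                    internal_owner="J. Smith", partner_contacts=["ops@printmail.example"],
                    production_date=date(2009, 3, 1), instrument_expiry=date(2011, 7, 1),
                    risk_level="high", last_audit_report=date(2010, 9, 30),
                    sla_met=True, handles_sensitive_data=True),
    BusinessPartner(name="Payroll Services", services=["payroll processing"],
                    internal_owner=None, partner_contacts=["acct@payroll.example"],
                    production_date=date(2008, 1, 15), instrument_expiry=date(2012, 1, 15),
                    risk_level="medium", last_audit_report=date(2010, 2, 1),
                    sla_met=True, handles_sensitive_data=True),
    BusinessPartner(name="Office Supplies Ltd", services=["supplies"],
                    internal_owner="A. Jones", partner_contacts=[],
                    production_date=date(2010, 6, 1), instrument_expiry=date(2011, 4, 30),
                    risk_level="low", last_audit_report=None,
                    sla_met=True, handles_sensitive_data=False),
]

if __name__ == "__main__":
    for name, finding in inventory_findings(SAMPLE_INVENTORY, TODAY):
        print(f"{name}: {finding}")
    print("site visits this year:", select_site_visits(SAMPLE_INVENTORY, TODAY))
```

Run against the sample data, the check flags the renewal coming up at Print & Mail Co, the missing owner and the stale (over one year old) audit report at Payroll Services, and the missing contact and already-expired instrument at Office Supplies Ltd; the site-visit list comes out as Payroll Services and Print & Mail Co. The report-age check is deliberately skipped for partners that do not touch sensitive data, so a SAS70/SOC report is only demanded where it says something about your data.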
Production State
Production State reporting and monitoring (cont’d)
– Regularly scheduled meetings to discuss business partner performance against defined SLAs
– Regular planning and status meetings for any new projects / implementations / upgrades
Termination State
Termination State
Relationship Termination processing
– Previously defined parameters should be enacted to account for data handling
– Negotiated time parameters regarding processing cut-off date
– Final meeting to discuss official end of relationship
Summary
Conclusions
– There is no 100% guarantee of data security, because you are not monitoring 24x7
– In order to achieve a high level of data security most of the work is performed by the company outlining their expectations and requirements before engaging a third party business partner
Summary
Conclusions (cont’d)
– An inventory of business partners, and services performed, should be maintained for multiple purposes
– Regular contact should be maintained and a dedicated team should be established with members of all parties involved
– Most of the work needed to ensure some, not absolute, comfort around Data Security happens before the external Business Partner is engaged
Questions
Helpful articles and websites
Bloomberg Article – http://www.bloomberg.com/news/2011-03-08/security-breach-costs-climb-7-to-7-2-million-per-incident.html
Ponemon and Symantec 2010 Data Breach Study – http://www.symantec.com/content/en/us/about/media/pdfs/symantec_ponemon_data_breach_costs_report.pdf?om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2011Mar_worldwide_costofdatabreach
American Institute of Certified Public Accountants, Inc. – www.aicpa.org
SAS70 – www.SAS70.com
SSAE16 – www.SSAE16.com
Identity Theft information – www.theidentityadvocate.com
ISACA – www.isaca.org
MIS Training Institute – www.misti.com
Institute of Internal Auditors – www.theiia.org
More helpful websites
United States Computer Emergency Readiness Team (US-CERT) – www.us-cert.gov
Carnegie Mellon Software Engineering Institute – www.cert.org
Dark Reading – www.darkreading.com
Contact Information
Thank you for your time!
If you have any questions, please feel free to contact me at [email protected]