
Cincinnati ISACA – September, 2014 Christopher Dorr.


Slide 1: Cincinnati ISACA – September, 2014. Christopher Dorr

Slide 2: Third Party Risk Management
Your company spends millions of dollars on IT security:
- Systems, technologies, appliances
- InfoSec professionals
- Internal Audit professionals
- External Auditors
- Processes, technologies, systems
Then some manager in marketing dumps your client data to an Excel spreadsheet and emails it to a direct mail firm in Omaha.
Perhaps even worse:
- Usually not random
- Usually not one vendor
- Often thousands of vendors

Slide 3: Overview – Third Party Risk Management
1. What it is
2. Business value and justification
   - Two main regulatory drivers: HIPAA and OCC 2013-29
3. What it looks like
   - Case study
   - Information Security focus, but many additional areas of risk

Slide 4: Vendor Breach Background
- Fazio Mechanical data breach
- Fazio Mechanical is a 100-staff, $12M revenue HVAC company
- Perhaps better known as the $250,000,000 Target data breach
- Full analysis of the breach is beyond the scope of today's presentation, and much of what is described below is unconfirmed.

Slide 5: Vendor Breach Background
- Fazio Mechanical was a vendor for Target for HVAC services
- Started with Fazio being targeted by a typical phishing attack
- Fazio connected to Target's internal systems for billing, contract management and contract submission via a vendor portal called "Ariba"

Slide 6: Target Design Process (architecture diagram). Components shown: Ariba Vendor Platform, Fazio (vendor), A/P and GL, Internet, Internal Bank, Internal POS.

Slide 7: Target Breach (attack-path diagram). Labels shown: Attacker, Fazio, Ariba, A/P and GL, Internet, Internal Bank, Internal POS, "SQL Injection & Privilege escalation", "RAM Scraping malware", "Staging Server".

Slide 8: Target by the Numbers
- 40,000,000 – Number of credit and debit card numbers stolen
- 70,000,000 – Number of non-credit-card PII records stolen
- November 27 to December 15, 2013 – Duration of theft
- 46% – The percentage drop in profits for the 4th quarter of 2013 from the year before
- $250,000,000 – Total estimated costs as of August 2014
- $90,000,000 – Amount paid by Target's insurers (maxed out)
- $54,000,000 – Estimated amount generated from sale of the stolen cards
- 0 – Number of CIOs and CEOs who kept their jobs

Slide 9: Third Party Breach Numbers
- 41% to 63% of breaches involved third parties
- Per-record costs of a 3rd-party breach are higher: $231 vs. $188
- 71% of companies failed to adequately manage the risk of third parties
- 92% of companies planned to expand their use of vendors in 2013
- 90% of anti-corruption actions by the DOJ involved 3rd parties

Slide 10: Third Party Risk Management – What Is It?

Slide 11: TPRM – What It Is
- Third Party Risk Management (TPRM) is the process of analyzing and controlling risks presented to your company, your data, your operations and your finances by parties OTHER than your own company.
- Due Diligence is the investigative process by which a company or other third party is reviewed to determine its suitability for a given task.
- Due diligence is an ongoing activity, including review, monitoring, and management communication over the entire vendor lifecycle.
- No universally accepted framework like COBIT or COSO

Slide 12: TPRM – Who It Is
- Vendors
- Customers
- Joint Ventures
- Counterparties
- Fourth parties

Slide 13: Third Party Risk Management – Why Should We Do It?

Slide 14: Business Justifications
- Reduce likelihood of data breach costs
- Reduce likelihood of costly operational failures
- Reduce likelihood of vendor bankruptcy
- Regulatory mandates may require it
- Prudent due diligence – ethical obligation
- Audit where the risk is
- Enterprise risk portfolio may expose the organization to the most risk here

Slide 15: Regulatory Guidance
- Office of the Comptroller of the Currency (OCC)
- US Department of Health & Human Services (HHS)
- State data breach laws

Slide 16: Regulatory Requirements
- Strongest language so far is for financial institutions regulated by the Office of the Comptroller of the Currency
- If precedents hold true, this will likely "migrate" to other financial entities, healthcare entities, and government contractors
- Consumer Financial Protection Bureau (CFPB)
  - Since 2012, has imposed over $1 billion USD in fines
  - Was partially in response to the 2008 financial crisis. Banks did not manage risk well.

Slide 17: OCC 2013-29
- Very comprehensive guidance requiring banks to proactively evaluate ALL risks associated with ALL third parties
- Issued in October, 2013, governing all financial institutions regulated by the OCC
- Closest thing we currently have to a generally accepted framework
- "…. A third-party relationship is any business arrangement between a bank and another entity, by contract or otherwise"
- "The Office of the Comptroller of the Currency (OCC) expects a bank to practice effective risk management regardless of whether the bank performs the activity internally or through a third party. A bank's use of third parties does not diminish the responsibility of its board of directors and senior management to ensure that the activity is performed in a safe and sound manner and in compliance with applicable laws."

Slide 18: OCC 2013-29
An effective risk management process throughout the life cycle of the relationship includes:
- Plans that outline the bank's strategy, identify the inherent risks of the activity, and detail how the bank selects, assesses, and oversees the third party.
- Proper due diligence in selecting a third party.
- Written contracts that outline the rights and responsibilities of all parties.
- Ongoing monitoring of the third party's activities and performance.
- Clear roles and responsibilities for overseeing and managing the relationship and risk management process.
- Documentation and reporting that facilitates oversight, accountability, monitoring, and risk management.
- Independent reviews that allow bank management to determine that the bank's process aligns with its strategy and effectively manages risks.

Slide 19: HIPAA – HITECH
- In 2009, the HITECH Act extended compliance requirements explicitly to "Business Associates"
- Business Associates are persons or entities using PHI to perform services for a covered entity.
- PHI – medical-related PII
- Many third parties in healthcare have access; it is very difficult to perform substantive activities without access to PHI
- HHS can impose fines on the Covered Entity (insurer, hospital, etc.) for the actions of a delegate

Slide 20: HIPAA Example
- Massachusetts General employee took some work home
- Accidentally left 192 patient billing records on the subway
- HHS imposed a $1,000,000 fine
- HHS imposed a three-year corrective action plan
- What would have happened had this been a vendor?
- Would there be a difference depending on due diligence?
- Fines seem to be directly related to how lackadaisical oversight was

Slide 21: State Data Breach Laws
- Many different laws
- Almost all laws have provisions requiring notification within a certain period after detection
  - Detection by whom?
- Most appear to make no distinction between losses caused by an entity and losses caused by an entity's vendor
- Penalties
  - Up to $500,000 in civil penalties per breach for failure to notify timely (Florida)
  - $5,000 "per violation" if notice is not received within 10 days. Every subsequent day "not received" is a separate violation (Louisiana)

Slide 22: Third Party Risk Management – What Does It Look Like?

Slide 23: What TPRM Looks Like – Process
1. Initial Risk Review
   1. Based on risk tier
   2. Documentation review
   3. On-site review
   4. Business process documentation
   5. Inherent risk / residual risk
   6. Remediation plan
2. Ongoing Monitoring
   1. Both for changed risks and for changes at the vendor
3. Recurring Reviews
   1. Based on risk tier

Slide 24: What TPRM Looks Like – Elements
"The Four RMs"
1. Risk Measurement
   1. Linked to ERM
   2. Measures the risk of both the activity itself and of the vendor in particular
2. Risk Management
   1. Standard mechanisms for dealing with risk: accept, decline, transfer, modify
3. Risk Monitoring
   1. New/evolving risks
   2. Vendor changes
4. Response Management
   1. Incident response, both on your part and the vendor's

Slide 25: What TPRM Looks Like – Assessment
Using OCC 2013-29 as the framework – "Banks should consider the following:"
- Legal and regulatory compliance
- Financial condition
- Qualifications, backgrounds and reputations of company principals
- Risk management
- Information security and management (including physical and logical security)
- Incident reporting and management
- Reliance on subcontractors
- Contract language, including right to audit and metrics

Slide 26: Case Study
- RandomCo – 300-employee, midsized, technology-oriented company
- Specialized in document management and OCR
- Being considered for an engagement that required high levels of data security, operational reliability, and performance
- Would be subject to HIPAA requirements

Slide 27: Stage I – Case Study
- Reviewed SAS 70 (Type 1)
- Reviewed architectural documentation
- Reviewed online reputation
- Reviewed legal entanglements
- Reviewed summary financials
- Nothing significantly negative was found

Slide 28: RandomCo – Case Study
- Glass-sided stand-alone office building, surrounded by a public, ungated parking lot
- Scanned for wireless networks. They had a "RandomCoProd" SSID with WEP encryption
- Unlocked front door
- No security cameras
- "Netgear" wireless router bolted to the wall in a stairwell
- Unlocked server room and networking closet

Slide 29: RandomCo – Case Study
- Data center served by a single internet feed
- "Some" systems were RAID 5
- Some "servers" were recycled desktops running Linux
- Disaster Recovery Plan never tested
- Backup Plan
  - Network admin drove to the data center
  - Network admin took the tapes out of the servers
  - Network admin threw the tapes in his trunk
  - Network admin drove the tapes home

Slide 30: Why this story?
- Not because it was particularly bad
- In fact, not the worst
- Many smaller vendors lack controls
- Many vendors will be 25-200 person companies (28M small businesses)
- No full-time IT, let alone IT Security
- Never would have known without the on-site visit
- "Vendor Development"

Slide 31: Tools
- Vendor tiering or stratification
  - Tier 1 – Critical vendors (10%) – PII + critical systems
  - Tier 2 – Major vendors (40%) – PII OR critical systems
  - Tier 3 – Vendors (50%) – commodities / low-risk purchases
- Workflow tools
- Capability Maturity Model
- Vendor scorecards (maintained by the business owner of the vendor)
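As an added illustration (not part of the presentation), the tiering rule from this slide written as a Python function over a constructed vendor inventory, plus a sanity check of the resulting split against the 10/40/50 shares the slide gives. The inventory records and the 15-point tolerance are assumptions.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed vendor records for illustration (not from the presentation).
# Each record carries the two attributes the tiering rule depends on:
# access to PII and access to a critical system.
@dataclass(frozen=True)
class Vendor:
    name: str
    handles_pii: bool
    critical_system: bool

def risk_tier(vendor: Vendor) -> int:
    """Tier 1: PII AND critical systems; Tier 2: PII OR critical systems;
    Tier 3: neither (commodity / low-risk purchases)."""
    if vendor.handles_pii and vendor.critical_system:
        return 1
    if vendor.handles_pii or vendor.critical_system:
        return 2
    return 3

# Share of the vendor population each tier is expected to hold (slide: 10/40/50).
EXPECTED_SHARE = {1: 0.10, 2: 0.40, 3: 0.50}

def tier_shares(vendors) -> dict:
    """Fraction of the inventory that lands in each tier."""
    counts = Counter(risk_tier(v) for v in vendors)
    return {t: counts.get(t, 0) / len(vendors) for t in EXPECTED_SHARE}

def tier_warnings(vendors, tolerance: float = 0.15) -> list:
    """Flag tiers whose share is off the expected split by more than `tolerance`
    (an assumed threshold). Too many Tier 1 vendors usually means business owners
    mark everything as critical; too many Tier 3 usually means PII access is not
    being captured in the inventory."""
    shares = tier_shares(vendors)
    return [f"Tier {t}: {shares[t]:.0%} of vendors, expected about {EXPECTED_SHARE[t]:.0%}"
            for t in EXPECTED_SHARE if abs(shares[t] - EXPECTED_SHARE[t]) > tolerance]

# Constructed inventory; the vendor types echo examples used in the talk.
INVENTORY = [
    Vendor("HVAC maintenance contractor", handles_pii=False, critical_system=True),
    Vendor("Direct mail firm", handles_pii=True, critical_system=False),
    Vendor("Document management / OCR provider", handles_pii=True, critical_system=True),
    Vendor("Office supplies", handles_pii=False, critical_system=False),
    Vendor("Payroll processor", handles_pii=True, critical_system=True),
]

if __name__ == "__main__":
    for v in INVENTORY:
        print(f"Tier {risk_tier(v)}: {v.name}")
    for w in tier_warnings(INVENTORY):
        print("WARNING", w)
```

With this inventory the Tier 1 and Tier 3 shares both miss the expected split by 30 points, which is the kind of result that should send the inventory back to the business owners before any review cadence is planned.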

Slide 32: Tools
- Shared Assessments Group (Santa Fe Group) – Standardized Information Gathering tool (SIG)
  - Current version costs $5000
  - Version 6.0 is freely available, but dated
  - Lite and full versions provide flexibility
- Vendor research tools
  - Dun & Bradstreet Supplier Risk Manager
  - LexisNexis
- Research and monitoring tools
- Variety of checklists available online
- Contracting language – right to audit, required reporting, standards

Slide 33: Risk Capability Maturity Model
- Level 0 – No processes exist
- Level 1 – Initial – Processes exist, but are ad hoc and unpredictable
- Level 2 – Managed – Processes are reactive, "hero driven" and project specific
- Level 3 – Defined – Processes are organized, formalized and documented
- Level 4 – Quantitative – Processes are formalized, measured empirically and controlled
- Level 5 – Optimized – Processes are highly mature, and emphasize system feedback and improvement
Are the vendor's risk management processes: Defined? Comprehensive? Repeatable? Measured? Reliable?

Slide 34: Personal Observations
- Very cost-effective way to manage risk
- One day on-site is often all that is required
- Complete review (including on-site) can cost less than $1,000
- Lots of "low-hanging fruit"
  - Emphasis area: Test data
  - Emphasis area: Data retention & lifespan management
  - Emphasis area: Physical security
  - Emphasis area: Cloud reliance and architecture
- Often you get more pushback from internal parties. Many vendors appreciate the "free consulting"

Slide 35: Summary
- 70% of companies do not adequately do this now, yet over 90% say they will INCREASE their use of third parties.
- Data breaches caused by third parties cost $43 per record more than other breaches, yet account for over 40% of all breaches.
- Effective TPRM involves a combination of oversight and review of the external partner AND implementation of internal controls and processes.
- Given the risk exposure and costs involved, TPRM can be the single most cost-effective risk management program that a company can implement, and Internal Audit and InfoSec can contribute in many significant ways.

Slide 36: Target Breach – TPRM
- Third-party risk management failures contributed to the attack
- Vendor used the FREE Malwarebytes Anti-Malware software
  - The free version is only an on-demand scanner. No real-time scanning.
- Target did not require vendors to use multi-factor authentication
- If the vendor used free anti-malware, what is the probability that it required users to take security training? Or implemented an enterprise email system that might have caught the phishing attack?
- But Target also left vast amounts of sensitive data about vendors on unsecured systems. This is also about vendor management.
- Ariba is a vendor too. Was testing/scanning for SQL injection performed and was the architecture reviewed? How was Ariba monitoring for unusual activity?

Slide 37: Questions?
