Upstream compliance, cyberthreats, geographical location, financial assets, and reputation are five of the top vendor risks most organizations face. But different industries also face vendor risk challenges that are unique to their business sector. For example, the healthcare industry has HIPAA regulations it must follow, and the insurance industry is subject to reporting and auditing standards from various state regulators. When investigating vendors, many companies focus on what they offer and whether it will help them work better and faster. Few conduct the thorough security assessment that is needed to ensure that third-party vendor systems won’t open up holes in their own security or introduce new threats into their network. At ComplyScore, we have successfully helped companies in a variety of industries assess and manage their vendor risks. Based on our experience, these five top industries must up their vendor risk assessment game now to ensure their vendors’ security standards are as robust as the ones they have in place themselves.
Entertainment
The entertainment industry uses many third-party vendors but has no mandated vendor risk regulations it must meet. The industry must initiate vendor risk assessments on its own. While vendor risk management is important to all entertainment businesses, video game companies face enterprise-specific challenges from practices such as outsourcing production elements to countries that represent higher security risks. Comprehensive risk assessment can help the industry avoid expensive litigation while preserving reputation and stakeholder value.
Insurance
The insurance industry has long outsourced business processes and utilized third-party software solutions. Regulators like the OIG, OCC, FFIEC, CFPB, and others require insurance companies to identify possible third-party risks, verify that the vendors they do business with are compliant, and regularly monitor changes that may create new risks. A risk assessment platform helps automate risk rating and reduce the amount of time spent managing vendor risk.
Healthcare
Most healthcare organizations have a strategy in place to comply with the Health Insurance Portability & Accountability Act (HIPAA), but with each new technology and practice, fresh risks abound. Third-party risks cost the healthcare industry nearly $24 billion per year, and many providers are hard-pressed to adequately assess and understand the risks their vendors pose. A cloud-based platform and end-to-end vendor risk assessment managed services can help meet each provider’s unique needs and ensure compliance requirements are met.
Financial Services
A favorite target for cybercriminals, the financial services sector must continuously monitor third-party risk, adopt policies that go beyond regulatory compliance, and devise an organization-wide approach to vendor risk management. From deciding whether a vendor is a good fit to establishing a cybersecurity culture, a broad vendor risk assessment process protects critical financial and PCI data and helps organizations avoid catastrophic breaches.
Pharma
Pharmaceutical, biotechnology, and medical device companies face many regulatory compliance requirements related to areas like trial designs, geographic location, and/or specific expertise. Geographic expansion is a particular challenge the life sciences industry faces, as is meeting anti-bribery regulations. An advanced third-party assessment solution streamlines the vendor assessment process while ensuring analytic consistency and significantly reducing overhead.
Third-party vendors are a risky necessity that can be made safer by using a cloud-based risk assessment solution and vendor risk assessment managed services.
ComplyScore’s CyberScore is designed to help top industries manage third-party relationships in accordance with increased and expansive regulatory expectations while mitigating the risks posed by third-party vendors throughout the lifecycle of the relationship. This blog was originally posted on https://complyscore.com/blog/top-industries-that-need-to-up-their-vendor-risk-assessment-game/
Contracting the right vendors, monitoring their performance, and managing the associated risks all pose significant challenges that too many organizations are still ill-equipped to deal with. In today’s uncertain business environment, a comprehensive vendor governance program is more important than ever for helping businesses cope with increasing risk levels and other vendor governance concerns. These key elements will make your organization’s vendor governance program as thorough and effective as possible.
Build the Team
Choosing the right vendors to work with can be difficult, and many organizations still trust their gut when going with one vendor over another, or continue with an existing vendor for the sake of familiarity. Metrics and data help you make more educated vendor selection decisions.
Research Vendors
Before creating a vendor governance program you need to research and identify who your vendors are. Keep in mind that a “vendor” is any third party, associate, or contractor your organization does business with. Other critical components of the vendor governance process include:
- Obtaining pricing quotes and/or bids
- Establishing vendor capabilities
- Researching turnaround times and quality of work
Careful Contract Negotiation
“Standard” vendor contracts come with potential risks and costs. In organizations with a high volume of third-party vendors, some contract details may get overlooked. All contracts should be carefully scrutinized and negotiated to make sure they:
- Adhere to industry best practices
- Are mutually beneficial
After all the hard work of research and contract negotiation, it makes sense to monitor and manage vendor performance. Performance incentives should be considered, KPIs established, and penalties defined.
Collaboration and Transparency
Frequent collaboration helps vendors understand what they need to do to meet your organization’s goals. So, too, does mutual transparency, which lets vendors know not only when they’re not meeting expectations, but also when they’ve done a good job. To make sure that established compliance procedures and checks are not being missed, vendors should regularly update you on changes to their processes as well. All disputes should be swiftly addressed and resolved to facilitate a strong relationship.
Financial Matters
Clear terms of invoicing and payment should be established upfront and should be structured to your organization’s benefit. A dispute resolution process should be put in place, and terms should be regularly reviewed to optimize cash flow.
Risk Management and Compliance
It’s important to know when any of your vendors pose a risk to your organization. While there’s no one-size-fits-all solution to third-party risk management, two factors are crucial to any vendor governance program:
- Identify risks using assessments. Data-driven reports let you know how well a vendor is performing and whether they’re meeting their contractual obligations.
- Mitigate risk by applying the right controls. Internal and external controls ensure contract terms are performed accurately and efficiently and that issues are flagged before they become huge problems. They also give you greater confidence in data security, minimize fallout from breaches, and allow for business continuity.
Develop Long-Term Vendor Relationships
To fulfill organizational missions and goals, it’s almost always advantageous to work with good third-party vendors in a long-term, mutually beneficial way. Whether your goal is cost savings, improved vendor delivery, procedural standardization, or a combination of all three, the right vendor governance program goes beyond essential procurement functions to deliver strategic value. It also brings transparency to vendor evaluation and selection and helps ensure the way you select third parties to work with is based on value, not sentiment or habit.
ComplyScore offers comprehensive vendor governance solutions that simplify the entire vendor management process, including risk assessment, due diligence, and contract performance tracking. We’re committed to providing you with the expertise, technology, and processes you need to transform your vendor management strategy, enhance security, and mitigate compliance risks. Contact us to learn how we can add value to your vendor governance program.
This blog was originally posted on https://complyscore.com/blog/key-elements-of-comprehensive-vendor-governance-program/
Risk remediation is a crucial part of the vendor risk assessment cycle. If incorrectly executed, it will dilute and diminish the effort put into the assessment. A detailed and relevant questionnaire and a thoroughly executed assessment are a wonderful precursor to mitigation tracking. At ComplyScore, we have been performing almost 3,000 assessments annually. Our vast experience providing IT vendor management services, performing assessments across various industries, and working with vendors globally has given us a good perspective on how to effectively track risk remediation. I will be sharing my insights and the best practices we have implemented in the following sections. All clients have different policies and guidelines which must be followed when handling company data. Thus, ComplyScore risk assessments and mitigation tasks vary depending on the client. Slight variations in the assessment don’t change the way one should follow up on a mitigation task. After an assessment is reviewed, a gap report or mitigation plan is sent to either the client or the vendor contact. The amount of time allotted to respond depends on the inherent risk of the vendor, the severity of the gap, and the policies of the client. It is always preferable to be able to track mitigation tasks automatically, as the more assessments you need to track, the harder it becomes to track them manually.
Working with Vendors for Mitigation
Gaps and mitigation tasks must first be confirmed by the vendors. Allowing the vendor to clarify mitigation tasks is an important step in the process as well, since there may be compensating controls that cancel out a mitigation task. Typically, we give the vendor 2 weeks to do so. We see that 2-3 follow-ups are required before the vendors confirm. An automated process helps. Before the 2 weeks expire, we send an email stating that the mitigation tasks will be assumed to be accepted if they are not confirmed within the allocated time. This evokes a quick response: within a week of that email, we see a spike in acceptance or clarification of mitigation tasks. Mitigation tasks that are high risk should be closed quickly. For a tier 2 vendor, ComplyScore provides a due date of 60 days for high-risk findings; medium-risk findings should be closed out in 90 days and low-risk findings in 120 days. Tracking all communications in one place is critical. Clarifications, adjustments to impact, or any other aspect of the mitigation task must be captured online; emails or phone calls do not provide the audit trail that will be required in the future. Negotiating the completion date is also common. Smaller companies tend to think they are the exception to the rule because they have fewer employees or work from home. Of course, exceptions can be made after reviewing all factors and ensuring that the company data will be protected. We do not expect everyone to have an ISO or SOC 2 Type 2 report like larger companies. Still, things like multi-factor authentication, which does not depend on the size of your company, can be expected at a minimum. Periodic communication with the vendor is key. ComplyScore sends out email reminders at the midpoint of the task and close to the completion date. While these reminders are critical, what we have found is that a personal email following up on these reminders, or even a phone call, helps keep the vendors focused on the tasks.
Once the tasks are closed, vendors must upload supporting documents or present the documents in an online meeting. Besides sending automated email reminders, setting up such meetings is also very important. The more the human touch, the higher the rate of response. While this adds extra effort, the return is high. Overall, I feel that managing mitigations is as critical as conducting assessments, and consistent communication is the key to getting the tasks completed on time and achieving a successful IT vendor risk management outcome. Contact us to learn more about our vendor management solutions. This blog was originally posted on https://complyscore.com/blog/risk-remediation/
The Shift to Online Audits
Recent events related to COVID-19 have had a huge impact on the way organizations operate and function. Along with posing many challenges, they have also opened up many possibilities and ideas for a new way of doing things. Auditing is a traditionally hands-on, on-location process adopted by organizations to ensure that the vendors they work with have a comprehensive and robust security posture, that the data shared with the vendor is protected with maximum security at all levels, and that any services provided can continue without fail. With social distancing norms and advisories in place, in-person auditing has become a challenge and auditors have been forced to adapt to a remote process. Some companies have only just started implementing changes to accommodate this new demand, as these uncertainties may repeat. ComplyScore, as always, has been a few steps ahead of the game. We have been offering Online Audits as part of our supplier risk assessment services for the last 3 years. We have done numerous vendor audits as well as ISO 27001 surveillance audits.
The Transition has Generally Not Been Easy
ComplyScore, as a vendor risk management company, has performed online audits for three years now and has mastered this process at a time when the world has only just begun adapting to it. Because the online audit process is new and a forced change rather than a self-adopted one, it poses significant challenges to auditors. Below are a few challenges experienced on the road to performing an online audit:
• Validating the controls and their operating effectiveness over a period of time remotely can be challenging
• Evaluating risks associated with data collection, processing, and compliance
• Covering the entire security posture and all controls in a limited amount of time
• Identifying all strategically important activities and bringing them under security scrutiny remotely can often prove to be a challenge
• Exponential transformation, innovation, and advancement in technology, their implementation in the organization, and their impact on informational and operational security can be another piece of the puzzle that requires great attention, especially when the audit is conducted remotely
• The recent growth of remote work in organizations has posed a completely new challenge, where every employee can be considered a sub-entity, often with access to sensitive and confidential information while on a network and in a workplace that the company does not manage.
It is Important to Establish Comprehensive Processes
Highly qualified staff trained especially for the online audit process, together with the experience of several audits, ensure that these audits are performed by the most experienced experts on the subject within ComplyScore. An elaborate and comprehensive process to verify and validate the implementation of controls is established through online screen sharing, where all controls are validated, documents are reviewed, evidence is gathered, and operating effectiveness is checked using timestamped evidence from the past to the present. Additionally, collecting pictures and videos and using a mobile screen share during the audit provides the ability to further validate the presence of controls. ComplyScore auditors fully understand the nature of business engagements between two entities and hence can determine all the controls that would need to be implemented; these are checked and mapped against security standards such as ISO, NIST, and SOC. With their expertise and experience, the auditors are able to analyze the risks that the data faces at every junction in the network, from source to destination, while at rest and in transit, by fully evaluating the data flow diagrams and the mode of transport. The ComplyScore questionnaire, which is another part of the online audit process, provides additional controls on top of the standard audit process to further evaluate the completeness of the security controls implemented in an organization. Regular security and vulnerability training on innovation and advancement in technologies keeps auditors up to date with the newest technology and vulnerabilities, knowledge which proves highly beneficial during such audits.
Our vendor risk management solutions include remote assessments developed by experts at ComplyScore and incorporated as part of the online audit. Developed with the security threats and vulnerabilities of organizations working remotely in mind, they have helped immensely in assessing the controls such organizations have implemented to safeguard processes and data. ComplyScore has specially trained staff and the technology to support this process. This new online audit module is helpful to organizations in many ways. One of the biggest advantages of this process is the reduction in cost. Traditionally, audits require an auditor to travel to the location, stay at hotels, and take Ubers and taxis to reach the destination and perform the audit; online audits cut all these costs and save organizations a lot of money. As is said, time is money, and an online audit saves a lot of time on both ends, which further saves costs. An online audit also allows the organization's staff to continue with their work and does not engage them all at once, and hence does not take away time from staff who can spend a productive day doing their regular work.
While an online audit does prove very beneficial for organizations, it does pose a challenge to the auditor in terms of increased workload and effort. Verifying all security controls remotely is an elaborate task. Looking for evidence and artifacts can be time consuming and can demand extra effort from the auditing team. All the additional steps undertaken to ensure control completeness, implementation, and effectiveness in an organization, and the steps undertaken to overcome the challenges listed above, add extra workload for auditors. Utilizing remote assessment, checking for additional controls beyond the standard audit controls through the ComplyScore questionnaire, verifying pictures and video footage, and so on further increase the overall workload. In total, all this has resulted in a 20% increase in the workload and effort of an auditor. Many such online audits have been successfully completed to date, and organizations have been helped to save a lot of unnecessary costs without compromising quality.
ComplyScore has Been an Early Adopter of Online Audits
The audit process is an elaborate process and hence involves a lot of looking around to find the gaps and loopholes in the information security posture of the organization. ComplyScore has adopted a very well-defined online audit process that covers from the most granular controls to the most explicitly important and standard controls. Here are the few highlights of the online audit process:
• Vendor and data classification (CIA) based on business engagement.
• Preparing scope and agenda for online audit.
• Prepare a list of documents, policies, artifacts, and evidence required to verify the implementation and effectiveness of a control and share it with the vendor.
• Send meeting invites to all participants and if necessary designate individual parts of the audit to specialists.
• Perform the online audit (screen share, policy review, effectiveness of controls, certifications and test results, etc.) and collect artifacts and evidence.
• List all the observations, findings, and recommendations.
• Prepare the closeout report.
ComplyScore also ensures that the answers provided by the vendor are validated for accuracy, and that the collection of misleading information is reduced to the maximum extent, with our experienced staff performing several rounds of cross-checks to validate a control. A single control is evaluated in more than one place and in more than one way.
As this is a new process that the world is looking to master, ComplyScore has been ahead in the game and has already initiated the identification of challenges and problems faced in this process. We have been coming up with ideas and solutions to counter these challenges and iron out the fault lines, which would help us provide improved and better services with increased accuracy and finesse.
This blog was originally posted on https://complyscore.com/blog/shift-to-online-audits/
What is SCRM? Supply Chain Risk Management is “the implementation of strategies to manage both everyday and exceptional risks along the supply chain based on continuous risk assessment with the objective of reducing vulnerability and ensuring continuity.” Supply Chain Management is an essential part of vendor governance, and involves the entire life cycle from procuring the raw materials required for a product until it reaches the consumer. Supply chain management consists of identifying the vendors involved in producing a finished product and the risk these vendors pose to the entire chain. While sourcing, contract management, and supplier management are some of the critical elements of SCM, in this article I will focus on vendor risk management. A supplier’s risk to the supply chain cannot be assessed in isolation but needs to be assessed along with cyber, financial, reputational, and legal risks. For example, a supplier with weak cyber operational controls will pose a significant risk to the entire chain. Supplier management needs to be meticulous, thorough, and data-driven, and should also include a list of backup suppliers to minimize the impact in the event of a disruption. Today, almost all organizations rely on hundreds if not thousands of suppliers across all areas to function. In many cases, the overwhelming volume of suppliers and the massive load of data associated with them are among the reasons organizations defer starting the supplier management process. At ComplyScore, as a vendor risk management company, we have helped multiple companies reduce their supplier risk by implementing industry best practices. I have listed a few of them below.
2. Inherent risk of each supplier: First, assess the “impact” of the vendor across multiple areas. These areas are:
a. Financial impact: What will be the monetary impact on your business if the supplier is unable to deliver for any reason, e.g., bankruptcy?
b. Operations impact: Will a delay or disruption from a particular vendor affect your production directly and indirectly?
c. Legal impact: Will there be a legal impact, and how large would a lawsuit be, if the supplier does not comply with regulations?
d. Information security impact: Does doing business with a particular supplier put your security posture at risk?
e. Reputation impact: Will the goodwill and reputation of your organization be impacted by doing business with the supplier?
f. Assess the sensitivity of the supplier‘s failures across internal & external factors:
3. Putting it together –
a. Monitor the supplier‘s metrics
b. Monitor the external factors
This blog was originally posted on https://complyscore.com/blog/supply-chain-risk-management/
Risk assessment questionnaires play an important role in an organization’s vendor governance program. Questionnaire-based due diligence is essential to understanding how your third-party vendors manage cybersecurity risks, as well as the investments they have made to mitigate exposure across people, processes, and technology.
Yet for all their value, questionnaires can have shortcomings. They are often open to interpretation and create questions of their own. In addition, there is always the question of whether the answers reflect reality. How do you know the answers given are accurate and helpful?
ComplyScore performs thousands of third party vendor risk assessments every year. Based on our experience and discussions we have had with industry experts, here are what we consider to be the best practices to enhance your third-party risk management strategy while getting the most value from your organization’s vendor risk assessment questionnaires.
How Reliable are Vendor Risk Questionnaires?
Third-party vendor management programs rely on trust and verification. Questionnaires play a big role in establishing both but assessing third-party risk does have some challenges.
It is our belief that asking the right questions is the start to getting the right answers. Just like no two organizations are alike, each vendor comes with their own environment and risks. When creating questionnaires it’s important to:
• Know the scope of what’s being asked. A good questionnaire is thorough but intentional. That means only asking questions you need to be answered.
• Factor in inherent bias. Because questionnaires are answered by the vendor being assessed, the responses will never be fully objective.
• Customize to get better results. Generic questionnaires that ask questions irrelevant to the vendor relationship frustrate the vendor and waste your time. Drilling down on the specifics of the risks associated with environments particular to the vendor ensures getting the best picture of potential risks.
Validation Best Practices
To ensure accuracy, organizations should establish assessment processes and guidelines on how to gather data, review answers, and remedy pending issues. Specific controls should be used to evaluate the vendors’ environments. For example, if your third-party vendor hosts on AWS, AWS-related best practices questions should be asked instead of generic cloud ones. For vendors who use multiple operating environments, each system should have its own set of questions.
ComplyScore uses proven practices to evaluate and verify the accuracy of vendor responses. Questions are separated by asset type, such as the datacenter network, the corporate network, and log management for different device types. To gain clear, direct insight into the specifics, questions are kept simple and direct, and combining multiple questions into a single question is avoided.
Once you are confident that you are asking the right questions thus enabling the right answers, it is time to move on to other techniques to validate the answers.
The practices used to validate answers include:
• Documentation review
- Verifying the scope of security-related certifications like ISO 27001 and SOC2 and ensuring they are properly renewed.
- Checking the quality of documentation, verifying consistency of style across documents, and cross-checking for consistent policies.
- We find that documents that have not been deployed in practice lack specificity and generally have a different style than mature documents.
- It’s a good idea to drill down on these documents if they address critical areas of information security.
• Discovering, mapping, and scoring a vendor’s digital footprint to identify threat models and defend against fraud.
- Digital review of a sample of the vendor’s online assets reveals if the documents are put in practice.
- Multiple open-source tools can be used for this purpose.
- Areas that you can analyze are the existence of malware, patching cadence, any history of spam or viruses originating from the vendor, and social standing.
• Assessing a vendor’s website to discern company health, GDPR and other regulatory compliance, and security patch level.
- The overall rating of the website will reveal things like commitment to details, compliance with regulations, adequacy of resources, and general security related culture.
• Conducting a quick 10- to 15-minute interview at the start of the vendor assessment process reveals the level of security talent heading the infosec program, the vendor’s confidence in their program, openness, and other key traits. We have found these personal interactions reveal a significant amount of information from which the maturity of the infosec program can be inferred.
Trust and Verify
Information security (InfoSec) questionnaires provide valuable insight into a third-party vendor’s risk and security culture. To get the most out of a questionnaire, it is important to ask precise questions of each vendor. Empowering vendors to provide specific answers reduces ambiguity and improves the validation process. ComplyScore’s vendor risk management solutions are designed to streamline the validation process and help you get the most from your vendor questionnaires.
For more information or an evaluation of your company’s questionnaires, don’t hesitate to contact us here.
This blog was originally posted on https://complyscore.com/blog/reliability-of-questionnaires-how-to-validate-answers/
A successful vendor management program needs to invest heavily in managing the risks associated with third-party vendors. While doing TPRM, we generally assess risks such as information security and compliance risk. However, a one-size-fits-all approach to vendor risk management is not optimal. The program needs to be tailored to the risks associated with the specific engagement(s). This risk, which is associated with the nature of the engagement, is called the inherent risk. Inherent risk is the risk associated with a given engagement regardless of the controls that the vendor has implemented. It gives you an indication of the level of due diligence you need to perform on the vendor.
For an engagement with low inherent risk you may choose to assess basic controls, while for a high inherent risk engagement you may want to do an onsite audit and validate all controls.
What is Inherent Risk?
Mathematically, Risk = Likelihood * Impact: the likelihood of a breach happening multiplied by the impact of the breach on the business. To explain this better, let us consider 2 scenarios. In scenario 1, your client is sending sensitive data to Amazon. In scenario 2, they are sending the same sensitive data to a little-known offshore company. Is the inherent risk the same in both scenarios? In both cases, where sensitive data was sent to 2 different vendors, the impact is high regardless of the vendor. The likelihood of data being breached at Amazon is low, while the likelihood of data being breached at an offshore company is high. The result is that the inherent risk in scenario 2 is higher than in scenario 1. (If data for likelihood is not available, you may choose to use the same likelihood across all engagements. If you are being conservative, you will prefer to go with high likelihood.)
Inherent risk is different from residual risk. Residual risk is the risk that remains after assessing the controls that are implemented to mitigate the risks. It is calculated by multiplying inherent risk by the effectiveness of the controls. In this article, we are going to focus on inherent risk. Let’s start with the basics: IMPACT and LIKELIHOOD.
Impact: This will help you figure out the kind of data that can be compromised and how much data can be compromised. It gives you a sense of the extent of damage you will incur and the kind of impact it will have on your business. In some cases, it will be a financial loss that is incurred, whereas in others it might be a reputational loss. What kind of loss will be more harmful to you? How much damage can you survive? These are some areas you will get clarity on.
Likelihood: This will help you figure out the probability of a breach happening. Determining the likelihood depends on several factors. You can take the highest rating if you want to be conservative, or you can take an average.
Where is the data being accessed from? The rating is typically considered low if the data is being accessed from inside your office. The risk is considered medium if the access is offsite from a country with a low CPI (Corruption Perceptions Index), and high for all other offsite access.
How is the data being accessed and/or transferred? The risk is inherently high if the access and transfer are manual, to factor in human error. In the case of automated access, the rating is considered low. In cases where the data is accessed by VDI but there is no transfer of data, the rating is inherently medium.
CATEGORIES OF RISK
Inherent risk can be categorized into different areas: Technology, the risk you face due to a failure in the vendor’s technology; Compliance, whether the vendor is compliant in the manner in which the data is handled; Finance, the risk you might incur if the vendor fails to deliver; Legal, the risk you face when the vendor does not keep up with laws and regulations; Privacy, the risk you face if your vendor does not put sufficient controls in place to protect privacy; and BCP (Business Continuity Process), the risk you face if the vendor goes out of business. Since the risk areas assessed depend on the type of engagement between the vendor and the client, once the type of engagement is determined, an inherent rating is provided. For each area/category of risk to be assessed, you will need to develop specific factors to calculate the impact and likelihood. We saw earlier that for cyber security risk the impact depends on the type and volume of data accessed, and the likelihood depends on how the data is accessed. Develop similar factors for each area.
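To make the Risk = Likelihood * Impact scoring above concrete, here is a small Python script added to this post as an illustration; it is not ComplyScore's own code or product logic. It turns the two likelihood factors described above (where the data is accessed from, and how it is accessed or transferred) into a likelihood rating, combines them either conservatively (highest rating) or as an average, multiplies by an impact rating, and maps the resulting score to a level of due diligence. The data-class to impact mapping, the due-diligence thresholds, the residual-risk interpretation (control effectiveness as the fraction of inherent risk removed), and the sample engagements are all assumptions of this example.

```python
from dataclasses import dataclass
from enum import IntEnum


class Rating(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Likelihood factor 1: where the data is accessed from (mapping as stated in the post).
ACCESS_LOCATION = {
    "onsite": Rating.LOW,              # accessed from inside your office
    "offsite_low_cpi": Rating.MEDIUM,  # offsite, from a country with a low CPI
    "offsite_other": Rating.HIGH,      # all other offsite access
}

# Likelihood factor 2: how the data is accessed or transferred (mapping as stated in the post).
ACCESS_METHOD = {
    "manual": Rating.HIGH,             # manual access/transfer: factor in human error
    "automated": Rating.LOW,
    "vdi_no_transfer": Rating.MEDIUM,  # accessed over VDI, no data leaves the environment
}

# Impact depends on the type and volume of data; this three-class mapping is an assumption.
DATA_IMPACT = {
    "public": Rating.LOW,
    "internal": Rating.MEDIUM,
    "sensitive": Rating.HIGH,
}


@dataclass(frozen=True)
class Engagement:
    vendor: str
    data_class: str
    location: str
    method: str


def likelihood(e: Engagement, conservative: bool = True) -> Rating:
    """Highest factor rating if conservative, otherwise the average rounded half up."""
    factors = [int(ACCESS_LOCATION[e.location]), int(ACCESS_METHOD[e.method])]
    if conservative:
        return Rating(max(factors))
    return Rating(int(sum(factors) / len(factors) + 0.5))


def impact(e: Engagement) -> Rating:
    return DATA_IMPACT[e.data_class]


def inherent_risk(e: Engagement, conservative: bool = True) -> int:
    """Risk = Likelihood * Impact, on a 1..9 scale."""
    return int(likelihood(e, conservative)) * int(impact(e))


def residual_risk(inherent: int, control_effectiveness: float) -> float:
    """Risk left after controls. Assumption: effectiveness in [0, 1] is the fraction removed."""
    if not 0.0 <= control_effectiveness <= 1.0:
        raise ValueError("control effectiveness must be between 0 and 1")
    return inherent * (1.0 - control_effectiveness)


def due_diligence(score: int) -> str:
    """Map the inherent score to an assessment depth; thresholds are an assumption."""
    if score >= 6:
        return "full assessment: onsite or screen-share audit, validate all controls"
    if score >= 3:
        return "standard questionnaire with evidence review"
    return "basic controls check"


# Constructed sample engagements, not real vendors.
ENGAGEMENTS = [
    Engagement("vendor-a", "sensitive", "onsite", "automated"),
    Engagement("vendor-b", "sensitive", "offsite_other", "manual"),
    Engagement("vendor-c", "sensitive", "offsite_low_cpi", "vdi_no_transfer"),
    Engagement("vendor-d", "public", "onsite", "manual"),
]


def score_all(conservative: bool = True) -> dict:
    """Inherent score per vendor, so the portfolio can be triaged in one pass."""
    return {e.vendor: inherent_risk(e, conservative) for e in ENGAGEMENTS}


if __name__ == "__main__":
    for e in ENGAGEMENTS:
        cons, avg = inherent_risk(e, True), inherent_risk(e, False)
        print(f"{e.vendor}: conservative={cons} average={avg} -> {due_diligence(cons)}")
```

The conservative flag reproduces the post's choice between taking the highest factor rating or an average; vendor-d (onsite but manual handling of public data) is the case where the two diverge, scoring 3 conservatively and 2 on average, which is exactly the kind of borderline engagement where the program owner should decide which rule applies before scores drive assessment depth.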
QUESTIONS TO ASK
In this part, we will cover the bare minimum questions you need to ask to help you calculate the inherent risk. You need to know:
Access to the data: Is access to sensitive data separated by roles and responsibilities? Is there hierarchical access and ownership of data? Or is it a free-for-all?
Storage and protection of data: Is it in a place with open access? Are there controls in place to safeguard it?
Physical controls: Are there physical controls in place? Is the room hosting the data locked? Is there keycard access in place?
Here is a snapshot of some of the questions posed by our vendor risk management solutions to assess our clients’ risk. Contact us to learn more about ComplyScore’s IT vendor management services.
This blog was originally posted on https://complyscore.com/managing-inherent-risk-in-third-party-risk-management/
Background:
Information Security (InfoSec) professionals realize that their InfoSec program is only as strong as its weakest link. Third-party (3P) vendors with access to sensitive data are generally regarded as the weak link, hence the focus on securing the 3P. However, given the scope and possible costs of securing this link, and doubts regarding the assessment methodology, it is easy to doubt the value of the third-party vendor risk management (TPRM) program. InfoSec managers are often challenged by their seniors to prove the value of the TPRM program.
As a leading vendor risk management company, at ComplyScore we manage thousands of assessments annually and are asked to assist in showing the value of the program. Here are some points that I would like to share with you.
Let us first consider what happens if you don’t have a strong IT vendor management program, by looking at instances where companies suffered because of their vendors.
Visser Precision: In February 2020, a data breach at Visser compromised contract data, pricing and other highly sensitive details of companies like Tesla, Lockheed Martin and SpaceX.
LabCorp: In August 2018, a data breach at LabCorp’s vendor American Medical Collection Agency (AMCA) compromised the data of almost 7.7 million patients.
Home Depot: In 2014, a data breach compromised the credit card details of almost 56 million customers. Hackers used credentials stolen from third-party vendors to gain access.
Target: In 2013, almost 40 million customer credit and debit card details were compromised in a breach. The culprit? Again, a third party that had privileged access.
These are just a few of the reported incidents I have used as examples. The above examples demonstrate that even though there is increasing awareness regarding cybersecurity, and even though companies are spending huge amounts of money on security, third-party breaches are still one of the weakest links.
Now, let us look at the impact of these incidents.
Visser has taken a hit in reputation with this breach. The magnitude and the details are still being assessed but sensitive contract details like pricing and manufacturing details are compromised.
LabCorp spent almost $2.5 million after the breach to ramp up their security. A class-action lawsuit is pending.
Target: $18.5 million in lawsuits. The CEO had to resign.
Home Depot: $25 million in settlement.
On average (from what I have read, it is $3.92 million), companies have spent over $4 million in settlements. Additionally, there is the damage to reputation and customer confidence, countless hours spent in investigations and lawsuits, and even the forced resignation of the CEO.
That is a steep price to pay.
These incidents remind us about the potential impact if you do not have a methodical approach to TPRM.
General Consensus
A recent survey published in the Allianz Risk Barometer 2019 consistently ranked cyber incidents among the top 3 areas of concern. Another interesting insight comes from Deloitte. In the survey conducted by Deloitte between March and July 2018 with respondents from 94 financial institutions around the world, almost 67% of the respondents named cybersecurity as one of the top 3 challenges they will face and a risk that they feel is only going to increase. More interestingly, the Deloitte survey showed that respondents felt more confident in being able to handle breaches due to disruptive attacks, financial loss, and loss of customer data, but did not feel as confident about breaches caused by nation states and risks from third-party providers. The survey, along with the examples, shows that we need to be proactive in addressing the issue, and we need to be proactive NOW.
Now that we have enough data to convince leadership that TPRM is an essential part of a robust vendor management system and needs to be done, let us talk about the cost and ROI. In short, let’s talk numbers:
With data breaches, the losses are generally in the millions of dollars. Companies take a hit to their reputation; some have had to file for bankruptcy. Now compare that with the cost they would have incurred had they been proactive. Assessments are proportional to the level of risk. ComplyScore does vendor risk assessments for as little as $200 per assessment, so if you spend between $250K and $500K, you can assess and secure a major part of your supply chain and de-risk your company to a great extent. Now that’s a significant ROI.
Value of assessments
You might ask, “How reliable is the questionnaire-based approach?” I have seen that a lot of clients are initially apprehensive about the process and its reliability. For those with questions and apprehensions, there are ways and means you can use to ensure that the assessments are answered honestly. The security rating agencies add value as well. ComplyScore will cover the value and reliability of the questionnaires, and how to validate the answers, in our upcoming blog.
I hope that I have been able to cover some talking points that you can use to address the benefit of TPRM with your leadership. Cyber incidents are only going to become more frequent in the future. You need to secure your organization by diligently including TPRM and supplier risk management in your organization’s vendor governance program. Address it now, contact us and request your demo today.
This blog was originally posted on https://complyscore.com/value-of-a-third-party-infosec-assessment-program/
Organizations often fail to anticipate the risks associated with 3rd party vendors. On many occasions, the threats to which they have exposed their own data, and possibly their customers’ data, are realized only after a breach has happened, and all they can do at that point is damage control.
Without a proactive approach to vendor risk management, your organization can open itself up to increased levels of risk that can have a negative impact on its financial standing, compliance posture, and overall ability to serve its customers. If you want to drive competitive advantage and sustain future growth, the focus must be on vendor risk management that is proactive, not merely reactive.
Proactive Vendor Risk Management
While anticipating and assessing all potential vendor risks may be tedious and even seem impossible, proactive vendor risk management is really a discipline that must be integrated into your organization’s overall risk management culture.
Traditional IT vendor management solutions take a reactive approach, using programs that assess, report, and mitigate risks after they happen. The emphasis is placed on reducing fallout and minimizing damage to the business. This focus on events that have occurred instead of leveraging predictive digital tools such as AI, data analytics, and process automation can be compared to the proverbial barn door that’s closed after the horse escapes.
For most businesses, 24/7 coverage of IT systems is not financially feasible. It is advisable to partner with a vendor risk management company that:
• Provides end-to-end services including distribution, completion, and evaluation of assessments
• Creates customized assessments based on the company’s exclusive vendor profiles
• Immediately identifies potential issues before they turn into critical security breaches
Working with a managed service provider to move from reactive to proactive enterprise vendor risk management helps ensure that your vendors have the right controls in place to properly serve your organization. It also allows your business to improve compliance with regulatory demands, prepare for unexpected risk events, and maintain its reputation.
Putting Proactive Vendor Risk Management to Work
Adopting a vendor risk management strategy that uses the right tools to evaluate vendors and their processes improves your company’s ability to manage and/or avoid existing and emerging risks. Internal IT staff can also adapt more quickly to unwanted events or crises while building an understanding of how to assess and mitigate risks. Your organization then has a better view of potential future risks, how they might impact your business, and how to keep those risks at bay.
ComplyScore’s managed third party vendor risk assessment solutions help your organization approach risk management and vendor governance proactively and effectively at the enterprise level. By using a more forward-looking approach to vendor risk management, your business avoids unexpected events and expenses. That, in turn, results in improved compliance, a greater business value, and ensured sustainability. The bottom line? When choosing an MSP for your organization’s unique vendor risk management needs, look for one that can maintain a proactive approach that evolves as your organization’s vendor landscape unfolds and grows.
This blog was originally posted on https://complyscore.com/blog/enterprise-vendor-risk-management-is-your-organization-proactive-or-reactive/
An effective vendor risk assessment is the cornerstone of every successful third-party risk management program. While the essential elements of an assessment should, in theory, be easily determined, the ever-evolving IT security landscape and threats is making the process more complex.
Addressing Platform-Specific Risks
Some recent incidents have shown that even respected security solution providers are not immune to breaches in information security. One such recent misstep by a well-known cybersecurity leader resulted in exposed Amazon Web Services (AWS) credentials. This allowed hackers to steal information on customers who used its Cloud Web Application Firewall (WAF) product. This incident underlined the importance of drilling down on the specifics of the platforms used by the 3rd party vendors during the security evaluation.
Organizations focused on good vendor governance need a thorough understanding of each vendor’s security posture to mitigate and manage risks from exposure. Most 3rd party providers host and maintain core tech infrastructure in the cloud. While existing third party assessments all focus on governance, processes, and security controls, the questionnaires employed do not adequately address platform-specific risks. Since the majority of 3rd party providers build on AWS and/or Azure, we believe it's in our clients' best interests to be able to drill down and address controls that are unique to the platform used.
Best Practices for AWS Security
AWS offers multiple tools that allow organizations to effectively manage security. Identifying the tools a third-party vendor uses gives a good indication of that vendor’s security posture. For example, does the vendor create VPC flow logs to capture IP traffic information? Is Trusted Advisor used to optimize the AWS environment for performance, cost, and fault tolerance? Are malicious and/or unauthorized activities continually monitored with AWS GuardDuty?
For successful vendor risk management for our clients, we’ve developed a list of best practices for vendors who host on AWS.
Five risk mitigation best practices for vendors who host on AWS include:
1. Security of the root account including disabling API access, alert set-up for root access use, and activating MFA (multi-factor authentication).
2. Access management techniques that include using groups to assign permissions, quarterly rotation of access keys, enabling MFA for accounts that have console access, and assigning unique IAM (identity and access management) usernames for each user.
3. Network restrictions that include using security groups to control inbound and outbound traffic.
4. Monitoring, encryption, and other controls that help build resilient IT architecture. This includes 24/7 monitoring of AWS account activity, conducting risk assessments of the AWS environment, and enabling server-side encryption (SSE), VPC flow logging, S3 Bucket access logging, AWS configuration in all regions, and logging for all resources.
5. Metric and composite alarms for events such as configuration changes, unauthorized API calls, non-MFA management console sign-in, storage policy changes, and changes to Network Access Control Lists and network gateways.
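Items 1 and 2 above can be checked from the IAM credential report, the CSV that `aws iam get-credential-report` returns (base64-encoded in its `Content` field). The following Python is an added example, not ComplyScore’s questionnaire or checklist and not AWS code: it parses a report and flags a root account without MFA, active access keys on the root account, console users without MFA, and access keys not rotated within 90 days (the quarterly rotation in item 2). The column names are those of the real report; the account id, user names and timestamps in the sample are constructed, and the 90-day limit and the finding names are assumptions.

```python
"""Audit an IAM credential report against the root-account and access-management
items of the checklist (added example, not ComplyScore's or AWS's code)."""
import csv
import io
from datetime import datetime, timedelta, timezone
from typing import List, NamedTuple

KEY_MAX_AGE = timedelta(days=90)  # "quarterly rotation of access keys"
ROOT_USER = "<root_account>"      # the root row is named this way in the report


class Finding(NamedTuple):
    user: str
    check: str
    detail: str


def _parse_time(value: str):
    """Cells hold ISO 8601 timestamps or markers (N/A, no_information,
    not_supported); markers become None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(report_csv: str, now: datetime) -> List[Finding]:
    """Return one Finding per violated control; an empty list means clean."""
    findings: List[Finding] = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        active_keys = [n for n in ("1", "2") if row[f"access_key_{n}_active"] == "true"]
        if user == ROOT_USER:
            if row["mfa_active"] != "true":
                findings.append(Finding(user, "root-mfa", "root account has no MFA device"))
            if active_keys:
                findings.append(Finding(user, "root-access-key",
                                        "root account has active access keys; root API access should be disabled"))
            continue  # the root row has no console-password columns worth checking further
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append(Finding(user, "console-no-mfa", "console password enabled without MFA"))
        for n in active_keys:
            rotated = _parse_time(row[f"access_key_{n}_last_rotated"])
            if rotated is None or now - rotated > KEY_MAX_AGE:
                age = "unknown" if rotated is None else str((now - rotated).days)
                findings.append(Finding(user, "stale-access-key",
                                        f"access key {n} last rotated {age} days ago"))
    return findings


# Constructed report: fake account id and users, real column layout.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2019-01-01T00:00:00+00:00,not_supported,2020-05-01T08:00:00+00:00,not_supported,not_supported,false,true,2019-01-01T00:00:00+00:00,2020-04-30T00:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2019-06-01T00:00:00+00:00,true,2020-05-02T09:00:00+00:00,2020-01-10T00:00:00+00:00,2020-04-09T00:00:00+00:00,true,true,2020-04-20T00:00:00+00:00,2020-05-01T00:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2019-06-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2019-11-01T00:00:00+00:00,2020-05-03T00:00:00+00:00,us-east-1,ecr,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2020-02-01T00:00:00+00:00,true,2020-05-03T11:00:00+00:00,2020-02-01T00:00:00+00:00,2020-05-01T00:00:00+00:00,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

REFERENCE_TIME = datetime(2020, 5, 4, tzinfo=timezone.utc)  # "now" for the sample

if __name__ == "__main__":
    for f in audit_credential_report(SAMPLE_REPORT, REFERENCE_TIME):
        print(f"{f.user}: [{f.check}] {f.detail}")
```

On the sample, the root account produces two findings (no MFA, an active access key), deploy-bot one (a key last rotated 185 days before the reference date), and bob one (console access without MFA); alice, who has MFA and a recently rotated key, produces none. A vendor can run the same check against its own report and attach the output as evidence when answering the assessment.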
Information gleaned on whether third-party vendors implement these best practices helps identify and measure 3rd party risks while delivering highly accurate risk intelligence that enables an organization to make more informed IT vendor management decisions.
Based on the above best practices, our vendor risk assessment questionnaires assess the 3rd party vendors utilizing AWS solutions against a checklist of controls. This checklist is designed to make the process of assessing the security posture of these vendors simpler and more agile, and in the interest of minimizing breaches, we are making this list publicly available.
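Item 5 of the list above asks for alarms on unauthorized API calls, non-MFA console sign-in, storage policy changes, AWS Config changes, and NACL and gateway changes. As an added example (not ComplyScore’s checklist and not AWS code), the following Python evaluates CloudTrail records against conditions that follow the CloudWatch Logs metric filter patterns of the CIS AWS Foundations Benchmark for those six categories, so a reviewer can see exactly which events each alarm would count. The sample records are constructed and trimmed to the fields the conditions inspect; the alarm names are assumptions.

```python
"""Classify CloudTrail events against the alarm categories of item 5.

Added example, not ComplyScore's checklist. The match conditions follow the
CloudWatch Logs metric filter patterns of the CIS AWS Foundations Benchmark.
The sample events below are constructed, not real CloudTrail records.
"""
import fnmatch
from collections import Counter
from typing import Dict, List

S3_POLICY_EVENTS = {"PutBucketAcl", "PutBucketPolicy", "PutBucketCors",
                    "PutBucketLifecycle", "PutBucketReplication",
                    "DeleteBucketPolicy", "DeleteBucketCors",
                    "DeleteBucketLifecycle", "DeleteBucketReplication"}
CONFIG_EVENTS = {"StopConfigurationRecorder", "DeleteDeliveryChannel",
                 "PutDeliveryChannel", "PutConfigurationRecorder"}
NACL_EVENTS = {"CreateNetworkAcl", "CreateNetworkAclEntry", "DeleteNetworkAcl",
               "DeleteNetworkAclEntry", "ReplaceNetworkAclEntry",
               "ReplaceNetworkAclAssociation"}
GATEWAY_EVENTS = {"CreateCustomerGateway", "DeleteCustomerGateway",
                  "AttachInternetGateway", "CreateInternetGateway",
                  "DeleteInternetGateway", "DetachInternetGateway"}


def is_unauthorized_call(event: dict) -> bool:
    # Filter pattern: ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*")
    code = event.get("errorCode", "")
    return (fnmatch.fnmatchcase(code, "*UnauthorizedOperation")
            or fnmatch.fnmatchcase(code, "AccessDenied*"))


def is_console_login_without_mfa(event: dict) -> bool:
    # Filter pattern: ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes")
    return (event.get("eventName") == "ConsoleLogin"
            and event.get("additionalEventData", {}).get("MFAUsed") != "Yes")


ALARMS = {
    "unauthorized-api-call": is_unauthorized_call,
    "console-signin-without-mfa": is_console_login_without_mfa,
    "s3-bucket-policy-change": lambda e: (e.get("eventSource") == "s3.amazonaws.com"
                                          and e.get("eventName") in S3_POLICY_EVENTS),
    "aws-config-change": lambda e: (e.get("eventSource") == "config.amazonaws.com"
                                    and e.get("eventName") in CONFIG_EVENTS),
    "nacl-change": lambda e: e.get("eventName") in NACL_EVENTS,
    "network-gateway-change": lambda e: e.get("eventName") in GATEWAY_EVENTS,
}


def match_alarms(event: dict) -> List[str]:
    """Names of every alarm condition a single CloudTrail record satisfies."""
    return [name for name, cond in ALARMS.items() if cond(event)]


def scan(events: List[dict]) -> Dict[str, int]:
    """Count matches per alarm, the way a metric filter feeds a CloudWatch alarm."""
    counts: Counter = Counter()
    for event in events:
        counts.update(match_alarms(event))
    return dict(counts)


# Constructed sample records, trimmed to the fields the conditions inspect.
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "errorCode": "Client.UnauthorizedOperation"},
    {"eventName": "PutBucketPolicy", "eventSource": "s3.amazonaws.com"},
    {"eventName": "CreateNetworkAclEntry", "eventSource": "ec2.amazonaws.com"},
    {"eventName": "StopConfigurationRecorder", "eventSource": "config.amazonaws.com"},
    {"eventName": "AttachInternetGateway", "eventSource": "ec2.amazonaws.com"},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com"},  # benign
]

if __name__ == "__main__":
    for name, count in sorted(scan(SAMPLE_EVENTS).items()):
        print(f"{name}: {count}")
```

Each of the six sample events that should alarm matches exactly one category and the benign DescribeInstances matches none. In the account itself the same conditions are expressed as metric filters on the CloudTrail log group with an alarm per filter, which is what a vendor would point to when answering item 5.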
Check out the list here, and do not forget to contact us for any clarification!
Stay tuned for the best practices based checklist for Azure coming soon.
This blog was originally posted on https://complyscore.com/blog/aws-security-best-practices-for-third-party-3p-infosec-risk-assessments/