
Performing Vendor Security Risk Assessments

Apr 16, 2015

CSA_NYMetro

Transcript
Page 1: Performing Vendor Security Risk Assessments

Performing Vendor Security Risk Assessments Presented by: Frank Roppelt, CISA, CISM, CRISC, CobIT, ITIL VP, Corporate Data Security – Risk Management, Bank of Tokyo-Mitsubishi UFJ, Ltd. December 18, 2012

Page 2: Performing Vendor Security Risk Assessments

Objective and Outline

Objective:
• Demonstrate a proven method to obtain the right information from cloud vendors and service providers, identify strengths and weaknesses in vendor controls, and communicate security risks and recommendations back to the business.

Outline:
• A common scenario
• Scoping Your Assessment
• Independent Reviews and Audits
• General Controls (Physical, Logical, and Administrative)
• Website and Application Controls
• Business Continuity and Disaster Recovery
• Writing the Vendor Security Risk Assessment Report
• Questions

Page 3: Performing Vendor Security Risk Assessments

A Common Scenario

Without integrating information security into the vendor selection process, the scenario below usually occurs.

Business decides to outsource a business process to (you fill in the rest). The business starts initial conversations with vendors, reviews services, and discusses contracts.

The decision is under way, legal is involved, contracts are being reviewed, and everything looks like a go to start in two weeks when… someone mentions: did anyone speak with the security person or department?

When security gets involved, it identifies that security controls and requirements were not included in the RFP. Vendor selection did not take into account information security and business continuity management controls.

Vendor selection is halted, business plans and processes are delayed, and additional costs may be incurred.

Who is responsible for making sure this does not happen again? The Security Department.

Page 4: Performing Vendor Security Risk Assessments

Vendor Security Risk Assessment Introduction – what is

A Security Risk Assessment is the identification of:
• Threats to information systems, networks, or infrastructure, including threats directed through the vendors with which we do business
• Vulnerabilities internal and external to information systems, networks, and infrastructure
• Impact (i.e., harm) to information systems, networks, or infrastructure that may occur given the potential for threats exploiting vulnerabilities
• Likelihood that harm will occur. The end result is a determination of risk (i.e., the degree of harm and the likelihood of harm occurring)
• Controls to mitigate risk to an acceptable level

The approach of the Security Risk Assessment process is to: Assess, Mitigate, Monitor.

Assess – Identify threats and vulnerabilities, and determine impact and likelihood for information systems, networks, and infrastructure via security assessments.
Mitigate – Risk is determined based on the results of compliance and vulnerability scans and pentests. Address key risks, and provide controls and best practices to mitigate risks and vulnerabilities via standards and industry best practice.
Monitor – Verify planned risk responses are implemented, continuously track open risk items post-production, and perform ongoing annual vendor risk evaluations.

Page 5: Performing Vendor Security Risk Assessments

Scoping your Assessment

Scoping the Security Risk Assessment starts with the business needs:
• Criticality of the service being outsourced to the vendor
• Are any of the services being outsourced regulated?
• What risk to the process or company would be incurred due to vendor process failure?
• How long can the business process survive without the vendor?
• Does the vendor leverage any offshore components or elements?
• Does the vendor leverage any 3rd party contractors or vendors?
• Will the vendor have access to employee, customer, or sensitive company information; in what volume; and what is being done with the data?
• Does the vendor need access to the company's network or systems?
• How will users access the data provided by the vendor?
• What data will be sent to and received from the vendor?

Page 6: Performing Vendor Security Risk Assessments

Independent Reviews of Service Provider

Reviews of business, financial, physical, administrative, and technical controls performed by an objective and independent party. There are many types of independent reviews; which ones to request:
• SSAE 16 (Statement on Standards for Attestation Engagements) (previously SAS 70)
  • SOC 1 (Service Organization Controls) * – General controls
  • SOC 2 * – Information Systems controls
  * Type I and II are available for both SOCs. Type II is preferred.
• ISO 27001 Certificate – Security Controls specific
• ISO 22301 Certificate – Business Continuity specific
• Independent Pentest of Networks and Applications – with results

Page 7: Performing Vendor Security Risk Assessments

General Controls (Physical, Logical, and Administrative)

Performing a review of the general controls in place for the selected vendor provides you with a good sense of their operational abilities. These controls include:

Security
• Risk Assessments
• Human
• Policies
• Organizational
• Physical and Environmental
• Information Access Control
• Management & Organization
• Regulation and Training

Privacy
• Notice & Consents
• Collection, Use, and Storage
• Monitoring & Enforcement
• Access, Correction, and Deletion
• Sharing and Data Transfer
• Quality and Accuracy

Operational controls
• Communication and Operations Mgmt
• Systems Lifecycle Management
• Incident Management
• Business Continuity
• Compliance Management
• System Change Controls
• Maintenance and Support
• Disaster Recovery

Page 8: Performing Vendor Security Risk Assessments

Application Controls

Prior to engaging with a vendor to leverage their applications and systems, review the following:
• Application, System, and Overall Network Architecture
• Authentication and Authorization Controls
• Configuration and Change Management
• Default Privileges, and whether they are customizable
• Account and Password management, and whether it is customizable
• File System Permissions
• Session Management
• Auditing and Logging features and functionality
• Encryption at rest and in transit, within internal systems and external to you
• Data Leakage controls
• Communications and supporting protocols
• Error Handling

Page 9: Performing Vendor Security Risk Assessments

Website Controls

The vendor website needs to comply with the requirements listed below:
• Session time-out of 15 minutes or less
• SSL session mandatory for all websites
• If a cookie is used, the cookie's SSL (Secure) flag is ALWAYS set
• Website supports source IP restriction so that company staff access only from the company network
• User password resets are performed via email
• Passwords comply with the password policy
• Account lockout after 3 or 5 consecutive failed attempts
• User is required to enter the current password to reset to a new password
• Users are required to reset the default password upon initial login
• User access and entitlement reports are readily available via GUI
• User transaction logs are readily available via GUI, or provided by the vendor
• No caching of User ID and password in the browser (e.g., Internet Explorer)
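Several of the requirements above can be verified from the vendor site's own HTTP responses during the assessment. The following checker is an added example and not part of the presentation; it assumes the Strict-Transport-Security header as the evidence for "SSL mandatory", a cookie Max-Age as the evidence for the 15-minute time-out, and Cache-Control: no-store as the evidence for "no caching" (the sample responses are constructed, not captured from any vendor).

```python
SESSION_TIMEOUT_SECS = 15 * 60  # page 9: session time-out of 15 minutes or less


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Split a raw HTTP response header block into (name, value) pairs."""
    headers = []
    for line in raw.splitlines():
        if not line or line.startswith("HTTP/"):
            continue  # skip the status line and blank separator
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def check_website_controls(raw: str) -> list[str]:
    """Return the control failures found; an empty list means all checks passed."""
    headers = parse_headers(raw)
    findings = []
    for cookie in (v for n, v in headers if n == "set-cookie"):
        attrs = [a.strip() for a in cookie.split(";")]
        name = attrs[0].split("=", 1)[0]
        # lower-cased attribute name -> full attribute text, e.g. "max-age" -> "Max-Age=900"
        flags = {a.split("=", 1)[0].lower(): a for a in attrs[1:]}
        if "secure" not in flags:
            findings.append(f"cookie {name}: Secure flag not set")
        if "max-age" in flags:
            max_age = int(flags["max-age"].split("=", 1)[1])
            if max_age > SESSION_TIMEOUT_SECS:
                findings.append(f"cookie {name}: Max-Age {max_age}s exceeds 15-minute time-out")
    if not any(n == "strict-transport-security" for n, _ in headers):
        findings.append("no Strict-Transport-Security header: HTTPS is not enforced")
    cache = " ".join(v for n, v in headers if n == "cache-control").lower()
    if "no-store" not in cache:
        findings.append("Cache-Control lacks no-store: login responses may be cached")
    return findings


# Constructed sample responses (assumed for this example, not captured from any vendor).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: SESSIONID=abc123; Path=/; Max-Age=3600\r\n"
    "Cache-Control: private\r\n"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: SESSIONID=abc123; Path=/; Secure; HttpOnly; Max-Age=900\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Cache-Control: no-store\r\n"
)
```

Calling check_website_controls(WEAK_RESPONSE) reports four failures (missing Secure flag, a one-hour session cookie, no HSTS, no no-store), while the hardened response returns an empty list; the findings map directly onto the report's Website Controls section.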

Page 10: Performing Vendor Security Risk Assessments

Business Continuity and Disaster Recovery

The vendor must show strong BCP and DRP practices, including:
• Clearly identified risks and vulnerabilities related to location, geography, climate, surrounding area, etc.
• Documented Business Impact Analysis (BIA) for all business processes
• Written BCP and DRP policies, and detailed procedures
• Clearly defined RTO (Recovery Time Objective) and RPO (Recovery Point Objective). Note: the vendor's RTO and RPO must be shorter than those of your business processes; they cannot be the same amount of time.
• Redundant datacenter more than 50 km from the primary
• Replication methods and validation testing
• Regular testing of BCP and DRP under multiple scenarios and with backup staff, as well as customer engagement
• DR datacenter needs to be certified by an independent 3rd party
• Primary site evacuation procedures
• Secondary full-time staff at the DR site
• Customer escalation procedures

Page 11: Performing Vendor Security Risk Assessments

Vendor Security Risk Assessment Report

When writing the vendor security risk assessment report there are critical components that need to be included:
• Executive Summary – vendor service overview, scope of assessment, and summary of risks identified
• Assessment Details – who performed the assessment, timeframe of the assessment, paper-based or onsite visit, controls reviewed during the assessment, documentation received, independent reviews, detailed listing of risks and recommended controls to mitigate risk
• Application Controls – review of controls on applications and application services
• Website Controls – documentation of controls in place and areas of concern
• Access and Account Administration Controls – documentation on how applications and websites are accessed and what account administration functions are available
• Business Continuity and Disaster Recovery – controls regarding BCP and DRP and the outcome of tests
• Security Risk Assessment Analyst Opinion – insight on the assessment and recommendation, as well as risks associated with the vendor
• Summary

Page 12: Performing Vendor Security Risk Assessments

Questions