Top 10 Tips for Effectively Assessing Third-Party Vendors
Tom Garrubba, CISA, CRISC, CIPP/IT
Senior Privacy Manager, Information Governance & Privacy - Legal | CVS Caremark
Office 412.967.8196 | Cell 724.689.6386
620 Epsilon Drive, Pittsburgh PA 15238
[email protected]
Top 10 Tips: 2. Determine what data is in-scope for assessment

Who?
• Regulators (FTC, Federal Reserve, HHS, FDIC, etc.)
• Industry (PCI)
• Customers
• Own criteria

What information?
• Customer information
• Employee information

Why?
• You are compelled to perform due diligence by law, regulation, or standard
• Your customers demand it, as you are putting their information at risk by giving it to another company
Top 10 Tips
1. One size doesn’t fit all … and it isn’t free
2. Determine what data is in-scope for assessment
3. Accurately & thoroughly describe how the data will flow
Top 10 Tips: 3. Accurately & thoroughly describe how the data flows

Precisely and completely, describe:
• The services the vendor will provide
• The customer, employee, & company data and information the vendor will collect and/or have access to
• What the vendor will do with this data and information
• Where this data and information will be processed & stored
• How the data will get to the vendor
• Any subcontractors to be used
Top 10 Tips: 5. Start with an assessment and data collection instrument

Assessment: a due diligence activity to gain a level of comfort with the overall security, privacy, and data protection posture of the vendor.

Send a questionnaire to the vendor and have it returned for analysis:
• Use an existing questionnaire such as the Shared Assessments SIG (“Standard Information Gathering”), an industry standard questionnaire developed by members of the Shared Assessments (www.sharedassessments.org) program. It covers all domains of ISO 27002 as well as HIPAA-HITRUST, PCI-DSS, COBIT, NIST, GLBA, Privacy & Cloud, and BYOD.
• Or develop & send your own questionnaire.

Have qualified people assess the responses:
• CISA, CRISC, CISSP, CIPP/US/G/C/IT, …
Top 10 Tips: 5. Start with an assessment and data collection instrument (continued): assessment phases

Phase 1: Pre-Assessment
• Define Scope
• Define Data in use (CSTUPID)
• Distribute questionnaire

Phase 2: Assessment
• Perform Kickoff
• Obtain BU and Vendor Docs
• Acquire SIG Responses
• Perform AUP
• Document CI’s

Phase 3: Post-Assessment
• Update BU and Vendor Management
• Track CI’s
• File BU/Vendor Docs
• Remediate CI’s

Phase 4: Re-Assessment
• Risk Scoring
• Re-evaluate Data Type
• Re-evaluate Location
Top 10 Tips
Top 10 Tips: 7. Accept or remediate non-compliant items (VAP Phase 3: Assessment)

Contingent Items (aka issues, findings, observations, etc.):
• You can accept the risk associated with a particular item, or…
• You can require remediation of the item:
  • Require remediation by the vendor or business unit
  • Risk-rate and prioritize accordingly
  • Actively monitor until they are closed
  • Escalate to appropriate levels of management if timelines are not met
  • Adjust the timelines if the vendor cannot reasonably meet the target dates

Contingent Items – 3 types of CI’s:
• Contractual
  • Contracts, SOW’s, NDA’s, BAA’s, DPSR’s, DSA’s, Med-D waivers, IRB waivers
  • These are usually incomplete or out of date
• HR-related
  • Drug testing, background checks, credit checks
Top 10 Tips: 8. Identify and assess critical, downstream vendors and subcontractors

Downstream vendors/subcontractors:
• If you have a contract with them…
  • See if you’ve already assessed them; if not, then assess them!
  • Request the same documentation as if they were a primary vendor
• If you don’t have a contract with them…
  • Work with the primary vendor to obtain documentation
  • Have the primary vendor set up a call to see what the DSV/subcontractor is willing to provide
  • Use the same assessor if possible (they know the scope of work)!
Top 10 Tips
1. One size doesn’t fit all … and it isn’t free
2. Determine what data is in-scope for assessment
3. Accurately & thoroughly describe how the data will flow
4. Triage risk – High, Medium, & Low?
5. Start with an assessment & data collection instrument
6. Trust but Verify - Collect evidence
7. Accept or remediate non-compliant findings
8. Identify & assess critical, downstream vendors/subcontractors
9. Determine if/when an on-site review is indicated
10. Determine when a reassessment should be performed
and …
11. Retain all assessment data, decisions, & records
Top 10 Tips: BONUS #1: Manage your external assessors

They are an extension of your VAP team and should be treated as such:
• Discuss their progress at least weekly
• Ensure they pull you in when the assessment begins to “look bad” - no surprises!
• Participate in closing meetings for key/offshore vendors

Make sure vendors will accept their NDA’s:
• Be prepared for the legal departments to red-line the document!
• Be prepared to adjust start/end dates

VRB status monitoring:
• Assessments assigned to assessors
• Internal/external assessments open
• Pre-assessment review

Stage gates monitoring:
• Assessor kickoff
• How long it takes to get the questionnaire back
• How long it takes to resolve AUP items (questions, documentation)
• Assessments in management review
• Contingencies due in the past 30/60/90/>120 days