Third Party Risk Management: How to Identify and Manage Data Security Risks from your Vendors

Post on 30-Apr-2018


Third Party Risk Management:

How to Identify and Manage Data

Security Risks from your Vendors

Presenters:

Allie Russell, Conexxus

Kara Gunderson, DSSC Chair, CITGO Petroleum

Sam Pfanstiel, DSSC SME, Solution Principal, Coalfire

Agenda

• Housekeeping

• Presenters

• About Conexxus

• Presentation

• Q & A

Housekeeping

This webinar is being recorded and will be made available in approximately 30 days.

• YouTube (youtube.com/conexxusonline)

• Website Link (conexxus.org)

• Slide Deck

• Survey Link – Presentation provided at end

Participants

• Ask questions via webinar interface

• Please, no vendor specific questions

Email: info@conexxus.org

Presenters

Conexxus Host: Allie Russell, Conexxus, arussell@conexxus.org

Moderator: Kara Gunderson, Chair, Data Security Committee; POS Manager, CITGO Petroleum, kgunder@citgo.com

Speakers

Sam Pfanstiel

Solution Principal, PCI

Coalfire Systems, Inc.

sam.pfanstiel@coalfire.com

About Conexxus

• We are an independent, non-profit, member driven technology organization

• We set standards…

– Data exchange

– Security

– Mobile commerce

• We provide vision – Identify emerging tech/trends

• We advocate for our industry – Technology is policy

2017 Conexxus Webinar Schedule*

Month/Date | Webinar Title | Speaker | Company

July 27, 2017 | Third Party Risk Management: How to Identify and Manage Data Security Risks from your Vendors | Sam Pfanstiel | Coalfire Systems

August 31, 2017 | Using the NIST Cybersecurity Framework to Guide your Security Program | Chris Lietz | Coalfire Systems

September 21, 2017 | Things & Impact of Bring Your Own Device to the Workplace | Bradford Loewy; Jeff Gibson | Dover Fueling; ControlScan

November, 2017 | New Technologies for Addressing Payment Risk: A Survey of Payments Security Landscape | Ravi Raghavan (other DSSC member(s) TBD) | Coalfire Systems

December 2017 | Conexxus: EB2B White Paper Presentation | TBD | EB2B WG

2018 Conexxus Webinar Schedule*

Month/Date | Webinar Title | Speaker | Company

January 2018 | Securing and Pen Testing your Mobile Payment App | Denis Sheridan | Cigital

February 2018 | Unified threat management: What is it and why is it important? | Thomas Duncan | Omega

March 2018 | Penetration Testing: How to Test What Matters Most | Sam Pfanstiel & Coalfire Lab Personnel | Coalfire

May 2018 | QIR Program Update | Chris Bucolo | ControlScan

At the NACS Show

October 17-20, 2017, Chicago, IL, Booth 4384

Speaker

Sam Pfanstiel

MBA, CISSP, CISM, QSA(P2PE), ETA CPP

Solution Principal, PCI

Coalfire Systems, Inc.

20 years in IT Management, Payments, and Security

Works directly with Coalfire payments teams across marketing, sales, product, and delivery to help demystify complex risk and compliance requirements, communicating effective cyber security solution strategies to stakeholders throughout the enterprise.

Former CEO, CIO, VP, and Director in charge of payment solutions

Part of team that built 1st North American PCI-P2PE solution (2014)

Part of team that built 1st S.N.A.P. EBT mobile POS terminal (2007)

Conexxus: Third Party Risk Management

Third Party Risk Management

• Definitions

• Why TPRM matters to every enterprise

• Best Practices in TPRM

• TPRM and PCI DSS

• TPRM in Petroleum Retail

• Resources


Definitions

• TPRM – Third Party Risk Management

• TPRM vs. SRM vs. VRM

• TPSP – Third Party Service Provider

• 3rd Parties

• 4th Parties


Examples

• Oil Brand

• Retailers

• Distributors

• Service Providers

• Suppliers

• Fourth-Parties

• Gateway/Processor

• Backup Storage

• Managed Service Providers

• Web-Hosting

• Service Services

• Fraud Detection


WHY TPRM MATTERS


Why TPRM Matters – Risks

Third Parties are critical to all areas of business, handling core functions of business:

• Vendor Performance Standards – Disruption, SLAs

• Conflict of Interests – Ownership of Data

• Business Continuity

• Security / Data Protection

• Revenue Impact

Why TPRM Matters

Data breaches primarily due to vendor security:

• Major Big Box Retailer: HVAC vendor

• Major Home Improvement Store: Stolen vendor credentials

• Major Ecommerce Network: Stolen Vendor Credentials

• Snowden / NSA Leak

• Sweden Leak

• C-Stores are “most susceptible to data breach” (Source: Risk Based Security, 2015)

VRMMM Survey Results

The 2016 Vendor Risk Management Maturity Model (VRMMM) Survey had the following findings:

• Third Party Risk Management is a “front burner” issue

• Board engagement on cybersecurity is growing – but not with respect to vendor risk

• Vendor assessment maturity is growing

• Numerous areas were identified for improvement

Source: Shared Assessments, Protiviti 2016

BEST PRACTICES


TPRM Methodology Development

“The Four RMs”

1. Risk Measurement

– Linked to ERM

– Measures the risk of both the activity itself and of the vendor in particular

2. Risk Management

– Standard mechanisms for dealing with risk: accept, decline, transfer, modify

3. Risk Monitoring

– New/evolving risks (including vendor changes)

4. Response Management

– Incident response, both on your organization’s part and the vendor’s

TPRM Best Practices

TPRM program activities can be grouped into 3 categories:

• Governance

• Operationalization

• Program Management

Source: Coalfire, 2017

TPRM Methodology

[Diagram: three phases – Define, Develop, Implement – spanning the Governance, Operations, and Program Management and Maintenance layers. Components shown: Current State Assessment; Policies and Procedures; Third Party Profiles; Third Party Screening; Risk Assessments; Audit and Validation; Tools/Technology Selection; Risk Scorecards/Dashboards; Training and Awareness; Risk Measurement; Risk Monitoring; Risk Response.]

Source: Coalfire, 2017

TPRM Best Practices - Governance

• Set the Tone at the Top

• Formalized Governance Model

• Enterprise Risk Mgmt

• Established Roles

– Internal Audit

– Vendor Relationship Manager


TPRM Best Practices - Operations

• Full Vendor Inventory & Profiles

• Review Policies, Procedures, Processes

• Establish Standard Contract Template

– PCI DSS 12.8.2


TPRM Best Practices - Operations

• Develop a Third Party Risk Categorization Process

• Conduct

• Define Security Requirements for each Third Party

• Processes for Monitoring and Ensuring Security of Vendors

TPRM Best Practices - Operations

• Phased Implementation, If Needed

• TPRM Risk Management Software Platform

• Establish Standard Contract Template

• Maintain Secure Repository for Contracts

Administration


TPRM Best Practices

Program Management and Maintenance

• TPRM Issue Management Software

• TPRM Training Materials

• Periodic Assessment

• Reporting and Review


TPRM Case Study

Background

• Publicly-traded

• 1000s of TPSP

• Board involvement

• CISO maintained standards, audited handful of vendors

• Internal Audit engaged to review

Findings

• Many vendors outside program

• Inconsistent standards

• Inadequate contract provisions

• Insufficient vendor security audits

• Vendors not held accountable

Corrective Actions

• Joined industry association for access to TPRM best practices

• Rewrote policies to risk-rank vendors and absorb previously excluded vendors

• Standards updated for emerging threats

• Vendor accountable for 4th party

• Contracts updated

TPRM IN PCI DSS


TPRM in PCI DSS

• Req 12.8 - Vendor Management

• Req 6 – Vendor Systems and Applications

• Req 8.1.5 & 12.3 - Vendor Remote Access

• Responsibility Matrix

• Vendor Documentation throughout

• Vendors are critical to all areas of PCI DSS

TPRM in PCI DSS – 12.8.1

• List of Vendors

• Description of Services

• Up-to-date

TPRM in PCI DSS – 12.8.2

• Agreement Acknowledges PCI Responsibility

TPRM in PCI DSS – 12.8.3

• Processes for Due Diligence

TPRM in PCI DSS – 12.8.4-5

• Monitoring Vendor Compliance and Controls
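The 12.8.1 through 12.8.5 checks above, plus the vendor risk-ranking called for under the Operations best practices, can be run over a vendor inventory as a simple review. This is an added illustration, not Coalfire's or Conexxus's code; the vendor records, field names and the one-year AOC window are constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed inventory record (field names are this example's own assumption
# for what a 12.8.1 vendor list would track; none of it is from the deck).
@dataclass
class Vendor:
    name: str
    services: str                # 12.8.1: description of services provided
    handles_chd: bool            # stores/processes/transmits cardholder data
    remote_access: bool          # vendor remote access into the CDE (8.1.5 / 12.3)
    pci_clause_signed: bool      # 12.8.2: agreement acknowledges PCI responsibility
    due_diligence_done: bool     # 12.8.3: engagement due diligence completed
    aoc_date: Optional[date]     # date of the latest Attestation of Compliance
    resp_matrix: bool            # 12.8.5: responsibility matrix maintained

def risk_tier(v: Vendor) -> str:
    """Risk-rank a vendor: direct CHD handling is high, remote CDE access medium."""
    if v.handles_chd:
        return "high"
    if v.remote_access:
        return "medium"
    return "low"

def review_vendor(v: Vendor, today: date) -> List[str]:
    """Return 12.8-style gaps for one vendor; an empty list means none found."""
    gaps = []
    if not v.services.strip():
        gaps.append("12.8.1 missing description of services")
    if not v.pci_clause_signed:
        gaps.append("12.8.2 agreement lacks PCI responsibility acknowledgement")
    if not v.due_diligence_done:
        gaps.append("12.8.3 no due diligence on record")
    # 12.8.4 asks for at least annual monitoring; for in-scope vendors treat a
    # missing AOC or one older than 365 days (assumed window) as a gap.
    in_scope = v.handles_chd or v.remote_access
    if in_scope and (v.aoc_date is None or (today - v.aoc_date).days > 365):
        gaps.append("12.8.4 no current AOC (annual monitoring)")
    if in_scope and not v.resp_matrix:
        gaps.append("12.8.5 responsibility matrix not maintained")
    return gaps

def review_inventory(vendors: List[Vendor], today: date) -> Dict[str, Tuple[str, List[str]]]:
    """Map vendor name -> (risk tier, gaps), highest-risk vendors first."""
    rows = {v.name: (risk_tier(v), review_vendor(v, today)) for v in vendors}
    order = {"high": 0, "medium": 1, "low": 2}
    return dict(sorted(rows.items(), key=lambda kv: order[kv[1][0]]))

SAMPLE = [  # constructed vendors, not real companies
    Vendor("Gateway Co", "payment gateway", True, False, True, True, date(2017, 3, 1), True),
    Vendor("HVAC Svc", "", False, True, False, True, None, False),
    Vendor("Web Host", "marketing site hosting", False, False, True, True, None, True),
]
```

Running `review_inventory(SAMPLE, date(2018, 4, 30))` flags the gateway only for a stale AOC, while the remote-access HVAC vendor with no service description, no PCI clause, no AOC and no responsibility matrix collects four findings.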


TPRM in PCI DSS – 6


TPRM in PCI DSS – 8.1.5, 12.3.9


Vendor Logging

• AFD Service Technicians (9.9)

• DSD (Direct Service Delivery) if they enter the C-Store CDE or secured area

• Log everything (whether required or not)

TPRM in PCI DSS – Resp. Matrix

• Clear Communication of Responsibility by Control

Source: Information Supplement: Third-Party Security Assurance and Shared Responsibilities

TPRM in PCI DSS – QSA Perspective

Typical Gaps

• Vendor inventory

• Incomplete vendor documentation

• Ambiguous responsibility assignment

• Missing AOCs, or services not covered on AOC

RESOURCES

Resources

• Information Supplement: Third-Party Security Assurance and Shared Responsibilities

• Shared Assessments

– Framework

– Shared Information Gathering (SIG)

• NIST CSF 1.1 – Cybersecurity Framework

• Contact Coalfire Cyber Risk Advisory or consultant to assist with TPRM / risk assessment

Conexxus: Third Party Risk Management

• Website: www.conexxus.org

• Email: info@conexxus.org

• LinkedIn Group: Conexxus Online

• Follow us on Twitter: @Conexxusonline
