Date posted: 11-May-2018

Vendor Risk Management. Cover the basics of a good VRM program, standards, frameworks, pitfalls and best outcomes.

OC Chapter

Why Assess a Vendor?

• You don’t want to be a Target for hackers via your vendors' weak IT controls
• You may have to comply with various ever-increasing regulatory and other compliance frameworks
  • HIPAA
  • PCI
  • FFIEC
  • Many others

Proprietary and Confidential. Do Not Distribute. © Regents and Park, Inc. All rights reserved

FFIEC Announcement

• The appendix highlights that a financial institution’s reliance on third-party service providers to perform or support critical operations does not relieve a financial institution of its responsibility to ensure that outsourced activities are conducted in a safe and sound manner. An effective third-party management program should provide the framework for financial institution management to identify, measure, monitor, and mitigate the risks associated with outsourcing. Specifically, a financial institution should ensure that its third-party service providers do not negatively affect its ability to appropriately recover IT systems and return critical functions to normal operations in a timely manner:
  • Third-Party Management
  • Third-Party Capacity
  • Testing with Third-Party Technology Service Providers
  • Cyber Resilience


Assessment Approach

• Three key types of assessment approach:
  1. Spreadsheets and Word documents
  2. GRC tools (such as Evantix, Archer, MetricStream)
  3. Onsite interview and observation


BUSINESS CONTINUITY PLANNING (BCP) - sample control assessment worksheet

Column groups: Control Findings | Control Evaluation | Management Response
Columns: DOI Questionnaire Ref # | DOI Questionnaire Question | Management Response | Control Activity Findings | Supporting Evidence | Other Audit Documentation Used? | Control Assessment | Previous Audit Recommendations | Remediation Recommendation | Comments | Evaluation of Response

Ref #: E1
Question: Is the business contingency plan a) current, b) based on a business impact analysis, c) has it been tested, and d) does it address all significant business activities, including financial functions, telecommunication services, data processing services and network services?
Management Response: Y
Control Activity Findings: Based on inquiry, and review of company documentation, it appears that:
  1a) Current Business Continuity Plans are maintained and saved on an internal portal - PaceMaker (PaceMaker Initial Screen.pdf). They cover both business and technical/IT aspects of disaster recovery and business continuity. The samples selected (Claims, IT, and Financial Reporting) include sections for Maintenance Phase - Mandatory Update As Required, Quarterly & Semi-Annual Review of Critical Information, Testing, Recovery Phase - Pre-Activation, Activation, Critical Operations, Full Recovery, Post Recovery and Reference Attachments for applicable locations. (Claims BCP.pdf, Financial Reporting BCP.pdf, IT BCP General.pdf, IT BCP Hot-Site Implementation Team.pdf, IT BCP Alternative Office Support Team.pdf, IT BCP Telecommunication Recovery Team.pdf) A Confidential Crisis Management Plan also exists and was examined with management. Hard-copy binders are kept by key executives at off-site locations. The IT department also maintains BCPs for significant systems/applications and databases on the company's Sharepoint portal (BCP System Recovery Procedures.Sharepoint Folder.pdf, BCP Zeus Recovery Procedures Folder.pdf, BCP Oracle Financials Recovery Procedures Folder.pdf). The system BCPs outline specific procedures for recovering the system after a disaster (Control Procedures IT - BRP Zeus Checks.doc, DBA BCP Procedures.doc, Forms_10_BCP_Documentation-v3.doc, R12 OAP BCP Process.doc).
  1b) Management indicates that a comprehensive business impact analysis (BIA) has been performed for significant business areas and is maintained and saved to PaceMaker (PaceMaker Initial Screen.pdf). The documented BIA examines areas such as: Background Information - General, Process Description, Operating Locations, Peak Operating Times & Cycle Time, Annualized Return, Annualized Production Output; Resource Requirements - General Resource Requirements, Notes, Key Records, Data, Intellectual Property & Documentation and Records Management Process, Disaster Preparedness/Work From Home Capabilities; Dependencies - Key Customers, Service Level Agreements w/ Customers, Process Dependencies, Product Dependencies, Technology Dependencies, Vendor/External Dependencies; Regulatory Requirements - Regulatory Considerations, Reporting Requirements; and BIA - Recovery Objectives, Reputation Impairment - Customer and Stakeholder Considerations, Employees, Cash Flow Interruption, Financial Control and Reporting Exposure and Contractual Noncompliance (Claims BIA.pdf, Financial Reporting BIA.pdf). BCP-System RTOs.xls documents the Recovery Time Objectives for IT Supported Business Applications per Department/Functional area.
Supporting Evidence (1a): PaceMaker Initial Screen.pdf; Claims BCP.pdf; Financial Reporting BCP.pdf; IT BCP General.pdf; IT BCP Hot-Site Implementation Team.pdf; IT BCP Alternative Office Support Team.pdf; IT BCP Telecommunication Recovery Team.pdf; BCP System Recovery Procedures.Sharepoint Folder.pdf; BCP Zeus Recovery Procedures Folder.pdf; BCP Oracle Financials Recovery Procedures Folder.pdf; Control Procedures IT - BRP Zeus Checks.doc; DBA BCP Procedures.doc; Forms_10_BCP_Documentation-v3.doc; R12 OAP BCP Process.doc
Supporting Evidence (1b): PaceMaker Initial Screen.pdf; Claims BIA.pdf; Financial Reporting BIA.pdf
Other Audit Documentation Used?: N
Control Assessment: Based on the information provided, this control appears to be at CobiT Maturity Model Level 4 - Managed and Measurable.
Previous Audit Recommendations: None
Remediation Recommendation: None
Comments: N/A
Evaluation of Response: N/A

Frameworks and Standards

• ISO, 2013 version
  • Not an assessment tool, more an ISMS, but some have adapted it to fit VRM
• NIST
• PCI, version 3.1
• HIPAA, 2014 update
• Shared Assessments
  • Licensed version, 2015


SIG Lite questionnaire with framework cross-references (sample)

Columns: Ques Num | SIG Question Text | Response | Additional Information | AUP 2015 Relevance | ISO 27002:2013 Relevance | COBIT 4.0 Relevance | PCI 3.0 | FFIEC | COBIT 4.1 Relevance | Shared Assessments Program Cloud Computing White Paper Description

A. Risk Assessment and Treatment

SL.1 Is there a risk assessment program that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the program?
  AUP 2015: A.1 IT & Infrastructure Risk Governance and Context
  ISO 27002:2013: 5.1, 6.1.2 Leadership & Commitment, Information Security Risk Assessment
  PCI 3.0: 12.2
  FFIEC: IS.1.3.1, BCP.1.2.1, BCP.1.3.5, MGMT.1.6.1.1, OPS.1.3
  COBIT 4.1: PO9.4

B. Security Policy

SL.2 Is there an information security policy that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the policy?
  AUP 2015: B.1 Information Security Policy Content & Maintenance
  ISO 27002:2013: 5.1.1 Policies for information security
  COBIT 4.0: PO6.1 IT policy and control environment
  PCI 3.0: 5.4, 12.1
  FFIEC: IS.1.4.1
  COBIT 4.1: PO6.1, PO6.2, PO6.3, PO6.5, DS5.2, DS5.3, ME2.1

SL.3 Have the policies been reviewed in the last 12 months?
  AUP 2015: B.1 Procedure: d
  ISO 27002:2013: 5.1.2 Review of the policies for information security
  COBIT 4.0: PO3.1 Technological direction planning
  PCI 3.0: 12.2.b
  FFIEC: IS.1.4.2.7
  COBIT 4.1: PO3.1, PO5.3, PO5.4, PO6.3, PO9.4, DS5.2, DS5.3, ME2.2, ME2.5, ME2.7, ME4.7

SL.4 Is there a vendor management program?
  PCI 3.0: 12.8
  Remaining columns: N/A

C. Organizational Security

SL.5 Is there a respondent information security function responsible for security initiatives?
  AUP 2015: C.3 Security Organization Roles/Responsibilities
  ISO 27002:2013: 6.1.1 Information Security Roles and Responsibilities
  COBIT 4.0: PO3.3 Monitoring of future trends and regulations
  PCI 3.0: 12.5
  FFIEC: IS.1.7.4, MGMT.1.6.1.6
  COBIT 4.1: PO3.3, PO3.5, PO4.3, PO4.4, PO4.5, PO4.8, PO6.3, PO6.4, PO6.5, DS5.1

SL.6 Do external parties have access to Scoped Systems and Data or processing facilities?
  ISO 27002:2013: 15 Supplier relationships
  PCI 3.0: 12.8
  FFIEC: N/A
  COBIT 4.1: PO6.4, DS5.5, ME2.2, ME2.5, ME4.7

D. Asset Management

SL.7 Is there an asset management policy or program that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the policy?
  AUP 2015: D. Assessment Management
  ISO 27002:2013: 8.1 Responsibility For Assets
  COBIT 4.0 / PCI 3.0 / FFIEC: N/A
  COBIT 4.1: PO4.14, PO6.4, PO8.3, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, ME2.6

SL.8 Are information assets classified?
  AUP 2015: D.1.c.6
  ISO 27002:2013: 8.2.1 Classification of Information
  COBIT 4.0: PO2.3 Data classification scheme
  PCI 3.0: 9.6.1
  FFIEC: N/A
  COBIT 4.1: PO2, AI2, DS9

E. Human Resource Security

SL.9 Are security roles and responsibilities of constituents defined and documented in accordance with the respondent’s information security policy?
  AUP 2015: C.3 Security Organization Roles/Responsibilities
  ISO 27002:2013: 6.1.1 Information security roles and responsibilities
  COBIT 4.0: PO4.6 Roles and responsibilities
  PCI 3.0: 12.1
  FFIEC: IS.2.M.15.1, MGMT.1.6.1.2, WPS.2.2.1.3.1
  COBIT 4.1: PO4.6, PO4.8, PO6.3, PO7.1, PO7.2, PO7.3, DS5.4

Value of a Remote Assessment

• Audit trail
• Sales or CSO completing the assessment
• Delegation functionality
• Vendor's vendor!
• Procurement contract
• RFI
• Provides attachments
• Questions scored
• Questions and sections weighted
• Cheaper to perform over 100s of vendors


Onsite Assessment

• Interview
• Observation
• Data collection
• Immediate remediation suggestions
• Ability to gauge the honesty of the vendor's management
• Overall risk assessment more accurate
• Why not do both!
  • Remote followed by onsite for a subset of the overall vendor pool
• A bit less of him!
• And more of this!


VRM Assessment Process

• Relationship Assessment
• Profile Assessment
• Control Assessment

Proprietary and Confidential. Do Not Distribute. @ Regents and Park, Inc. All rights reserved

8

Relationship Assessment


Risk tiers (figure):
• High Risk
• Med Risk
• Low Risk

Profile Assessment


Source: D&B, Experian, Thomson Reuters
Value: RFP selector, fraud indicator
Result: Go / No-Go, onsite, reserves against losses

Control Assessment


Control assessment flow (figure):
• SaaS Assessment (assess ISO) -> Result: Low Risk Score -> Move to Annual Assessment status
• Onsite Assessment (interview and observation) -> Med Risk Score -> Move to Remediation status
• Remediation (opt for 30 / 60 / 90 day plan for remediation of gaps) -> Re-Assess

Assessment Frequency

• Annual assessment
  • First year
  • Small number of vendors
  • Assessing high-risk vendors only
• 2- and 3-year rotational plan
  • Med- and low-risk vendors
  • Too many vendors to assess
  • Vendor changes its service and/or supply type


VRM Team

• ITS or Security team
• VRM (Vendor Risk Management) team
• Procurement
• Outsourced professional services
• Internal Audit
  • Independent review of VRM results
  • CPA firms
  • FDIC


Vendor Risks

• Don’t be a Target
• No contract over your vendor's vendors
• IP
• Customer DB
• Employee DB
• Outsourced IT
• GEO
• FCPA


• Bankruptcy
• No longer able to support your need
• Disappearing hardware and IP
• Risk
  • Reputational
  • Financial
  • Regulatory

Questions


Regents & Park VRM Blog

• LinkedIn blog on VRM
  • www.linkedin.com/in/jasonnjames
  • https://www.linkedin.com/today/author/381038


Regents & Park

• Jason James
• President
• +1 (949) 903-2524
• [email protected]
