ensuring data security at third-party providers


Upload: phand9

Post on 29-Nov-2014


DESCRIPTION

The presentation that was created and given at the Super Strategies Conference in Chicago on May 12, 2011.

TRANSCRIPT

Page 1: Ensuring Data Security at Third-Party Providers

© If appropriate, Insert your organization’s copyright information

Session # D5

Ensuring Data Security at Third-Party Providers

Thursday, May 12, 2011, 1:30 – 2:45

Peter Hand, CISA, CRISC, Sr. Auditor

Page 2: Ensuring Data Security at Third-Party Providers

About your presenter

Peter Hand

– Bachelor's Degree in Computer Information Systems

– CISA and CRISC certified

– Former Computer Programmer who actually did coding for Y2K, and has to say that the movie Office Space hit what it was like right on the head

– Currently a Sr. IT Auditor for a Chicago-based company, performing Data Security audits at third-party providers

Page 3: Ensuring Data Security at Third-Party Providers

Key Points

Defining security requirements for third-party business partners in line with corporate policies

Creating and maintaining an inventory of third-party providers with services performed

Using your Internal Audit and Information Security teams to perform monitoring through audits and site visits

Linking corporate information security standards to third-party business partners requirements

Page 4: Ensuring Data Security at Third-Party Providers

Assumptions

In order to reach the true goal of lockdown Data Security the following should be considered as part of your reality:

– The Earth, Sun, and Moon are all aligned

– There is an unlimited budget and resources are readily available

– 3-6-9-23-35-44 will be the winning lottery numbers

– The Chicago Cubs will win the World Series

Page 5: Ensuring Data Security at Third-Party Providers

Importance of Third Party Data Security

Why is Data Security so important?

– The trust factor

• Reputational impact

• Business impact

Page 6: Ensuring Data Security at Third-Party Providers

Importance of Third Party Data Security

Why is Data Security so important? (cont’d)

– The financial impact of a data breach (aka the bottom line)

• Per a study performed by the Ponemon Institute and Symantec, the cost of a data breach averages 7.2 million dollars per incident. This is a 7% increase from the previous year

• According to a Bloomberg.com article dated March 8, 2011, one breach incident cost a company $35.3 million

Page 7: Ensuring Data Security at Third-Party Providers

Importance of Third Party Data Security

Why is Data Security so important? (cont’d)

– The average cost of a breached record

• A malicious or criminally compromised record costs a company an average of $318

• A compromised record at a third party costs an average of $302

Page 8: Ensuring Data Security at Third-Party Providers

Importance of Third Party Data Security

The value of data, and why anyone would attempt to break into a system

– Tough economic times

– SSN = $1

– Medical Identity Information = $50

Page 9: Ensuring Data Security at Third-Party Providers

Importance of Third Party Data Security

What happens if a breach occurs at the Third Party Business Partner?

– Who is responsible and who gets the “black eye”?

Page 10: Ensuring Data Security at Third-Party Providers

Importance of Third Party Data Security

YOUR COMPANY

Page 11: Ensuring Data Security at Third-Party Providers

Importance of Third Party Data Security

Page 12: Ensuring Data Security at Third-Party Providers

The Four Areas of consideration

The path to ensuring Data Security at Third-Party Providers can be found in four areas:

– Internal Initiation / Setup / Standards

– External Relationship Initiation / Implementation

– Production State

– Termination State

Page 13: Ensuring Data Security at Third-Party Providers

Internal Initiation / Setup / Standards

Page 14: Ensuring Data Security at Third-Party Providers

Internal Initiation / Setup / Standards

Understand and maintain up-to-date documentation of your Third Party Business Partners covering, at a minimum, the following:

– Policies & Procedures for defining contractual, technical, and business rule requirements before a relationship is initiated

– Business Partner Inventory

– Services rendered and performance Service Level Agreements (SLAs) of engaged Business Partners

– Costs

Page 15: Ensuring Data Security at Third-Party Providers

Internal Initiation / Setup / Standards

Policies & Procedures for defining contractual, technical, and business rule requirements should exist before a Business Partner relationship is initiated

– Policies & Procedures should be in place defining expected security requirements, SLAs, and any other expectations for Business Partners

– All of these expectations should be clearly defined and documented so that relationship expectations are clearly understood and can be communicated before beginning a relationship

Page 16: Ensuring Data Security at Third-Party Providers

Internal Initiation / Setup / Standards

Business Partner Inventory

– A comprehensive list needs to be maintained of all existing Business Partner relationships including the following:

• Internal relationship owner

• Primary Business Partner contacts

• Services performed

• Production implementation date

• Business instrument expiration / renewal date

Page 17: Ensuring Data Security at Third-Party Providers

Internal Initiation / Setup / Standards

Services rendered and performance SLAs of engaged Business Partners

– Understanding the services performed by Business Partners allows you to determine if this relationship can be leveraged for your needs, or if a new Business Partner relationship should be implemented

– Understanding the SLAs, and whether or not they are being met, will also allow you to determine if a relationship can be leveraged for new needs, as well as whether the relationship should be terminated or re-negotiated

Page 18: Ensuring Data Security at Third-Party Providers

Internal Initiation / Setup / Standards

Costs

– Understand the costs associated with the existing population to determine if it is cheaper to leverage an existing relationship or establish a new one

– When establishing a new relationship consider not only new work, but also transferring existing work if efficiencies and / or savings can be realized

Page 19: Ensuring Data Security at Third-Party Providers

Internal Initiation / Setup / Standards

Other considerations

– Clearly defined Production State parameters:

• Regularly scheduled status meetings

• Regular reporting on SLA achievement versus target

• A dedicated team in place for the “managing” of the relationship

Page 20: Ensuring Data Security at Third-Party Providers

Internal Initiation / Setup / Standards

Other considerations

– Clearly defined Relationship Termination parameters:

• How data will be handled upon relationship termination

• How final resolution of data storage will be handled

• How data destruction will be accounted for

Page 21: Ensuring Data Security at Third-Party Providers

External Relationship Initiation / Implementation

Page 22: Ensuring Data Security at Third-Party Providers

External Relationship Initiation / Implementation

Understand the requirements for engaging, pricing, testing, and implementing a Business Partner into production.

– Policies & Procedures for:

• Initiating contact

• Request for Information (RFI) requirements

• Request for Pricing (RFP) requirements

• Security standards

• Implementation standards

– Contractual requirements

– Site visits

Page 23: Ensuring Data Security at Third-Party Providers

External Relationship Initiation / Implementation

Initiating contact

– Central point of contact for handling Business Partner initiation, such as a procurement department

– A central business area contact, responsible for maintaining the relationship and keeping communication channels open

– A central technical area contact, responsible for working with the Business Partner on all technical aspects of the relationship during the entire relationship lifecycle

Page 24: Ensuring Data Security at Third-Party Providers

External Relationship Initiation / Implementation

Request for Information (RFI)

– Documentation which outlines Business Partner requirements for services requested as well as security and business processing requirements

– Specific parameters outlining expected deliverables for RFI

Page 25: Ensuring Data Security at Third-Party Providers

External Relationship Initiation / Implementation

Request for Pricing (RFP)

– Documentation which outlines Business Partner requirements for services requested as well as security and business processing requirements

– Parameters defining the number of iterations of process or control execution expected during a defined time period, such as monthly or weekly

Page 26: Ensuring Data Security at Third-Party Providers

External Relationship Initiation / Implementation

Security Standards

– Documentation outlining the security standards a Business Partner must meet for the services requested, covering both security and business processing requirements

Page 27: Ensuring Data Security at Third-Party Providers

External Relationship Initiation / Implementation

Security Standards (cont’d)

– Some security standards to consider include:

• An assigned contact, such as a Security Officer, responsible for ensuring compliance with any and all regulations, including industry standards such as HIPAA

• Defined Policies & Procedures for the technical and administrative controls for the handling of data

Page 28: Ensuring Data Security at Third-Party Providers

External Relationship Initiation / Implementation

Security Standards (cont’d)

• Continual Security Monitoring & Issue Reporting

• Monthly Performance Reporting

• Incident Response procedures, including breach notification procedures

• Employment screening for employees who will interact with your data; this can include new or existing employees

Page 29: Ensuring Data Security at Third-Party Providers

External Relationship Initiation / Implementation

Implementation Standards

– Standard testing Policies & Procedures outlining all test cases and expected results

• This should include communication, security, and access testing

– Depending on the size of the contract, site visits should be performed at Third Party Data Centers to verify physical access security

Page 30: Ensuring Data Security at Third-Party Providers

External Relationship Initiation / Implementation

Implementation Standards (cont’d)

– Review different reports that may be available:

• SAS70 – Statement of Auditing Standards No. 70

– Allows service organizations to disclose their control activities and processes to their customers in a uniform reporting format.

Page 31: Ensuring Data Security at Third-Party Providers

External Relationship Initiation / Implementation

Implementation Standards (cont’d)

• Service Organization Control Reports (SOC) – Provides a framework to examine controls and to help management understand related risks. There are three reporting options:

– SOC1 – Also known as SSAE16 (Statement on Standards for Attestation Engagements No. 16, Reporting of Controls at a Service Organization). This focuses on controls at a service organization that are likely to be relevant to an audit of a user entity’s financial statement.

Page 32: Ensuring Data Security at Third-Party Providers

External Relationship Initiation / Implementation

Implementation Standards (cont’d)

– SOC2 – A report that specifically addresses one or more of the following five key system attributes:

• Security

• Availability

• Processing Integrity

• Confidentiality

• Privacy

Page 33: Ensuring Data Security at Third-Party Providers

External Relationship Initiation / Implementation

Implementation Standards (cont’d)

– SOC3 – A general-use report that provides only the auditor’s report on whether or not the system achieved the trust services criteria.

Page 34: Ensuring Data Security at Third-Party Providers

External Relationship Initiation / Implementation

Contractual Requirements

– Right to Audit clause

– Service Level Agreements defining expectations of services performed and expected delivery timeframes

– Business language requiring that any use of subcontractors by the engaged Business Partner be approved before their engagement

Page 35: Ensuring Data Security at Third-Party Providers

External Relationship Initiation / Implementation

Contractual Requirements (cont’d)

– Defined security requirements based upon defined and tested security parameters

– Defined escalation procedures in the case of incidents / breaches

– Defined parameters for the handling of data in the case of relationship termination

Page 36: Ensuring Data Security at Third-Party Providers

Production State

Page 37: Ensuring Data Security at Third-Party Providers

Production State

Production State reporting and monitoring

– Periodic business partner reviews should be performed by a defined team. Some requirements to consider when performing the review:

• Review of audit documents such as SAS70 or SSAE16

• Annual site visits to a selection of business partners based on pre-defined criteria, such as risk level or performance
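The inventory slide (Page 16) lists the minimum fields every Business Partner entry should carry, and the production-state review above selects partners for annual site visits on pre-defined criteria such as risk level. The following is an added example, not part of the presentation, showing how those two pieces of guidance can be turned into repeatable checks over an inventory: flagging incomplete entries, listing business instruments that expire or renew within a review window, and selecting partners for site visits. The `risk_level` and `last_site_visit` fields, the partner names, contacts and dates are all constructed for illustration; the review date is the presentation date.

```python
"""Third-party Business Partner inventory checks.

Added example, not from the original presentation. The required fields mirror
the slide's minimum inventory (internal owner, partner contacts, services
performed, production implementation date, expiration/renewal date). The
'risk_level' and 'last_site_visit' fields and all partner data are constructed.
"""
from datetime import date, timedelta

# Minimum fields the inventory slide says every entry must carry.
REQUIRED_FIELDS = (
    "partner",
    "internal_owner",
    "partner_contacts",
    "services",
    "production_date",
    "expiration_date",
)

# Review date used by the stand-alone run and the checks below (presentation date).
REVIEW_DATE = date(2011, 5, 12)

# Constructed sample inventory: names, contacts and dates are made up.
INVENTORY = [
    {
        "partner": "Claims Processing Co (sample)",
        "internal_owner": "A. Owner",
        "partner_contacts": ["ops@example.invalid"],
        "services": ["claims adjudication", "data storage"],
        "production_date": date(2009, 3, 1),
        "expiration_date": date(2011, 6, 30),
        "risk_level": "high",            # assumed field: partner handles regulated data
        "last_site_visit": date(2010, 2, 15),
    },
    {
        "partner": "Print & Mail Vendor (sample)",
        "internal_owner": "B. Owner",
        "partner_contacts": ["account@example.invalid"],
        "services": ["statement printing"],
        "production_date": date(2010, 9, 1),
        "expiration_date": date(2012, 8, 31),
        "risk_level": "low",
        "last_site_visit": date(2011, 1, 10),
    },
    {
        # Deliberately incomplete entry: no internal owner, no contacts, no expiration date.
        "partner": "Legacy Hosting (sample)",
        "partner_contacts": [],
        "services": ["hosting"],
        "production_date": date(2005, 1, 1),
        "risk_level": "medium",
        "last_site_visit": None,
    },
]


def missing_fields(record):
    """Return the required inventory fields a record lacks or leaves empty."""
    return [f for f in REQUIRED_FIELDS if not record.get(f)]


def expiring_within(inventory, today, days):
    """Partners whose business instrument expires or renews within `days` of `today`."""
    horizon = today + timedelta(days=days)
    return sorted(
        r["partner"]
        for r in inventory
        if r.get("expiration_date") and today <= r["expiration_date"] <= horizon
    )


def select_for_site_visit(inventory, today, max_age_days=365):
    """Annual site-visit selection on pre-defined criteria: every high-risk
    partner, plus any partner not visited within `max_age_days` (or never)."""
    selected = []
    for r in inventory:
        last = r.get("last_site_visit")
        overdue = last is None or (today - last).days > max_age_days
        if r.get("risk_level") == "high" or overdue:
            selected.append(r["partner"])
    return sorted(selected)


def review_report(inventory, today):
    """Combine the three checks into one periodic-review summary."""
    return {
        "incomplete": {r["partner"]: missing_fields(r) for r in inventory if missing_fields(r)},
        "expiring_90d": expiring_within(inventory, today, 90),
        "site_visits": select_for_site_visit(inventory, today),
    }


if __name__ == "__main__":
    for section, result in review_report(INVENTORY, REVIEW_DATE).items():
        print(section, result)
```

The selection rule deliberately treats a partner with no recorded site visit as overdue rather than as "not applicable", so gaps in the inventory surface as review work instead of silently dropping a partner from the rotation.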

Page 38: Ensuring Data Security at Third-Party Providers

Production State

Production State reporting and monitoring (cont’d)

– Regularly scheduled meetings to discuss business partner performance against defined SLAs

– Regular planning and status meetings for any new projects / implementations / upgrades

Page 39: Ensuring Data Security at Third-Party Providers

Termination State

Page 40: Ensuring Data Security at Third-Party Providers

Termination State

Relationship Termination processing

– Previously defined parameters should be enacted to account for data handling

– Negotiated time parameters regarding processing cut-off date

– Final meeting to discuss official end of relationship

Page 41: Ensuring Data Security at Third-Party Providers

Summary

Conclusions

– There is no 100% guarantee of data security, because you are not monitoring 24x7

– In order to achieve a high level of data security most of the work is performed by the company outlining their expectations and requirements before engaging a third party business partner

Page 42: Ensuring Data Security at Third-Party Providers

Summary

Conclusions (cont’d)

– An inventory of business partners, and services performed, should be maintained for multiple purposes

– Regular contact should be maintained and a dedicated team should be established with members of all parties involved

– Most of the work needed to ensure some, not absolute, comfort around Data Security happens before the external Business Partner is engaged

Page 43: Ensuring Data Security at Third-Party Providers

Questions

Page 44: Ensuring Data Security at Third-Party Providers

Helpful articles and websites

Bloomberg article – http://www.bloomberg.com/news/2011-03-08/security-breach-costs-climb-7-to-7-2-million-per-incident.html

Ponemon and Symantec 2010 Data Breach Study – http://www.symantec.com/content/en/us/about/media/pdfs/symantec_ponemon_data_breach_costs_report.pdf?om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2011Mar_worldwide_costofdatabreach

American Institute of Certified Public Accountants, Inc. – www.aicpa.org

SAS70 – www.SAS70.com

SSAE16 – www.SSAE16.com

Identity Theft information – www.theidentityadvocate.com

ISACA – www.isaca.org

MIS Training Institute – www.misti.com

Institute of Internal Auditors – www.theiia.org

Page 45: Ensuring Data Security at Third-Party Providers

More helpful websites

United States Computer Emergency Readiness Team (US-CERT) – www.us-cert.gov

Carnegie Mellon Software Engineering Institute – www.cert.org

Dark Reading – www.darkreading.com

Page 46: Ensuring Data Security at Third-Party Providers

Contact Information

Thank you for your time!

If you have any questions, please feel free to contact me at [email protected]