Top 10 Tips for Effectively Assessing Third-Party Vendors
Tom Garrubba, CISA, CRISC, CIPP/IT
Senior Privacy Manager, Information Governance & Privacy - Legal | CVS Caremark
Office 412.967.8196 | Cell 724.689.6386
620 Epsilon Drive, Pittsburgh PA 15238
thomas.garrubba@cvscaremark.com
1. One size doesn’t fit all … and it isn’t free!
• The Role Players
  • Regulators & Standard Setters
  • Customers
  • The Corporation and the Business Units
  • The Vendor
  • Subcontractors/downstream vendors
• Who does the real work?
  • Employees, 3rd party, mix, other …
• Program Initiation and Alignment
• Formula for Implementation
  • Centralized
  • Decentralized
• Who pays for it?
2. Determine what data is in-scope for assessment
• Who?
  • Regulators (FTC, Federal Reserve, HHS, FDIC, etc.)
  • Industry (PCI)
  • Customers
  • Own criteria
• What Information?
  • Customer information
  • Employee information
• Why?
  • You are compelled to perform due diligence by law, regulation, or standard
  • Your customers demand it, since you are putting their information at risk by giving it to another company
3. Accurately & thoroughly describe how the data flows
• Precisely and completely describe:
  • Services the vendor will provide
  • Customer, employee & company data and information the vendor will collect and/or have access to
  • What the vendor will do with this data and information
  • Where this data and information will be processed & stored
  • How the data will get to the vendor
  • Any subcontractors to be used
4. Triage Risk - High, Medium, & Low
• Why?
  • Focus limited resources
  • Reduce the vendor’s efforts
• How?
  • Short questionnaire – 10+ questions
• Who?
  • Business owner & vendor
• Other Benefits
  • Shape/reduce the longer assessment
5. Start with an assessment and data collection instrument
• Assessment - a due diligence activity to gain a level of comfort with the overall security, privacy, and data protection posture of the vendor
• Send a questionnaire to them and have it returned for analysis
  • Use an existing questionnaire such as the Shared Assessments SIG (“Standard Information Gathering”): an industry-standard questionnaire developed by members of the Shared Assessments program (www.sharedassessments.org)
    • Covers all domains of ISO 27002 as well as HIPAA-HITRUST, PCI-DSS, COBIT, NIST, GLBA, Privacy & Cloud, and BYOD
  • Or develop & send your own questionnaire
• Have qualified people assess their responses
  • CISA, CRISC, CISSP, CIPP/US/G/C/IT, …
• VAP Phase 1: Pre-Assessment
  • Obtain all information regarding the scope of work
  • Find out the data that will be CSTUPID’ed:
    • Collect
    • Store
    • Transmit
    • Use
    • Process
    • Interface
    • Destroy
  • Converse with the assigned BU and/or the vendor contacts to fully understand the what, where, and how
  • If applicable, determine whether the assessment will be handled by an internal or external assessor
  • Send the vendor the questionnaire to be completed
6. Trust but Verify – Collect evidence!
• VAP Phase 2: Assessment
  • Have a meeting with the BU and vendor to discuss contacts, deliverables, and timelines
  • Request/review pertinent documentation from:
    • The BU - contracts, SOWs, NDAs, BAAs
    • The Vendor - SSAE-16 Type II documents; ISO 27001/2 cert, CMM level, NAID, …
  • Review the returned questionnaire responses
  • Note “contingent items” (non-compliant items, findings, etc.)
  • Update BU and Vendor Management
  • Track contingent items
  • Compose the assessment report
  • File BU/vendor documents
  • Track all contingent items through remediation
7. Accept or remediate non-compliant items
• VAP Phase 3: Assessment
  • Contingent Items (aka issues, findings, observations, etc.)
    • You can accept the risk associated with a particular item, or …
    • You can require remediation of the item:
      • Require remediation by the vendor or business unit
      • Risk-rate and prioritize accordingly
      • Actively monitor until they are closed
      • Escalate to appropriate levels of management if timelines are not met
      • Adjust the timelines if the vendor cannot reasonably meet the target dates
• Contingent Items – 3 types of CIs
  • Contractual
    • Contracts, SOWs, NDAs, BAAs; DPSRs, DSAs; Med-D waivers; IRB waivers
    • These are usually incomplete or out of date
  • HR-Related
    • Drug testing; background checks; credit checks
  • Technical/Operations
    • Typical IT/operations-related issues/findings/observations
8. Identify and assess critical, downstream vendors and subcontractors
• Downstream Vendors/Subcontractors
  • If you have a contract with them …
    • See if you’ve already assessed them; if not, then assess them!
    • Request the same documentation as if they were a primary vendor
  • If you don’t have a contract with them …
    • Work with the primary vendor to obtain documentation
    • Have the primary vendor set up a call to see what the DSV/subcontractor is willing to provide
  • Use the same assessor if possible (they know the scope of work)!
9. Identify and assess critical, downstream vendors and subcontractors
• Have the primary vendor identify its vendors that:
  • Will process, have access to or potential access to, transport, store, … protected data
  • Are in another country
• Determine how the vendor assesses, contracts with, and monitors these vendors
  • You might have to do some work here – conference call interview, other Q&As, …
• Determine whether your staff or external assessors will be needed!
10. Determine when a reassessment should be performed
• VAP Phase 4: Re-assessment
  • Start planning by determining “what criteria?”
  • Based on type of data (PCI, PHI, etc.)? Suggestions include:
    • PCI = Annual
    • PHI = Annual
    • PII = Annual (?)
    • Company confidential (i.e., strategic) = ???
  • Based on the geographic location?
    • Onshore
    • Offshore
    • Offshore but with safe harbor agreements
  • Based on a scoring system?
    • Risk Rating (“Scholastic Score”)
    • SIG
    • Other GRC tool
    • In-house tool
  • Combination of the above?
Top 10 Tips
• One size doesn’t fit all … and it isn’t free
• Determine what data is in-scope for assessment
• Accurately & thoroughly describe how the data will flow
• Triage risk – High, Medium, & Low
• Start with an assessment & data collection instrument
• Trust but Verify - Collect evidence
• Accept or remediate non-compliant findings
• Identify & assess critical, downstream vendors/subcontractors
• Determine if/when an on-site review is indicated
• Determine when a reassessment should be performed
• and … 11. Retain all assessment data, decisions, & records
11. Retain all assessment data, decisions and records
• Why?
  • You are going to need them later!
    • Regulatory, internal or other audit
    • Something goes wrong (e.g., negative assessment)
    • Reassessment
• How?
  • GRC system, SharePoint, or some other centralized system
  • Back it up (Murphy’s Law!)
And if you call right now…
BONUS #1: Manage Your External Assessors
• They are an extension of your VAP team and should be treated as such
• Discuss their progress at least weekly
• Ensure they pull you in when the assessment begins to “look bad” - no surprises!
• Participate in closing meetings for key/offshore vendors
• Make sure vendors will accept their NDAs
  • Be prepared for the legal departments to red-line the document!
• Be prepared to adjust start/end dates
BONUS #2: Use Operational Metrics
• VRB status monitoring
  • Assessments assigned to assessors
  • Internal/external assessments open
  • Pre-assessment review
• Stage gate monitoring
  • Assessor kickoff
  • How long it takes to get the questionnaire back
  • How long it takes to resolve AUP items (questions, documentation)
  • Assessments in management review
  • Contingencies due in the past 30/60/90/>120 days
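Tip 7 asks you to risk-rate contingent items, monitor them to closure and escalate to management when timelines are missed, and Bonus #2 lists the aging metric that makes slippage visible (contingencies due in the past 30/60/90/>120 days). The following Python is an added illustration, not part of Tom Garrubba's deck or any CVS Caremark tool, of the bookkeeping behind both: it buckets open items by how far past their remediation date they are, flags the ones that have exhausted a risk-based grace period, and measures questionnaire turnaround. The data model, field names, the per-rating grace periods and the sample items are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed data model; field names are assumptions, not taken from the deck.
@dataclass
class ContingentItem:
    item_id: str
    vendor: str
    ci_type: str                   # "Contractual", "HR-Related", "Technical/Operations"
    risk: str                      # "High", "Medium", "Low" (tip 7: risk-rate each item)
    due: date                      # remediation target date agreed with the vendor/BU
    closed: Optional[date] = None  # set once remediation has been verified

# Aging buckets from the Bonus #2 slide: due in the past 30/60/90/>120 days.
BUCKETS = (("0-30", 30), ("31-60", 60), ("61-90", 90), ("91-120", 120))
OVERFLOW_BUCKET = ">120"

# Days an item may be overdue before it is escalated, by risk rating (constructed values:
# High escalates as soon as it is late; Medium and Low get a grace period).
ESCALATE_AFTER = {"High": 0, "Medium": 30, "Low": 90}

def days_overdue(item: ContingentItem, as_of: date) -> int:
    """Days past the due date for an open item; 0 if closed or not yet due."""
    if item.closed is not None or item.due >= as_of:
        return 0
    return (as_of - item.due).days

def age_bucket(item: ContingentItem, as_of: date) -> Optional[str]:
    """Aging bucket of an open, overdue item; None for closed or not-yet-due items."""
    late = days_overdue(item, as_of)
    if late == 0:
        return None
    for label, limit in BUCKETS:
        if late <= limit:
            return label
    return OVERFLOW_BUCKET

def aging_report(items: List[ContingentItem], as_of: date) -> Dict[str, int]:
    """Count open contingent items per aging bucket (the dashboard metric)."""
    counts = {label: 0 for label, _ in BUCKETS}
    counts[OVERFLOW_BUCKET] = 0
    for item in items:
        bucket = age_bucket(item, as_of)
        if bucket is not None:
            counts[bucket] += 1
    return counts

def needs_escalation(item: ContingentItem, as_of: date) -> bool:
    """Tip 7: escalate when the remediation timeline is missed beyond the grace period."""
    return days_overdue(item, as_of) > ESCALATE_AFTER[item.risk]

def escalation_list(items: List[ContingentItem], as_of: date) -> List[str]:
    """Item ids to raise with management, in a stable order for the status report."""
    return sorted(i.item_id for i in items if needs_escalation(i, as_of))

def questionnaire_turnaround_days(sent: date, returned: date) -> int:
    """Bonus #2 stage-gate metric: how long it takes to get the questionnaire back."""
    if returned < sent:
        raise ValueError("questionnaire returned before it was sent")
    return (returned - sent).days

# Constructed sample data: one reporting date and a handful of items in various states.
AS_OF = date(2014, 6, 30)
SAMPLE_ITEMS = [
    ContingentItem("CI-1", "Vendor A", "Contractual", "High", date(2014, 6, 20)),          # 10 days late
    ContingentItem("CI-2", "Vendor A", "HR-Related", "Medium", date(2014, 5, 15)),         # 46 days late
    ContingentItem("CI-3", "Vendor B", "Technical/Operations", "Low", date(2014, 4, 10)),  # 81 days late
    ContingentItem("CI-4", "Vendor C", "Technical/Operations", "Medium", date(2014, 2, 1)),# 149 days late
    ContingentItem("CI-5", "Vendor B", "Contractual", "High", date(2014, 6, 1), closed=date(2014, 6, 10)),
    ContingentItem("CI-6", "Vendor C", "HR-Related", "Low", date(2014, 7, 15)),            # not yet due
]
SAMPLE_SENT, SAMPLE_RETURNED = date(2014, 5, 1), date(2014, 5, 22)

if __name__ == "__main__":
    print("Aging:", aging_report(SAMPLE_ITEMS, AS_OF))
    print("Escalate:", escalation_list(SAMPLE_ITEMS, AS_OF))
    print("Questionnaire turnaround (days):",
          questionnaire_turnaround_days(SAMPLE_SENT, SAMPLE_RETURNED))
```

Closed items and items that are not yet due drop out of every metric, so the aging counts only ever describe open, overdue work; the escalation threshold keyed on the risk rating is what ties the deck's "risk-rate and prioritize" step to its "escalate if timelines are not met" step, and the thresholds would come from your own program rather than the constructed values above.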