Vendor Management: It's a Risky Business, Part 2!!
April 10, 2017
By John Brady, CISO, Secure-24
In my previous blog on this topic, we reviewed:
• The risks of poor vendor management
• The reasons why vendor management is often ignored
• How to get a vendor management program started
• Recommendations on how to assess a vendor
In this blog, I will go into more detail on how to succeed in managing vendor information security risks:
• Key contract clauses
  • And don’t forget the SLAs!
• Reviewing SOC Reports and Other Third Party Assessments
  • Overlooked Complementary Controls
• On Site Reviews—What, Why, When, and How?
  • How to reduce the expense
• When are Penetration Tests Needed?
  • Who should perform the pen test?
Organizations often fail to recognize that one of the most important ways to protect themselves against a vendor breach is ensuring that the contract contains certain key clauses:
A. Confidentiality—the vendor must protect the data they hold for the organization so that unauthorized persons cannot access it except with permission of the organization and as required by regulation or law enforcement.
B. Privacy—the vendor must abide by all applicable privacy regulations and laws. Remember that each state has its own privacy laws!
C. Subcontractors—subcontractors to the vendor are bound by A and B.
D. Information Security Program—the vendor must have an information security program that meets regulatory requirements for stored data. This is an opportunity to make any special secure data handling requirements that are important to your organization.
E. Right to audit—the organization has a right to come on site and audit the vendor for following the information security requirements stipulated in D, including policies, procedures, audits, security awareness and other areas.
F. Breach Notification SLA—require that breaches of the data being held by the vendor for the organization are reported in 24, 48, 72, or whatever hours fit the importance of the data to the organization.
G. Security Reporting SLA—list and schedule of reporting of incidents, attacks, network security performance, vulnerabilities, etc.
H. Attestation of Compliance (AOC)—if credit card data is being held, require that they provide evidence of an AOC at least bi-annually.
I. Summarized Results—of regular third party penetration testing (see below for more info on this topic).
J. Provision of Third Party Assessments—require that a SOC2 report be provided in its entirety every year. In certain circumstances the vendor may not have a SOC2, so an equivalent third party assessment should be provided.
Which leads us into our next topic, SOC reports…
Service Organization Controls Audit
A SOC audit is performed by a CPA firm. For vendor risk management, the SOC 2 report is preferred, because it focuses on the vendor’s controls as they relate to security, availability, processing integrity, confidentiality, and system privacy, as opposed to the SOC 1 audit, which focuses on financial reporting controls. What to look for:
Auditor’s Opinion—this statement is near the beginning of the report. If the auditor issues a qualified opinion, it means they have significant concerns that the vendor is not adhering to its own controls. Discuss this with the vendor and get written assurance that the issue is resolved or will be resolved in the next few months, depending on the impact of the finding.
Management Assertion—review this to get an understanding of the organization structure and the controls that the vendor has requested to be audited.
Subcontractors/Data Centers—the Opinion and Management Assertion often contain the names and locations of subcontractors, including data centers that the vendor uses. Ask the vendor to provide a SOC2 for any subcontractors that hold or process data owned by your organization, as well as for data centers that they use but do not own. If they cannot, request that they provide a copy of their own vendor risk management program and the most recent schedule for their vendor reviews. Also, request that they provide assessments and information about the data protection practices of the subcontractor or data center.
Complementary Controls—this easily overlooked section provides the vendor’s requirements that your organization must fulfill in order to fully protect data. Make sure that the owner of the relationship with the vendor conducts an internal audit to assure that your organization has all of the complementary controls in place. In the case of a breach, evidence of the enforcement of the complementary controls would be crucial in legal actions.
Audit Results—review this section closely. Any variances in the current report should be compared to the variances in the previous year’s report. If a variance is repeated, contact the vendor’s management to get written assurance that actions have been taken to prevent it from happening a third time.
Which is a great segue into On-Site Reviews…
One reason to conduct an on-site review of a vendor’s policies and procedures is that the vendor has a qualified SOC opinion or the same variances show up every year. Other reasons for on-site reviews include:
- Multiple “near breaches”
- Fines or sanctions by regulatory agencies
- During the finalist approval in the selection process
- New owner
How to save money in the on-site review process:
- Use web conferencing to review policies and procedures if feasible.
  - A vendor should NOT be sending you policies, procedures or detailed network diagrams, as that could expose some very sensitive data to the Internet.
- Prepare a list of concerns and questions and conduct as much of the review over secure conferencing as possible.
- Prepare a detailed agenda in advance, so that the vendor is prepared.
- Conduct reviews in the same geographical area at the same time to save travel time and cost.
What to include:
- Issues and concerns from SOC audits or other sources identified above
- Information Security Policies, Procedures, Standards and Controls to determine if they are comprehensive, reviewed at least bi-annually, approved by management and assure protection of data
- Vendor risk management program
- Secure software development practices, if applicable
- Change management processes and evidence of same
- Data destruction
- Physical security—were you able to walk right into the vendor’s office without being asked to sign in?
- DR tests
- Backup tests
- Evidence of security logs and appropriate actions
- Server hardening and vulnerability scans
- Patch management and evidence that security patching is up to date
- Data center environmental controls, maintenance, and redundancy in power, carriers, etc.
- Evidence that employees are receiving at least annual security awareness training
- Evidence of user access reviews
- Certifications and continuing education of information security staff
- Industry specific concerns
Once the on-site review is finished, be sure to document the results and the follow-up items. Require a written remediation plan if necessary. Follow up until all of the issues are closed.
I recommend that the contract be written to require the vendor to conduct at least annual penetration testing of their environment by a qualified third party. Depending on the sensitivity of the data, quarterly testing is preferred. A summary showing the number of high, medium and low risk issues found is sufficient, as a vendor should not reveal the details of the issues, which could be inadvertently or intentionally disseminated. Internal penetration testing by an entity separate from IT in lieu of third party testing is acceptable, but not recommended. If the vendor is not willing to pay for third party testing, make sure the contract allows your organization to hire a third party tester to conduct the test at your cost.
This is a high-level overview of Information Technology Vendor Risk Management. There are many good resources from ISC2, IAPP, and others. If you do not have staff with this expertise, there are numerous firms that will assist you with vendor risk management. Do not ignore this important aspect of information security, especially in light of the exponential growth of IT outsourcing.
John Brady, CISSP, is the Chief Information Security Officer for Secure-24.