Top 10 Tips for Effectively Assessing Third-party Vendors

Tom Garrubba, CISA, CRISC, CIPP/IT
Senior Privacy Manager,
Information Governance & Privacy - Legal | CVS Caremark
Office 412.967.8196 | Cell 724.689.6386
620 Epsilon Drive, Pittsburgh PA 15238
thomas.garrubba@cvscaremark.com
Top 10 Tips

1. One size doesn’t fit all … and it isn’t free!

The Role Players
• Regulators & Standard Setters
• Customers
• The Corporation and the Business Units
• The Vendor
• Subcontractors/downstream vendors

Who does the real work?
• Employees, 3rd party, mix, other …

Program Initiation and Alignment
• Formula for Implementation
• Centralized
• Decentralized
• Who pays for it
2. Determine what data is in-scope for assessment

Who?
• Regulators (FTC, Federal Reserve, HHS, FDIC, etc.)
• Industry (PCI)
• Customers
• Own criteria

What Information?
• Customer information
• Employee information

Why?
• You are compelled to perform due diligence by law, regulation, or standard
• Your customers demand it, as you are putting their information at risk by giving it to another company.
3. Accurately & thoroughly describe how the data flows

Precisely and completely, describe:
• Services the vendor will provide
• Customer, employee, & company data and information the vendor will collect and/or have access to
• What the vendor will do with this data and information
• Where this data and information will be processed & stored
• How the data will get to the vendor
• Any subcontractors to be used
4. Triage Risk – High, Medium, & Low

Why?
• Focus limited resources
• Reduce the vendor’s effort

How?
• Short questionnaire – 10+ questions

Who?
• Business owner & vendor

Other Benefits
• Shape/reduce the longer assessment
5. Start with an assessment and data collection instrument

Assessment – a due diligence activity to gain a level of comfort with the overall security, privacy, and data protection posture of the vendor.

Send a questionnaire to them and have it returned for analysis
• Use an existing questionnaire such as the Shared Assessments SIG (“Standard Information Gathering”), an industry-standard questionnaire developed by members of the Shared Assessments program (www.sharedassessments.org)
• Covers all domains of ISO 27002 as well as HIPAA-HITRUST, PCI DSS, COBIT, NIST, GLBA, Privacy & Cloud, and BYOD
• Develop & send your own questionnaire

Have qualified people assess their responses
• CISA, CRISC, CISSP, CIPP/US/G/C/IT, …
VAP Phase 1: Pre-Assessment
• Obtain all information regarding the scope of work
• Find out the data that will be CSTUPID’ed:
  • Collect
  • Store
  • Transmit
  • Use
  • Process
  • Interface
  • Destroy
• Converse with the assigned BU and/or the vendor contacts to fully understand the what, where, and how
• If applicable, determine whether the assessment will be handled by an internal or external assessor
• Send the vendor the questionnaire to be completed
The four VAP phases:

Phase 1: Pre-Assessment
• Define scope
• Define data in use (CSTUPID)
• Distribute questionnaire

Phase 2: Assessment
• Perform kickoff
• Obtain BU and vendor docs
• Acquire SIG responses
• Perform AUP
• Document CIs

Phase 3: Post-Assessment
• Update BU and vendor management
• Track CIs
• File BU/vendor docs
• Remediate CIs

Phase 4: Re-Assessment
• Risk scoring
• Re-evaluate data type
• Re-evaluate location
6. Trust but Verify – Collect evidence!

VAP Phase 2: Assessment
• Have a meeting with the BU and vendor to discuss contacts, deliverables, and timelines
• Request/review pertinent documentation from:
  • The BU – contracts, SOWs, NDAs, BAAs
  • The vendor – SSAE-16 Type II documents; ISO 27001/2 cert, CMM level, NAID, …
• Review the returned questionnaire responses
• Note “contingent items” (non-compliant items, findings, etc.)
• Update BU and vendor management
• Track contingent items
• Compose the assessment report
• File BU/vendor documents
• Track all contingent items through remediation
7. Accept or remediate non-compliant items

VAP Phase 3: Post-Assessment
• Contingent items (aka issues, findings, observations, etc.)
  • You can accept the risk associated with a particular item, or…
  • You can require remediation of the item:
    • Require remediation by the vendor or business unit
    • Risk-rate and prioritize accordingly
    • Actively monitor until they are closed
    • Escalate to appropriate levels of management if timelines are not met
    • Adjust the timelines if the vendor cannot reasonably meet the target dates
• Contingent items – 3 types of CIs
  • Contractual
    • Contracts, SOWs, NDAs, BAAs; DPSRs, DSAs; Med-D waivers; IRB waivers
    • These are usually incomplete or out of date
  • HR-related
    • Drug testing; background checks; credit checks
  • Technical/Operations
    • Typical IT/operations-related issues/findings/observations
8. Identify and assess critical, downstream vendors and subcontractors

Downstream Vendors/Subcontractors
• If you have a contract with them…
  • See if you’ve already assessed them; if not, then assess them!
  • Request the same documentation as if they were a primary vendor
• If you don’t have a contract with them…
  • Work with the primary vendor to obtain documentation
  • Have the primary vendor set up a call to see what the DSV/subcontractor is willing to provide
  • Use the same assessor if possible (they know the scope of work)!
9. Identify and assess critical, downstream vendors, and subcontractors

Have the primary vendor identify its vendors that:
• Will process, have access to or potential access to, transport, store, … protected data
• Are in another country

Determine how the vendor assesses, contracts with, and monitors these vendors
• You might have to do some work here – conference call interview, other Q&As, …

Determine if your staff or external assessors will be needed!
10. Determine when a reassessment should be performed

VAP Phase 4: Re-assessment
• Start planning by determining “what criteria?”
• Based on type of data (PCI, PHI, etc.)? Suggestions include:
  • PCI = annual
  • PHI = annual
  • PII = annual (?)
  • Company confidential (i.e., strategic) = ???
• Based on the geographic location?
  • Onshore
  • Offshore
  • Offshore but with safe harbor agreements
• Based on a scoring system?
  • Risk rating (“Scholastic Score”)
  • SIG
  • Other GRC tool
  • In-house tool
• Combination of the above?
Top 10 Tips (recap)
1. One size doesn’t fit all … and it isn’t free
2. Determine what data is in-scope for assessment
3. Accurately & thoroughly describe how the data will flow
4. Triage risk – High, Medium, & Low
5. Start with an assessment & data collection instrument
6. Trust but Verify – Collect evidence
7. Accept or remediate non-compliant findings
8. Identify & assess critical, downstream vendors/subcontractors
9. Determine if/when an on-site review is indicated
10. Determine when a reassessment should be performed
and …
11. Retain all assessment data, decisions, & records
11. Retain all assessment data, decisions and records

Why?
• You are going to need them later!
  • Regulatory, internal or other audit
  • Something goes wrong (e.g., negative assessment)
  • Reassessment

How?
• GRC system, SharePoint, or some other centralized system.
• Back it up (Murphy’s Law!)
And if you call right now…
BONUS #1: Manage Your External Assessors

They are an extension of your VAP team and should be treated as such
• Discuss their progress at least weekly
• Ensure they pull you in when the assessment begins to “look bad” – no surprises!
• Participate in closing meetings for key/offshore vendors

Make sure vendors will accept their NDAs
• Be prepared for the legal departments to red-line the document!
• Be prepared to adjust start/end dates
BONUS #2: Use Operational Metrics

VRB status monitoring
• Assessments assigned to assessors
• Internal/external assessments open
• Pre-assessment review

Stage gates monitoring
• Assessor kickoff
• How long it takes to get the questionnaire back
• How long it takes to resolve AUP items (questions, documentation)
• Assessments in management review
• Contingencies due in the past 30/60/90/>120 days