Internal Audit Considerations for
Cybersecurity Risks Posed by Vendors
October 27-28th, 2015
Chicago IIA Chapter’s 2nd Annual IIA Chicago IT Hacking Conference
Who is KirkpatrickPrice?
KirkpatrickPrice is a licensed CPA firm, providing
assurance services to over 400 clients in 46
states, Canada, Asia and Europe. The firm has
over 10 years of experience in information
assurance by performing assessments, audits,
and tests that strengthen information security,
and compliance controls.
Welcome
Joseph Kirkpatrick is a Risk Management Specialist
in Compliance and Information Security helping
organizations anticipate and prepare against
threats.
–
–
–
–
–
Certified Information Systems Security Professional (CISSP)
Certified Information Systems Auditor (CISA)
Certified in Risk and Information Systems Control (CRISC)
Certified in the Governance of Enterprise IT (CGEIT)
PCI Qualified Security Assessor (QSA)
Understanding Risks Posed By
Vendors
• Data Breaches through vendor relationships
– Goodwill’s Point of Sale vendor had malware
– Home Depot’s vendor’s credentials stolen
– Target’s vendor opened a virus-laden email
• An examination of 57 broker-dealers and 49
registered investment advisers revealed that
most had experienced cyber-attacks directly or
through their vendors
(Securities and Exchange Commission—February 2015)
Understanding Risks Posed By
Vendors
• Vendors bring unique compliance
responsibilities
– AT&T fined $25 million for call center vendors’
privacy practices
– The HITECH Omnibus Rule extends responsibility
to Business Associates
Understanding Risks Posed By
Vendors
• Vendors bring unique cybersecurity risk when
given remote access
– “BUT, it’s a secure VPN”
– You are at the mercy of their network security
controls once privilege is given
Quantifying Vendor Risk
• In the past:
– Vendor compliance managed contractually
– Compliance risk/responsibility was transferred
– Compliance activity kept at arms length
Quantifying Vendor Risk
• Now:
– Full chain of custody
– Oversee business relationships with service
providers
– Ensure compliance with the law
– Institute an Effective Process
Quantifying Vendor Risk
• Policies and Procedures
• List of Third Parties to include activities
performed
• Contracts with Third Parties
• Evidence of due diligence
Quantifying Vendor Risk
• WHAT do they do for you?
• WHO are they?
• HOW do they do it?
Quantifying Vendor Risk
Vendor Risk Management
•
•
•
•
Risk assessment
Develop/enhance policies & procedures
Continuous Monitoring
Remediation
Recommended Security Policy
• Do you address 4th party risks (your vendors’ vendors)?
• Do your policies define the permissible uses and disclosures of
sensitive data?
• Do your agreements require vendors to provide evidence of
"appropriate safeguards?" How should they determine what's
appropriate?
• Do you have a defined Incident Response Procedure?
• Do you require the vendors to agree to provide you with all
necessary documentation in case of an audit?
• Does your agreement have teeth? Termination if a violation?
Recommended Security Policy
• 30 percent of 40 banking organizations did not require outside
vendors to notify them of breaches
(New York Department of Financial Services—April 2015)
Let's consider some example Vendors
•
•
•
•
•
Law firm
Cleaning service
Contracted on-site vendor
Co-location facility
Cloud service provider
Recommended Security Measures
for Internal Audit Consideration
• Vendor Policies & Procedures:
–Regulatory compliance
–Compliance training
–Consumer complaints
–Information Security
Recommended Security Measures
for Internal Audit Consideration
• Types of Evidence
–Training logs
–Third Party Security Reports
–Performance Reports
–Audited financials
Recommended Security Measures
for Internal Audit Consideration
• Types of Evidence
– If VPN connectivity is enabled, what additional
controls are considered?
• Access Control Lists
• Penetration Testing
• Network Monitoring
• Security Event Logs
• Jump Boxes
Onboarding and Offboarding
Control Objectives
• Onboarding
– Security Policy
– Data Types
– Access Requirements
– Personnel
– User Accounts and Types
– Required Security Controls
– Training
Onboarding and Offboarding
Control Objectives
• Offboarding
– Removal of user accounts
– Analysis of type of data accessed
– Analysis of access/event logs
– Confirmation of return of data
Example Audit Programs
• Collect Evidence Related to:
– Due Diligence in Vendor Selection
• Financials
• Qualifications/Experience
• Reputation/Litigation
• 4th Parties
• Scope of Internal Controls
• Business Continuity
• IT Management
• Insurance
Example Audit Programs
• Collect Evidence Related to:
– Contractual Issues
• Scope of Services
• Costs/Fees
• Reputation
• Service Level Agreements
• Management Reports
• Right to Audit
•
•
•
•
•
Confidentiality and Security
Business Continuity
Default and Termination
Dispute Resolution
Indemnification
Example Audit Programs
• Collect Evidence (Based on Risk)
Related to:
– Control Environment
• Management Control
• Risk Assessment
• Information Security
Program
• Human Resources
• IT Management
• Network Security
•
•
•
•
•
BCP/Disaster Recovery
Physical Security
Access Controls
Vulnerability Management
Regulatory Compliance
Thank you for attending!
Q&A
For further information contact:
Joseph Kirkpatrick
joseph@kirkpatrickprice.com
800.977.3154 Ext. 101