Trust But Verify - Third Party Risk Management

ANITIAN: intelligent information security

TRUST BUT VERIFY: MANAGING THIRD PARTY RISK

Transcript of Trust But Verify - Third Party Risk Management


MEET THE SPEAKER – ANDREW PLATO

• President / CEO of Anitian
• 20 years of experience in IT & security
• Completed thousands of security assessments & projects
• Discovered SQL injection in 1995
• Helped develop first in-line IPS engine (BlackICE)
• Co-developed RiskNow™ - Rapid Risk Assessment approach
• Championed movement toward practical, pragmatic information security solutions

ANITIAN

Vision: Security makes the world a better place.
Mission: Building great security leaders.

We deliver security and threat intelligence via a range of services:
• Risk assessment
• Compliance (PCI, HIPAA, NERC, etc.)
• Application security
• Penetration testing
• Incident response / forensics
• Security controls integration
• Managed threat intelligence and risk assessment

OVERVIEW

Intent
• Discuss the challenges of third party risk management
• Define strategies to inventory, classify, and assess third parties

Assumptions
• This is a gigantic topic; we cannot cover it all
• Our focus is IT-centric, but the concepts apply everywhere
• Our approach is innovative and new

THE CHALLENGE


63% OF BREACHES ARE CAUSED BY THIRD-PARTY SECURITY FAILURES

THIRD PARTIES: THEY’RE EVERYWHERE!

LURKING THREAT


OUTSOURCED, WHERE?

CHECKBOX = FAIL


DEPENDENCY


RELATIONSHIPS ARE VALUABLE

WORKS


THE THIRD PARTY RISK CHALLENGE

• How do we:
  • Trust better?
  • Verify that trust, honestly?
  • Manage the complexity of third party vendors?

• Answer: Trust, but verify

RELATIONSHIPS VS REGULATION

Third Party TRUST Management
• Foundation of trust
• Values relationships
• Flexible, but structured
• Trusts, but verifies

Third Party RISK Management
• Foundation of suspicion
• Values compliance
• Rigid, creates impediments
• Does not trust, attempts to verify

TRUST MANAGEMENT BASICS

1. Inventory / Classify
2. Define Trust Levels
3. Assess (So What?)

INVENTORY


WHAT DO YOU HAVE?

Services
• Developers
• Resellers
• Managed services
• Contractors and contingent staff
• Consultants
• Financial services / payment processors
• HR services (benefits, recruiters, background checks)
• Legal, accounting, marketing, etc.

WHAT DO YOU HAVE? (2)

• Cloud
  • SaaS (Office365, Salesforce, Airwatch, etc.)
  • IaaS / PaaS (AWS, Rackspace, Azure, etc.)
  • Storage (Box, OneDrive, etc.)

• Traditional Software
• Hardware
• Development components (libraries, Wordpress, etc.)
• Business partners (IR providers, telecom, etc.)
• Business alliances
• Facilities

CLASSIFY

• Gather an initial list to produce a “best guess” inventory
• Organize into logical categories
  • Software
  • Hardware
  • Services
  • Vendors
  • Facilities

• Who...
  • Owns them?
  • Uses them?
  • Manages them?

• Why do you have them?

YES YOU MUST TALK WITH PEOPLE


LET’S TALK ABOUT INVENTORY

• Have discussions with business process owners to validate items
  • Why do we have this relationship (rationale)?
  • How important is this relationship to the company?
  • Validate the owner and relevant custodians
  • What access do they have? Need?
  • What do you share with them?
  • How could they hurt us?
  • Are there service level agreements? What are they?
  • Who are the contacts?
  • How was the vendor selected?
  • How much leverage do we have with them?

• Avoid sending around spreadsheets

THIRD PARTY INVENTORY

• Document all your data in a matrix
• This is just for documenting the vendors, not for risk assessment
• Typical data you want to capture in this inventory (add to this as you see fit):
  • Name
  • Type
  • Description
  • Rationale
  • BPO
  • Custodian
  • Importance
  • Access
  • Trust level
  • Controls
  • SLAs
  • Term
  • Applicable regulations

TRUST LEVELS


TRUST LEVELS?

• A simplified classification of trust relationships
• Helps organize and assess risk more efficiently
• Easy to communicate
• Key questions:
  • How important to the business is the vendor?
  • How sensitive is their access?

PLOT ACCESS VS IMPORTANCE

[Figure: a 2x2 plot with Sensitivity of Access on one axis and Importance to Business on the other. Quadrants:]

• Low Access / Low importance: Informal
• High Access / Low importance: Partner
• High Access / High importance: Strategic Partner
• Low Access / High importance: Trusted

RISK MANAGEMENT ACTIVITIES

• Risk assessment efforts mapped to each level
• Examples:
  • Independent risk assessment
  • Request for information (RFI)
  • Technical testing (penetration testing, code review, etc.)
  • Contractual assurances
  • On-site walk through
  • Named insured
  • Third party assurances (SOC2, ISO, etc.)
  • Compliance certifications (PCI, HIPAA/HITRUST, NERC, etc.)
  • Review cycle
  • Financial guarantees (bonds, etc.)

MAP RISK ACTIVITIES TO LEVELS

Strategic Partner
• Independent risk assessment
• Technical testing
• Contract assurance
• Quarterly review
• Monitoring plan
• Named insurance

Partner
• Table-top risk assessment
• In-house technical testing
• Contract assurance
• Annual review

Trusted
• RFI
• Contract assurance
• Biannual review

Informal
• None
• Biannual validation
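The quadrant model and the activity mapping above, worked through as an added example (not from the deck or from Anitian): each vendor is scored on access sensitivity and business importance, placed in a quadrant, given that level's activities and review cycle, and flagged when its review is overdue or its access outruns its importance. Vendor names, the 1-5 scores, the 3-as-"high" cutoff and the reading of "biannual" as every 24 months are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed model of the deck's "plot access vs importance" quadrants.
@dataclass
class Vendor:
    name: str
    importance: int         # 1 (low) .. 5 (high) importance to the business
    access: int             # 1 (low) .. 5 (high) sensitivity of access
    months_since_review: int

HIGH = 3  # assumed cutoff: a score of 3 or more counts as "high"

def trust_level(v: Vendor) -> str:
    """Place a vendor in one of the four quadrants from the slide."""
    high_importance, high_access = v.importance >= HIGH, v.access >= HIGH
    if high_importance and high_access:
        return "Strategic Partner"   # high access, high importance
    if high_importance:
        return "Trusted"             # low access, high importance
    if high_access:
        return "Partner"             # high access, low importance
    return "Informal"                # low access, low importance

# Activities per level (from the slide) and review cycle in months.
# "Biannual" is read here as every 24 months (assumption).
ACTIVITIES = {
    "Strategic Partner": (["Independent risk assessment", "Technical testing",
                           "Contract assurance", "Monitoring plan",
                           "Named insurance"], 3),
    "Partner": (["Table-top risk assessment", "In-house technical testing",
                 "Contract assurance"], 12),
    "Trusted": (["RFI", "Contract assurance"], 24),
    "Informal": ([], 24),
}

def plan(v: Vendor) -> dict:
    """Return the assessment plan and the two checks the deck asks for."""
    level = trust_level(v)
    activities, cycle = ACTIVITIES[level]
    return {
        "vendor": v.name,
        "trust_level": level,
        "activities": activities,
        "review_overdue": v.months_since_review > cycle,
        # "Does the access match the importance?" flag access well above importance
        "access_exceeds_importance": v.access > v.importance + 1,
    }

# Constructed sample inventory, not real vendors.
SAMPLE = [Vendor("Payment processor", 5, 5, 4),
          Vendor("Marketing agency", 2, 4, 6),
          Vendor("Office supplies", 1, 1, 30),
          Vendor("Telecom carrier", 4, 2, 10)]
```

Running `plan` over the sample shows the payment processor as an overdue Strategic Partner and the marketing agency as a Partner whose access exceeds its importance, the case the deck says someone must consciously decide on.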

FLEXIBILITY IS IN THE PLOT

[Figure: the same Sensitivity of Access vs Importance to Business plot, showing that the boundaries between the four quadrants can be moved. Quadrants:]

• Low Access / Low importance: Informal
• High Access / Low importance: Partner
• High Access / High importance: Strategic Partner
• Low Access / High importance: Trusted

INDEPENDENT TESTS AND CERTIFICATIONS

• Compliance standards are useful (PCI, HIPAA)
• Frameworks (ISO, NIST)
• Financial audits
• Third party assessors (like Anitian)
• Security tests (penetration tests)

• Are they honest?
• Do they add up?
• Does the level of risk match the importance of the relationship?

QUESTIONNAIRES / RFI

• Never ask YES/NO questions
• Make them describe how they do things

Question: Data protection
Description: Describe the methods used to encrypt sensitive data.
Answer: (free text)

Question: Access Control
Description: How do you enforce least privileged access rights on users?
Answer: (free text)

Question: Background Checks
Description: How do you conduct background checks on employees? How often?
Answer: (free text)

ASSESS (SO WHAT?)

RISK DIMENSIONS

What applies to the third party?
• Compliance
• Financial
• Operational
• Security / Privacy
• Reputational
• Relational
• Transactional
• Physical
• Legal

WHAT ARE YOUR TOLERANCES?

• How important is the relationship to the business?
• How much impact do they have on you?
• How much leverage do you have?

• Don’t like how Big Company does things – tough
• Worried that Little Company is bankrupt – can you change that?
• Does the access match the importance?
• Who decides that?
• Does that person understand the risk?

DOCUMENT THE TOLERANCES

Example tolerance record (columns: Dimension, Risk, Description, Tolerance, Remedy):

Dimension: Compliance
Risk: High
Description: Vendor is not PCI compliant. They also have no independent certifications.
Tolerance: Temporarily
Remedy: Require PCI compliance attestation within one year. Terminate vendor if not met by 6.15.2016.

Dimension: Reputational
Risk: Low
Description: Vendor is not in an industry that could cause the business much reputational risk.
Tolerance: Yes
Remedy: None

RISK REDUCTION STRATEGIES

• More insurance
• More assurance
• Reduced access
• Alternative partners
• Data / service redundancies
• Require certifications
• Independent testing
• Drop vendor
• Accept the risk

RISK BRIEF

• Quick summary for leadership
• Keep it under one page
• Information to present:
  • Vendor name
  • Description of what they do
  • Value of relationship
  • Overall risk ranking
  • Trust level
  • Access required
  • Sensitivity of access
  • List of top risk dimensions
  • Risk reduction recommendations
  • Date of assessment
  • List of artifacts (optional)

BALANCE

[Figure: TRUST shown as a balance between four factors:]

• Value of Relationship
• Sensitivity of Access
• Impact to Business
• Leverage

DO I NEED A GRC PLATFORM?

• Archer, Lockpath, Metricstream, Rsam, etc.
• No, you can run an entire Third Party Risk program with spreadsheets and emails
• GRC platforms help with data management
• Do not buy one until you have a program in place
• Extremely time-consuming to set up
• Remember, questionnaires are your least trustworthy source of information

FINAL THOUGHTS

• This is an immense challenge, but we do it every day
• Independent validations = most reliable source
• Questionnaires = least reliable source
• Ask how and why questions, not yes/no
• Get out and speak to people face to face

• It is okay to tolerate risk
• Anitian can help you build this program
• Trust, but verify

THANK YOU

EMAIL: [email protected]
@andrewplato, @AnitianSecurity
WEB: www.anitian.com
BLOG: blog.anitian.com
SLIDES: bit.ly/anitian
CALL: 888-ANITIAN