
IT Vendor Assessments

How safe is your data after it leaves your control?

Howard Haile
Bill McSpadden

Topics Covered
Why conduct a vendor audit?
Organizing the internal processes
Identifying who needs to be involved
Get information about your vendors
Survey and assess the vendors
Monitor and remediate

Potential Problem Areas
Industries
banking
healthcare

Business Processes
Employee processes (Payroll, 401k)
Customer Service

IT processes
Cloud computing
Backup/recovery
Help Desk

Why Audit Your Vendor?
You can't control information once it leaves your control
You are putting a great deal of control in the hands of your vendors
Your vendor may pass your data to other people who you don't know and who have no obligation to you
A hack on your vendor may leave your organization as exposed as if you had been hacked.

Why Not a SAS70?
SAS70 does not specify a pre-determined set of control objectives or control activities that service organizations must achieve.
SAS70 is used for financial reporting compliance, not other compliance requirements (HIPAA, GLB, etc.).
May not cover some important areas like Disaster Recovery, etc.
May not be available (too small, out of US)

Other 3rd Party Reviews?
You may be able to use results of other 3rd party reviews to reduce the burden of 1st party inspection.
However, your organization should perform its own risk assessment!
Shared Assessments: a new organization which supports a standardized set of assessment criteria

Other Types of Reviews
ISO 17799 (info security)
ISO 9000 series (quality)
Trust Services (security oriented, including availability)

Get Everyone On Board
Develop standards and procedures surrounding data
Make sure it covers
Vendor management (purchasing, etc.)
IT
Field offices
Employee Awareness

Purchasing
Get 'right to audit' in contract
Spell out obligations
Proactive (not just penalties for failure)
Prescribe necessary precautions

Make the obligations part of the solicitation and scoring
Include claw-back provisions in the contract for expenses incurred as a result of a breach.

IT
Information classification needs to be emphasized
Heightened awareness required, particularly involving data repositories
Strong change request process is very useful
Need heightened awareness involving encryption
Direct access to your network heightens the risk as it potentially exposes ALL of your data!!!

Field Offices
What is their ability to contract independently?
How de-centralized is IT?

Employee Awareness
Employees need to be aware of data sensitivity
Reminder that email attachments (spreadsheets, cut/paste lists, etc.) are covered
Provide a point of contact for questions
Periodic reminders

Data classification
Sensitive data needs to be identified
Remember combinations of data
Don't send unnecessary data, e.g. account numbers

Discussion Questions
1. Should you hold your vendors to the same information security specs as your own?
2. Do you hold your vendors to the same information security specs as your own?
3. What would it take to satisfy you of the vendor's security over information?
4. What is your organization doing to satisfy itself with regard to vendor security?

Assessment Process
1. Rank the risk
2. Identify the vendors (all or some?)
3. Survey vendors
4. Score the survey
5. Identify weaknesses
6. Decide on remediation process

Pre-Survey Steps
Does the vendor know what is expected in detail?
Do you have a good contact at the vendor, if permitted?
What sort of tracking system do you need?
Who is responsible for devising, administering and scoring the survey?

Survey Process
Develop the survey
Devise a scoring system (Keep it simple!)
Design the questions to be gradable
Have all vendors complete a standard questionnaire.
Review and score questionnaires using the same criteria.
Use 'skepticism' when grading
Evaluate by predetermined score

Survey Considerations
Once high-risk vendors are completed, are you comfortable with the results? If not, keep going until you begin to feel comfortable
Evaluate risks against questionnaire score
High risk data/processes necessitate high vendor score
Determine if additional info, including site visit, is needed

On-site inspections?
High risk vendors may require onsite inspection
High risk implies sensitive data and/or questionable safeguards
Set up a schedule based on risk assessment. The higher the risk, the greater the frequency.
Might be a good opportunity for employing consultants whose presence overlaps your vendors
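The scoring steps above (gradable questions, one answer key for every vendor, a pass mark that rises with the risk of the data, and a site visit when high-risk data meets questionable safeguards) as a small worked model. This is an added example, not the presenters' scoring system and not the Shared Assessments questionnaire: the questions, weights, answer key, risk tiers, thresholds, review intervals and the two vendors are all constructed assumptions for illustration.

```python
"""Scoring a vendor security questionnaire against risk-tiered thresholds.

Added example; question set, weights, answer key, tiers, thresholds and
review intervals are assumptions, and both vendors are constructed.
"""
from dataclasses import dataclass
from enum import Enum


class RiskTier(Enum):
    """Risk ranking of the data or process the vendor handles (step 1)."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class Question:
    qid: str
    weight: int
    key: dict  # accepted answer -> fraction of the weight earned


YES_NO = {"yes": 1.0, "partial": 0.5, "no": 0.0}

# Gradable questions: a fixed answer key lets two reviewers reach the same
# score for the same questionnaire. Assumed set for this example.
QUESTIONS = [
    Question("encrypt_in_transit", 3, YES_NO),
    Question("encrypt_at_rest", 3, YES_NO),
    Question("background_checks", 2, YES_NO),
    Question("termination_removes_access", 2, YES_NO),
    Question("prompt_incident_notification", 2, YES_NO),
    Question("recovery_tested", 2, YES_NO),
    Question("data_stays_in_us", 1, YES_NO),
    Question("no_further_subcontracting", 1, YES_NO),
]
MAX_SCORE = sum(q.weight for q in QUESTIONS)  # 16

# Controls whose weakness alone justifies an on-site look for high-risk data.
CRITICAL = {"encrypt_in_transit", "encrypt_at_rest", "prompt_incident_notification"}

# High-risk data/processes require a higher vendor score (fraction of MAX_SCORE).
PASS_THRESHOLD = {RiskTier.LOW: 0.50, RiskTier.MEDIUM: 0.70, RiskTier.HIGH: 0.85}
# The higher the risk, the greater the re-assessment frequency (months).
REVIEW_INTERVAL_MONTHS = {RiskTier.LOW: 24, RiskTier.MEDIUM: 12, RiskTier.HIGH: 6}


@dataclass
class Assessment:
    vendor: str
    tier: RiskTier
    score: float
    passed: bool
    weaknesses: list
    site_visit_required: bool
    decision: str
    next_review_months: int


def score_survey(answers):
    """Grade with skepticism: a missing or off-key answer earns nothing.
    Returns the total and the questions that were not fully met."""
    total, weaknesses = 0.0, []
    for q in QUESTIONS:
        fraction = q.key.get(str(answers.get(q.qid, "")).strip().lower(), 0.0)
        total += q.weight * fraction
        if fraction < 1.0:
            weaknesses.append(q.qid)
    return total, weaknesses


def assess_vendor(vendor, tier, answers):
    """Steps 4-6: score the survey, identify weaknesses, decide what happens next."""
    score, weaknesses = score_survey(answers)
    passed = score / MAX_SCORE >= PASS_THRESHOLD[tier]
    critical_gap = any(w in CRITICAL for w in weaknesses)
    # Sensitive data plus questionable safeguards -> on-site inspection.
    site_visit = tier is RiskTier.HIGH and (not passed or critical_gap)
    if not passed:
        decision = "remediate_before_use"
    elif weaknesses:
        decision = "accept_with_remediation_plan"
    else:
        decision = "accept"
    return Assessment(vendor, tier, score, passed, weaknesses, site_visit,
                      decision, REVIEW_INTERVAL_MONTHS[tier])


# Constructed sample questionnaires (hypothetical vendors).
PAYROLL_ANSWERS = {
    "encrypt_in_transit": "yes", "encrypt_at_rest": "partial",
    "background_checks": "yes", "termination_removes_access": "yes",
    "prompt_incident_notification": "yes", "recovery_tested": "partial",
    "data_stays_in_us": "yes", "no_further_subcontracting": "no",
}
HELPDESK_ANSWERS = {
    "encrypt_in_transit": "yes", "encrypt_at_rest": "no",
    "background_checks": "yes", "termination_removes_access": "partial",
    "prompt_incident_notification": "yes", "recovery_tested": "no",
    "data_stays_in_us": "no", "no_further_subcontracting": "yes",
}

if __name__ == "__main__":
    print(assess_vendor("Payroll processor", RiskTier.HIGH, PAYROLL_ANSWERS))
    print(assess_vendor("Help desk", RiskTier.LOW, HELPDESK_ANSWERS))
```

The payroll vendor scores 12.5 of 16, which would pass a low-risk threshold but not the 85% demanded for high-risk data, so it is sent to remediation and flagged for a site visit; the help desk vendor scores 9 of 16 with the same kind of gaps but, handling low-risk data, is accepted with a remediation plan and a two-year review interval. The point the slides make is visible in the numbers: the same questionnaire answers lead to different outcomes once the risk of the data is factored in.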

Vendor - Background Info
Nature of service provided
Frequency that information is supplied to vendor
List of data elements provided (selection criteria is not essential)
How data is transported (transport method and encryption technique)

Vendor - Background (contd)
Will any of the data reside outside of the US?
Are any of the services provided further outsourced? (If so, more detailed information on nature, location, etc. is required)

Vendor Oversight
Regulatory or other Governance the vendor must follow (HIPAA, PCI, banking, SOX, SAS70, etc.)
Are your data/processes covered by those compliance processes? If so, can those regulatory bodies affect your organization?
Employee policies (confidentiality agreements, background checks, termination process within systems, etc.)

Vendor Process Inventory
Provide a specific list of servers, databases, and networks where data will reside or be processed
Provide information on each (location, operating systems, age, etc.)

Vendor - Security Questions
Describe security policies
Provide data classification grid
How does your vendor's classification match your data classification scheme?
Technical/logical system controls

Vendor Physical Risks
Physical security of facilities (accessibility by public)
Data Center
Off-site data storage: is your data going to yet another vendor?
Call center services (if in scope)
Identity theft monitoring process

Vendor Business Continuity
Business Continuity plans (may not be in scope depending upon nature of the services provided)
What is the recovery timeframe for your data and equipment?
Does response time match your need?
Does the response time match your contract?
Has your data and equipment recovery been specifically tested?

Handling 3rd Parties
What processes are further subcontracted to a 3rd party?
NOTE: same assessment process needs to be followed for the 3rd party
What are your rights with regards to 3rd party inspections or ability to have primary vendor inspect?

Vendor Documentation
Any documentation from third party reviews (PCI, SAS-70, BITS)
Organization chart (especially showing security responsibility and hierarchy)
Outline or listing of security policies and procedures in place (an index or table of contents, etc.)
Process documentation or results of any security risk assessment

Vendor Doc (contd)
Employee background check template to verify scope
Floor plan diagram showing security devices (i.e. cameras, badge readers, etc.)
Access control list for the data center (if applicable)
Account password settings (screen shot of settings for systems)

Vendor Doc (contd)
Audit/logging policies for systems processing/protecting
Data retention and secure purging related policies and procedures.
eDiscovery program
Incident response plan: is your organization notified promptly?
A sample of the change control process sign-off form or document recording approval for system/software changes
Org chart

Managing Deficiencies
Prioritize the deficiencies
Ensure that purchasing and the business unit are aware of vendor deficiencies and potential impact
Work with vendor and purchasing to develop a reasonable timeline to fix
If necessary, begin enforcing contractual penalties

One More Thought (or so)
If you provide outsourced services:
What are you doing to provide this info?
Are you meeting your obligations?
What are the processes for keeping your clients informed?
What do you outsource that might create a problem?

Call to Action
Assess the process for managing information flow to outside parties
Identify the risks for data residing outside your direct control
Evaluate external organizations' ability to secure your data

More Information
Shared Assessments
http://sharedassessments.org/
Agreed Upon Procedures
Standard Info Gathering
Questionnaire
Low/high risk questionnaire
Business Continuity questionnaire
Privacy Continuity questionnaire

Questions & Contact Info
Bill McSpadden (BMcSpadden@Chanllc.com)
Howard Haile (HHaile@Chanllc.com)
