Third parties are an expansion of the corporate network. They are a necessity, providing a range of services that are better outsourced than attempted in-house.
Third parties are often less expensive and more efficient, which makes them attractive to business leaders looking to maintain or gain a competitive advantage. The expansion of the corporate footprint not only means there are more points of contact; the complexity of managing it all can also take on a life of its own.
This can draw the ire of security professionals who are already stretched thin managing their own company, let alone third-party businesses where they have less control.
When business units engage third parties, are they aware of the risks they take on when entering into an agreement? Without the involvement of legal and security teams, chances are good that due-diligence security assessments are lacking, presenting unforeseen risk to the company.
Data is a business asset, but many business units do not think of it as one in the traditional sense.
How does the third party protect the shared data assets it has been entrusted with, and how does the company that provided the data know? These are simple but critical questions to have answers to prior to the first proof-of-concept (PoC).
The beginning is really important, even if there is no formal contractual agreement in place and the service provider is just offering a PoC. Why? What happens to the data when the PoC is over and no contract is signed? Did the third party properly destroy the data provided? If a contract is signed, how critical will this third party be to the business going forward, and what security measures does it have to protect the continuous flow of data it may be receiving? Is there a termination clause based on security incidents?
It is worth noting that several announcements relating to third-party management have been made within the past 12 months in both the finance and healthcare industries.
The Office of the Comptroller of the Currency (OCC) provided guidance in 2013 specifically addressing risk management for third-party relationships. This builds on the response to the 2007-2008 financial crisis, in which the Dodd-Frank Act created the Consumer Financial Protection Bureau (CFPB), aimed at enforcing consumer protection with banks, credit unions, payday lenders, and securities firms, to name a few.
The CFPB expects the financial sector to oversee and manage third-party relationships and to protect against consumer harm. As expected, HIPAA is also involved in ensuring third parties (business associates) are carefully watched as part of the HIPAA Omnibus Rule. As such, businesses should be able to address three questions prior to the first data exchange or service provided. These questions can be seen in the OCC’s Risk Management Life Cycle illustration provided below.
- What is the third party’s security posture, and what is the risk of sharing data with it? (this should be documented and reported)
- Who is managing the relationship and are stakeholders involved? (oversight and accountability)
- How does the company know? (independent reviews)
It’s important to note that third parties are not just recipients of sensitive data. It’s very likely a third party connects remotely to systems within the company to provide a service. The relationships fall into one of two broader scenarios:
- Businesses sharing data or accessing a service externally
- This is the classic scenario discussed thus far, and it relies heavily on leveraging an external entity (and sometimes internal company divisions) to provide a service and process data. The risk is that the third party has a security incident which negatively impacts the business because of the intellectual property or non-public information originally shared with it.
- Watering hole attacks are becoming more prevalent because attackers exploit less security-savvy companies when they can’t yet compromise the victim they are seeking. Rather than go to the trouble of directly attacking the company they want, attackers find it easier to compromise a small, less-savvy third party of their intended target.
- External entity connecting to the business to provide or obtain service
- It is very common for businesses to rely on third parties to remotely manage, support, monitor, or process a service for a company. What systems can they access remotely, and what data is at risk? This was the case in the infamous Target breach, where a third-party HVAC contractor was compromised, giving the attackers a foothold into the giant retailer. With stolen credentials, the attackers were able to breach Target’s systems based on the trust relationship with the third party.
Developing third-party processes and procedures is required to ensure an effective, top-down program. Regulated or not, businesses must have a process in place to manage data flow from their own network and external connections. The steps include:
- Build a foundation with executive management for third-party management. This includes governance, policies, procedures, and standards.
- Determine risk tolerance for the business. What is the business willing to share or provide as a service to other entities?
- Assign ownership and align with stakeholders. Third-party relationships are driven by business needs, and key stakeholders must be aware and involved from the beginning.
- Establish strong legal contract language. This may include the right to audit, full visibility into independent security reviews, and a clause to terminate if the vendor fails to meet requirements.
Fortunately, there are vendor management solutions available to help organizations maintain and manage all of the relationships they have. The following is a list of solutions that businesses can turn to in order to better manage the process.
- Shared Assessments Framework – Since 2005, Shared Assessments, a consortium of Big 4 accounting firms, leading financial institutions, and key service providers, has maintained a framework designed to streamline the vendor risk assessment process through consistent standards, with speed, efficiency, and cost savings. Simply put, Shared Assessments is a trust-but-verify framework that uses the following tools:
- Standard Information Gathering (SIG) – The SIG, the trust element of the program, is a questionnaire that allows organizations to obtain information about a third party’s technology, privacy, and data security controls. Through a series of questions, the SIG helps organizations understand how the relationship may impact their security posture.
- Agreed Upon Procedures (AUP) – The AUP is the verify element, validating the program based on the answers obtained from the SIG. The AUP is recommended for onsite assessments; it lets organizations focus on specific control areas during the onsite assessment and defines the procedures to follow and the sample sets to use.
- Vendor Risk Management Maturity Model (VRMMM) – The VRMMM’s purpose is to refine the third-party management program. Drawing on vendor risk management best practices, the model can be used to assess both the current and the desired future state.
- Third-Party Security Rating – What is a third party’s risk rating to the business? What if the rating was good around the time of contract signing but would raise a red flag one month later because of a change in security posture, and, more importantly, how would the business know? Rating third parties with a score that is continuously monitored is the approach some solution providers are taking. The rating is similar to the credit scores the financial industry uses to benchmark the risk of lending money. For example:
- BitSight Technologies analyzes data feeds to and from the third-party and examines botnet events, spam, malicious code, IP reputation, and social media, just to name a few.
- CloudeAssurance provides standards (ISO, PCI, HIPAA, etc.), risk and threat-based (Top 20, benchmarking, etc.) third-party assurance for cloud and non-cloud environments.
- Evantix is also providing a risk rating SaaS-based product to map across many regulatory requirements.
- Navex Global offers risk rating status on-demand through their SaaS-based product suite.
Our dependence on third parties isn’t going to slow down, and managing them is no easy task, but with the proper structure in place it can be done more effectively. Developing a plan will help manage the process through the following steps:
- Develop policies and involve the business
- Identify data flow and access requirements
- Evaluate program tools and assign dedicated resources
- Implement remote access segmentation and monitoring of third-parties
- Continuously monitor the security posture of third-parties