Third Party Vendor Risk Management
You can outsource the responsibility of risk, but not the accountability
Introduction
Today’s business demands fast services and readily available information. Sharing information among businesses promotes higher quality services and better research, and it allows a business to focus on its primary objectives without having to staff certain departments itself (IT, accounting, support, etc.). When a business relies on these third parties to meet its needs, it also increases its risk profile.
The primary reason third party risk management demands serious consideration is that when a company shares its information assets with another company, the potential for a compromise increases. Specifically, it is the added risk of the information existing in another environment, under a different set of controls. These controls are outside the primary company’s scope, and their adequacy, enforceability and coverage are unknown until they are assessed.
A business remains responsible for its information assets while they are in the custody of a third party service provider. Businesses have attempted to hide behind indemnity clauses, but it is now widely accepted that an indemnity agreement does not relieve an institution of its responsibility to conduct banking, healthcare or any other business in a secure manner.
This gives rise to the discipline of third party risk management. To navigate it successfully, its key elements must be identified. As in any information-centric security assessment, the risks must first be identified, and then ways to mitigate, transfer, avoid or accept each risk must be developed.
Risk
Risk is any factor that has the potential to affect an organization negatively. There are several ways to view risk when relating it to the concerns that should be considered and addressed when working with a third party service provider. An organization cannot rely on an indemnity agreement to release it from responsibility for its information assets while they are in the custody of an entity it does not control.
Risks that must be considered include:
1. Operational Risk
The Office of the Comptroller of the Currency (OCC), Administrator of National Banks, defines operational risk as the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. The definition includes legal risk, which is the risk of loss resulting from failure to comply with laws, prudent ethical standards and contractual obligations. It also includes exposure to litigation arising from any aspect of an institution’s activities.
2. Compliance Risk
Federal and state regulations, together with industry standards such as PCI-DSS, dictate minimum levels of security that organizations must implement to protect their information assets, including personally identifiable information (PII), protected health information (PHI) and company financials.
These requirements include Sarbanes-Oxley, HIPAA, PCI-DSS, Gramm-Leach-Bliley and the Massachusetts identity theft law. Organizations that negligently fail to comply face financial penalties and, for public companies, possible delisting. PCI-DSS is a contractual standard enforced by the card brands rather than a law, but non-compliance carries fines and can cost a merchant the ability to process card payments.
When an organization partners with a third party, it extends these requirements to the partner. The organization thereby takes on the risk of becoming non-compliant with these regulations not through any fault of its own internal controls and policies, but through the third party’s negligence.
3. Other Risk
Additional risks that must be considered when working with third party service providers include reputational, strategic and credit risk. These risks are difficult to quantify but easy to understand: if an organization becomes associated with bad business practices, even where it was not directly at fault, the damage can be irreversible.
An example of this risk materializing occurred on 7/13/2009. Network Solutions, a third-party e-commerce merchant partner, reported a breach that disclosed the details of 573,928 credit cards. 4,343 of Network Solutions’ merchants had to notify their affected customers that they, the merchants, had disclosed the customers’ credit card information to an unauthorized party. Network Solutions’ security issue thus directly caused reputational damage to 4,343 organizations.
TSP Relationship Quality Assessment
There are several methods a business can use to evaluate a third party service provider’s control quality and maturity level for managing the security of information assets. These methods were developed to replace the unmanageable alternative of having every client of a service provider audit its information security controls individually.
Each approach has benefits as well as deficiencies. These approaches, which are not exhaustive, include:
1. WebTrust / SysTrust
WebTrust and SysTrust are assurance offerings that certified CPAs use to test web applications and information systems, respectively. These services were developed in part by the American Institute of Certified Public Accountants (AICPA) and leverage a common framework, based on the Trust Services Principles and Criteria, to address IT risk. An entity that engages an independent practitioner to certify a system, or attributes of a web application, may then publicly assert that the certified element complies with WebTrust and/or SysTrust.
The WebTrust service meets several needs of e-commerce businesses, including consumer protection, online privacy and certification authorities. When a web application or website has been successfully audited through the WebTrust service, a seal can be publicly posted asserting that the system is in compliance. There are six seals, each corresponding to a compliance status: Privacy, Security, Business Practice/Transaction Integrity, Availability, Confidentiality and Non-repudiation.
A WebTrust certification audit can only be performed by a certified CPA. The CPA designation does not by itself imply a technical background, but a CPA must receive authorization and certification in the WebTrust assurance offerings before providing the service. The AICPA has defined guidelines on the additional knowledge a CPA should have in order to offer this form of service properly. According to the AICPA website:
The SysTrust professional service audits and certifies a system. The four attributes of a system included in a full SysTrust audit are security, availability, maintainability and integrity. The four components can be audited independently or together; “SysTrust for system reliability” implies that all four are in scope for the audit.
A system, for the purposes of a SysTrust evaluation, consists of five key components organized to achieve a specified objective. The five components are:
- Infrastructure (facilities, equipment, and networks)
- Software (systems, applications, utilities)
- People (developers, operators, users, managers)
- Procedures (automated and manual)
- Data (transaction streams, files, databases, tables) (AICPA and CICA, 2006)
A system that has been evaluated, and whose controls have been found to be operating effectively, is authorized to display a SysTrust seal. The SysTrust offering is a traditional security assessment that reviews the critical elements of confidentiality, availability and integrity.
The service offerings are independent, which lends credibility to the objectivity of the audit, but only certified CPAs are authorized to perform the audits, which calls into question the subject-matter expertise available to test technical elements appropriately.
2. SAS70
SAS 70 (Statement on Auditing Standards No. 70, Service Organizations) is the audit standard for service organizations. There are two report types, Type I and Type II. A Type I report covers the service organization’s description of its controls and whether they are suitably designed as of a point in time; a Type II report additionally tests the operating effectiveness of those controls over a review period.
They are useful because they tell a business whether a service provider has good internal controls and security. They are typically used to demonstrate compliance when serving as an audit tool for regulations such as Sarbanes-Oxley, Gramm-Leach-Bliley and HIPAA.
SAS 70 reports have faults worth considering. Only CPAs are authorized to conduct SAS 70 audits, which raises a question of confidence in the technical quality of the audit: an auditor without a technical background is unprepared to look for what is missing. Worse, the controls tested are the ones the service organization itself describes, so a control that is absent is simply never stated and never tested, and the report still comes out favorable. This can mislead someone relying on the report as evidence of the quality of a third party’s security controls.
3. BITS
The BITS Shared Assessment methodology can be used independently or in parallel with other assessment methodologies. It provides rigorous industry standards for security, and its evaluation technique is repeatable and objective.
BITS Shared Assessment uses two tools, the Standardized Information Gathering questionnaire (SIG) and the Agreed Upon Procedures (AUP). The SIG addresses the control areas in ISO/IEC 27002, and the AUP defines objective, consistent procedures to be performed under each control area during an onsite assessment.
My Selection
I would select the BITS Shared Assessment approach for evaluating my third party service providers in an ideal situation, supplemented with a SAS 70 Type II report to address controls not covered by BITS. (I say ideal because BITS is not a mandatory assessment methodology, and not all service providers would possess a completed SIG and/or AUP.)
The BITS Shared Assessment has the credibility and confidence of the Big 4 accounting firms behind it. This support and buy-in gives me assurance that the approach is sound and comprehensive. BITS is tailored for financial institutions, but it provides high-value controls mapped across multiple standards.
Conclusion
Third party risk management is critical for any organization that partners with third parties, is concerned with regulatory compliance and information asset security, and is serious about maturing into a strong, successful organization. An organization that does not take this risk into account is not considering its total risk profile and is gambling with its security posture.
Several methodologies have been designed to help service providers handle requests from client organizations for documented evidence of security controls. Without some form of audited assessment, the cost and effort of responding to each client individually would be prohibitive for a service provider.
These methodologies have faults and are no guarantee that a service provider will avoid a compromise. Evaluation of a service provider should include review of the documented evidence of security control policies and procedures, the quality of the controls and their enforcement. In addition, the evaluation should account for the limitations of the methodology used and determine whether those limitations fall within the organization’s risk tolerance.
Bibliography
AICPA and CICA. (2006). Trust Services Principles, Criteria and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy (Including WebTrust and SysTrust). Retrieved 11 4, 2009, from WebTrust.org: http://www.webtrust.org/principles-and-criteria/item27818.pdf
AICPA. (2003). FAQs about WebTrust. Retrieved November 4, 2009, from American Institute of Certified Public Accountants: http://infotech.aicpa.org/Resources/Trust+Services/FAQs+About+WebTrust.htm
Chartered Accountants of Canada. (2008, June 30). Trust Services. Retrieved November 14, 2009, from WebTrust.Org: http://www.webtrust.org/
Comptroller of the Currency Administrator of National Banks. (2003, July 2). Supervisory Guidance on Operational Risk Advanced Measurement Approaches for Regulatory Capital. Retrieved November 14, 2009, from US Department of Treasury – Comptroller of the Currency Administrator of National Banks: http://www.occ.treas.gov/ftp/release/2003-53c.pdf
Jr, R. M. (2009). Managing Third Party Risk. Retrieved November 16, 2009, from System Experts: http://www.systemexperts.com/assets/tutors/SystemExperts-ThirdPartyRisk.pdf
Mills, E. (2009, July 27). Network Solutions breach exposes nearly 600,000. Retrieved November 18, 2009, from CNET: http://news.cnet.com/8301-27080_3-10296817-245.html
Santa Fe Group. (2009). Shared Assessments Web Site. Retrieved November 14, 2009, from Shared Assessments: http://www.sharedassessments.org/
US Senate Committee on Banking, Housing, and Urban Affairs. (1999, November 1). Information Regarding the Gramm-Leach-Bliley Act of 1999. Retrieved November 14, 2009, from Gramm-Leach-Bliley Act of 1999: http://banking.senate.gov/conf/