This article can also be found in the Premium Editorial Download "Information Security magazine: Inside the Data Accountability and Trust Act and what it means for security."
Every business today depends to some extent on third parties -- a reality that's becoming even more pronounced as companies move to more cloud-based services. And in order to effectively provide a product or service, a certain percentage of those third parties will require access to confidential corporate and/or customer information. Obviously, it is incumbent on management to ensure not only that the third party is capable, but also that, in the course of its operations, it can keep the data entrusted to it secure. Traditional vendor management programs have tended to focus to a large degree on "ability to deliver," with data security being an almost secondary consideration. What managers often fail to fully appreciate, especially at large or very visible companies, is that while a third party's failure to deliver would in all likelihood be operationally disruptive, a massive data breach could be devastating.
The challenge for companies is how to ensure protection when they often have little ability to monitor day-to-day operations, evaluate the third party's strength of internal controls or have meaningful input into the third party's risk management systems. While we often talk in terms of keeping the data "secure," the grim reality is that, simply because people need to use it, the data is not secure. Adding an external entity into the equation just makes it that much less secure.
Companies tend to approach vendor management in many different
CONTRACTUAL PROVISIONS
Assuming clear ownership has been established, the next area covers a set of questions and provisions that the CISO must ensure are being addressed before any contracts are signed and data exchanged.
The first and most logical question is, why? Why does the third party need this data? Is it required for them to provide their product or service? Do they need all of the data or just some of it? Is the business area just being lazy and suggesting it all be sent, rather than taking the time to create more discrete, or sanitized, sub-sets? Ultimately, the related business area must be able to clearly rationalize why the data is imperative to the third party's product or service. This is an area where the CISO may be consulted as a subject matter expert, perhaps facilitating a discussion around what options exist that could reduce the type and quantity of data provided. It is a sad fact that well-meaning people often view data (even highly confidential data) as an operational necessity, like bricks to the builder, and not the highly valuable, highly sensitive corporate asset that it is.
In terms of contractual provisions there are a number of things the CISO needs to ensure are included any time confidential data will be exchanged. These include:
- Standard confidentiality language commensurate with the degree of information shared
- A "right to audit" provision against the third party's system of internal controls
- Clear service level agreements for notification requirements in the event of a data breach
- Financial liability for any expense associated with a data breach
In the end, however, a company needs to remember that while these provisions exist (at least in theory) to prevent an incident, the reality is that they largely exist for recourse. Real prevention will be accomplished through comprehensive due diligence, actively setting and managing expectations, and effective monitoring.
The first and possibly most critical governance aspect is ownership. Regardless of how the contract and related due diligence are facilitated, one absolute and irrefutable truth remains: there must be one specific person responsible for the relationship -- not a department, committee, or a vendor group -- a person. In all likelihood, that person will be in the business or operating unit that directly oversees the product or service that the third party provides, be that IT, a line unit, back office, etc. This person, perhaps assisted by others, is specifically and directly responsible, and accountable, for management of that third party. This includes any damages caused by a failure of that third party to adequately protect the data provided to them.
Therefore, the first responsibility of the CISO is to make certain that the company has a process in place to ensure that each third party will have an associated third party relationship manager (TPRM) who is actively involved in the process of managing the relationship. The CISO will likely end up being consulted in the due diligence process where appropriate, but he cannot be the one responsible for managing the third party.
While assigning a TPRM is essential, we need to understand that there is a dilemma here. Even though having TPRMs assigned to all third parties is critical to good governance, an unfortunate conflict of interest exists. The fact is, assuming that the business wants to use a given third party, the TPRM is somewhat less than motivated to find problems with them. In fact, quite the opposite; they may find themselves looking for reasons to trust the third party, perhaps ignoring subtle, or not so subtle, signs that could be an indication of something suspicious. This is why accountability is so critical -- if TPRMs are responsible for the misdeeds of their third party, they become significantly less incented to turn a blind eye. Therefore, it is also the CISO's role to ensure that TPRMs are taking the contract, due diligence, management and monitoring process seriously and proactively.
All enterprises have skeletons they prefer not to disclose, so there's no reason to assume your vendors don't also have something they'd prefer to keep quiet. Consequently, the third major area that the CISO needs to be actively engaged in is the design of the overall due diligence process. The fact is that companies need to be very deliberate about how they assess and manage their third parties when it comes to data sharing.
When performing third party due diligence, how the information is gathered isn't nearly as important as what is done with that information. (As far as forms go, you can't really beat the BITS Shared Assessment templates, and many major companies have already completed these forms anyway.) Generally speaking, the information provided by a third party relative to its information security practices should be viewed just like a resume. While it is a form of attestation on the part of the third party, it is not designed to verify adequacy; it's just a tool to start the conversation. The job of the organization, with the CISO's direction and/or assistance, is to get behind all of the wonderfully crafted language and carefully constructed responses. What is the truth about how the third party stores, manages, protects and ultimately destroys the confidential data that you are, or will be, sharing? Where will it reside? Who exactly will have access? How is access granted and revoked? What are their change management practices? What technology is the third party using and does it contain known vulnerabilities? Is it current or obsolete? What independent reviews of the third party's environment are conducted and by whom? What were the past results?
This is not a check-off exercise -- it's a gauntlet, and one that should be very difficult to navigate. If the business isn't asking really hard questions, it's not doing its job. It's the CISO's job to make sure that this process is happening, both at contract origination, and throughout the life of the contract.
Another part of the due diligence process should be a mechanism for classifying the data that will be shared. What type of information will be included? What is its level of sensitivity? How much information will be shared and how often, etc.? This provides a baseline for the business so that if the nature of the relationship changes, particularly in a way that requires a change to what data is shared, the company can reassess the risk based on the new data requirements. The CISO should be able to help develop an agreed-upon classification schema that can be used consistently throughout the organization.
An area that is often overlooked is data destruction. When and how will the data be destroyed? How will the third party attest to its destruction and what are the consequences if it is not destroyed? This is a difficult area to manage because, let's face it, proving that data has been completely eliminated is difficult to impossible. Nevertheless, this area must be subject to clear expectations, which the CISO needs to ensure has been documented.
Ultimately, when going through the third party due diligence process, a company should develop a risk profile for all of its third parties that includes a risk rating based on the type and amount of the data being shared. This allows the company to focus its energy and resources on those third parties that represent the most risk, and provides a baseline to reference when either the third party or the nature of the contract changes.
Monitoring and incident response are the most challenging and precarious areas of vendor management. This is simply because monitoring is difficult if not impossible, and recovery from an event is extremely tough.
Nevertheless, despite the limited ability to monitor third parties, there are some areas that the CISO should ensure are addressed. The first represents internal changes. This would typically be a change to the scope of the contract which requires a change to the type, sensitivity, quantity or frequency of the data that is being exchanged. In this case, there must be a process to revisit the risk profile based on the new data requirements, and if a material change is going to take place, then a new due diligence and risk assessment analysis needs to be completed. Otherwise you're applying old rules to a new game.
The other area obviously involves changes at the third party itself. This would include facility moves, corporate restructuring, business acquisitions, new business lines, etc. Each of these can have an impact on the internal controls related to data protection, and it is the CISO's responsibility to ensure that systems are in place to monitor these third parties for material changes. Changes such as these should prompt, at minimum, a conversation between the TPRM and the third party to understand what impact, if any, these changes will have on the company's data usage and internal controls.
A third, and fairly intuitive, area of monitoring involves media coverage. Should the third party become subject to any degree of regulatory or other third party criticism or, worse, be the victim of some sort of data compromise, then the entire due diligence and risk assessment process must start from scratch. All prior attestations and assumptions are void and must be discarded.
The CISO will have to manage this area because this is where the TPRMs will often try to take the easy way out for fear of having to switch vendors. Often their response is "Yes, they had a breach, but they say that they have taken care of the vulnerability." O.K., prove it.
Incident response is possibly the most treacherous part of vendor governance. Ideally, there will never be a scenario where data is compromised and somebody needs to clean up the mess. However, we know it is a statistical certainty that it will happen and, when it does, the company needs to have the processes in place to respond quickly and decisively. The fact is that if you looked at every data breach since the beginning of time, they all share one common attribute -- and that is that time is not on your side.
Certainly, at a minimum, every third party contract must have a notification requirement in the event of a data breach. This should be measured in hours, if not minutes. On the heels of a data exposure, the initial hours can be critical, particularly where customer information is involved. CISOs need to ensure that both companies -- their own and the third party -- have a clear escalation and notification strategy so that all parties involved know exactly who needs to be notified and who will take charge in developing and implementing a resolution plan.
These are not details that can be made up at the time of a breach -- they must be clearly established, and tested, well in advance of any live event. And, again, a data incident of any kind should prompt a revisit to the third party's due diligence and risk assessment. If the incident was very minor, very localized and easily corrected, fine. But at a bare minimum, a discussion needs to take place that asks whether the potential vulnerability was previously disclosed and how it has been addressed.
NO SMALL FEAT
Experience has shown that the majority of companies collect only basic information about the third parties with which they will exchange confidential data, tend to do only cursory analysis of that information, take minimal due diligence steps, implement limited monitoring and haven't really thought through their incident response procedures in the event of a major data breach. And yet every single one knows without a shadow of a doubt that it should be doing more and is probably accepting too much risk. Simply put, this is just not acceptable.
The CISO has a substantial task to ensure that all of the systems and controls are in place to ensure third party compliance with information security policies and practices. To quote Ronald Reagan, this is definitely an exercise in "trust but verify," and it is no small task. This further reinforces why the CISO must be in a very senior role with total management access. He or she must work very closely with internal vendor management groups to provide subject matter expertise, program design assistance and direct oversight when necessary. We all like to believe that people will always do the right thing, but this is simply not the case. There are criminals everywhere, and they can disguise themselves as hardworking employees, just looking for an opportunity to strike. But through strong contractual provisions, comprehensive due diligence, detailed documentation, active management, dynamic monitoring and the ability to respond quickly, companies can go a long way towards managing their third-party risk.
Eric Holmquist is president of Holmquist Advisory, LLC, which provides consulting to the financial services industry in risk management, operations, information technology, information security and business continuity planning. Send comments on this article to firstname.lastname@example.org.
This was first published in December 2010