Security plays a significant role in today’s corporations and mitigating risks to a company’s most valuable asset, data, is important. With data breaches, such as the one experienced by Target, the Department of Homeland Security as well as the Internal Revenue System, it is becoming increasingly obvious that no one is immune. Securing data is complex and with the advent of cloud services where information is now gathered and stored in various locations throughout the globe, securing that data continues to be a challenge.
Even as we implement policies and procedures to secure our environment, we are now partnering with many companies and vendors that must also follow the same guidelines to protect a company’s assets. While companies work to secure their environments, the external vendors they partner with are viewed as extensions of their business. With the increasing popularity of cloud services, partnering with external vendors is growing at a fast rate, and many business units are signing contracts with these vendors without any IT security involvement. How secure are these companies?
Do they have the same robust security programs? When were they last hacked? Are we sharing infrastructure with other companies? Are those other companies sharing our infrastructure also our competitors? Many questions arise as we continue to broaden our landscape outside of the walls of the data centers. How do we go about ensuring that our partners are following the same standards we are? “The US Office of the Comptroller of the Currency (OCC) and the Board of Governors of the US Federal Reserve System released updated guidance on the risk management of third-party relationships.
This guidance signals a fundamental shift in how financial institutions need to assess third-party relationships.” (Vendor Risk Management Demystified, ISACA Journal, Volume 4, 2015) External vendors must be vetted properly, following industry standards with appropriate processes and procedures in place, before a company can sign off on and “approve” these vendors. As such, it is imperative that a process is developed and documented for associates and business units to follow. As part of this project, I reviewed some of those industry standards and documented a process for the company to follow when reviewing and approving a potential vendor.
This process will need to continue to grow and mature as standards and processes change with newer technology and as work with vendors progresses. To ensure vendors are vetted appropriately, we must review industry standards and incorporate them into a vendor management process as it relates to security and compliance, so that vendors adhere to compliance expectations and security requirements.
But how do we know where to start? What can we use as a reference? For this project, we will be reviewing the different cyber security frameworks (NIST, ISO, and COBIT 5), as well as research from IT industry research and advisory leader Gartner.

What is NIST?

NIST stands for the National Institute of Standards and Technology. It is a non-regulatory government agency that develops technology, metrics and standards for innovation. It encompasses best practices across a range of industries at US-based organizations. A widely adopted NIST standard is the NIST Cybersecurity Framework, which is based on best practices from several security documents, organizations, and publications. This is a framework for federal agencies that require stringent security measures to follow.
As these standards are endorsed by the government, companies comply with NIST standards because doing so helps them comply with other regulations such as HIPAA, FISMA and SOX.

What is ISO?

ISO, the International Organization for Standardization, is an organization comprised of experts from various countries who develop and publish International Standards that address global challenges. Within the ISO security framework, the ISO/IEC 27000 family provides guidance for global organizations and specifies requirements for information security management systems.

What is COBIT?
ISACA is an international professional association for Information Technology management that focuses on IT governance. COBIT (Control Objectives for Information and Related Technologies) is a framework created by ISACA for information technology (IT) management and IT governance. The COBIT framework is respected and used by many organizations for its guidelines. These are the organizations and frameworks that will be referenced as part of the review for the vendor management program.
In developing the vendor management program, these different cyber security frameworks (NIST, ISO, and COBIT 5) were leveraged. The program was designed to meet the many different requirements of a global organization. The cross-referencing between the cyber security frameworks supports the depth needed to provide a successful program.

What is SOC 2?

The AICPA, the American Institute of Certified Public Accountants, created SOC reports. SOC, Service Organization Controls, is a series of accounting standards used to measure the controls over financial information at a service organization. The report covers Security, Availability, Processing Integrity, Confidentiality or Privacy.
The reports were created due to the rise in outsourcing of traditional services such as payroll, medical claims, tax processing and Human Resource services. This, along with the expansion of cloud services and the flow of confidential and personal customer information submitted to these services, created liability for the service organization regardless of where the information is leaked. A SOC 2 report verifies that an external auditor, a qualified third party, has validated that appropriate controls are in place to protect the organization, and such reports are an excellent resource for vendor management programs.
In order to understand whether a company has followed the appropriate guidelines and has the appropriate processes and procedures in place to be a trusted partner, requesting the results of a SOC 2 report can dramatically shorten the timeframe for approving a vendor. This should be the first step in the process of reviewing a vendor.

Process

Requests may come in through several different avenues. If the business is reviewing its business design and is evaluating vendors to contribute to an architectural design, it may require that the vendor be reviewed and approved by the Security team.
If the business is merely contracting for a specific service, it may also request that a review be completed by Security before proceeding. Groups or business units may also approach the procurement department before requesting a security review, especially if they are in the process of requesting information for a final decision. In that scenario, the request will come from procurement for one or more of those potential vendors. Once the request is in the Security queue, the first step will be to contact the vendor and request the final SOC 2 report for review.
If the vendor has not had a SOC 2 review done, the Security team will provide a questionnaire to be completed and returned to the Security team for review. The team will then review the document to identify any gaps in the responses that must be addressed. If gaps are identified, the Security team will reach out to the vendor to review and discuss them. Updates are made to the questionnaire until no further information can be provided or the form is complete. Once this is done, the Security team will complete a “Findings” document and determine whether the vendor is “Approved” or “Denied”.
If a vendor is “Approved”, the procurement department is notified if the request originated from them. If the request did not originate from procurement, procurement is engaged for further steps outside the scope of this process. If the vendor is “Denied”, this will need to be escalated to the “Security Management” team for further discussion. This is the end of the process flow for the scope of this exercise, but a determination would need to be made by Security Management on the next steps, in agreement with the requestor.