Vendor Risk Management: Data Privacy & Security - Panel
Sherry Ryan, CISO, Juniper
Tanya O’Connor, Director, Information Security, Arcadia Healthcare Solutions
Gary Roboff, Senior Advisor, Santa Fe Group - Shared Assessments
Rick Olin, Shareholder, CIPP/US, GTC Law Group (Moderator)
Vendor Risk Management – Data Privacy & Security (Panel)
Sherry Ryan, Chief Information Security Officer, Juniper Networks
• previously established and led information security programs at Blue Shield of California, Hewlett-Packard, Safeway and Levi Strauss
• Certifications: Certified Information Security Manager (CISM) from ISACA and Certified Information Systems Security Professional (CISSP) from ISC2
• member of High Tech Crime Investigation Association (HTCIA) and Information Systems Security Association (ISSA)
Tanya O’Connor, Director, Information Security, Arcadia Healthcare Solutions
• responsible for strategic security and privacy planning and implementation, contract review, continuous monitoring, HIPAA/HITECH compliance, and responding to customer privacy/security assessments
• Oracle Corporation - Compliance Manager and Security Lead
• U.S. Department of the Treasury - Information Systems Security Manager
• U.S. Navy - Information Security Business Analyst and Information Assurance Governance Analyst
Vendor Risk Management – Data Privacy & Security (Panel)
Gary Roboff, Senior Advisor, Santa Fe Group – Shared Assessments
• focuses on payments, risk management, mobile financial services, and information management
• JPMorgan – served 25 years; retired as Senior Vice President of Electronic Commerce; led effort to return to merchant services business with the founding of Chase Merchant Services LLC (now Chase Paymentech)
• International Security Trust and Privacy Alliance (ISTPA) – Founder
• Chemical and Manufacturers Hanover - led development of pinned debit services
• served on various Boards of Directors, including: ISTPA, the NYCE network, and the Electronic Funds Transfer Association
Rick Olin, Shareholder, CIPP/US, GTC Law Group
• focuses on transactional matters, including: M&A and technology transfer; compliance areas such as data privacy and security, and information management matters; as well as general business counseling to GTC’s technology and media clients
• TechTarget, Inc. (NASDAQ, TTGT) - Vice President, General Counsel and Secretary
• Workscape, Inc. (acquired by ADP, Inc.) - Senior Vice President of Corporate Development, General Counsel and Secretary
• SpeechWorks International, Inc. (acquired by ScanSoft, Inc. and now Nuance Communications, Inc.) - Vice President, General Counsel and Secretary
Vendor Risk Management Panel
November 3, 2017
Sherry Ryan, VP/CISO
Why third-party cybersecurity matters
• 41 - 63% of breaches in recent years were traced to third-party vendors
• Cross industry: restaurants, chain stores, pharmacies, construction companies, hotels and medical centers
• Financial impact of breach response plus revenue and share price impact
• Reputational impacts, regulatory exposure, and lawsuits plus job loss for executives, directors and others
CSO Cybersecurity Insights, December 7, 2016
Key Findings (Deloitte: Third Party Governance and Risk Management, Global Survey 2016), covering the third party ecosystem, managing third party risk, third party governance, and technology and delivery models:
• As dependence on third parties becomes increasingly critical, organizations are being compelled to rapidly “catch up” in enhancing the maturity of their third party governance and risk management processes
• The drivers for third party engagement are progressively shifting from a focus upon cost to a focus upon value
• Third party risk incidents are on the increase
• Increased monitoring and assurance activity over third parties is believed to significantly reduce third party risk
• Organizational commitment to third party risk management is not supported by confidence in the related technology and processes
• Third party risk is starting to feature consistently on Board agendas
• Visits to third party locations are considered the most effective assurance method
• Most organizations are mandating consistent third party governance
• Existing technology platforms for managing third parties are considered inadequate
• Organizations are in the process of deciding between centralized in-house models and external service-provider based models for third party monitoring
Due Diligence Tools
• On-site reviews
• Assessments and questionnaires
• Attestations
• Documentation review
• Review assessments and certifications
• Security risk rating scores
• Contractual
Risk-Based Approach
Risk Factors
Service risks:
• Customer and financial impact
• Data sensitivity
• Compliance and regulatory
• Transaction volume
Vendor risks:
• Geographic location
• Financial health
• Prior breaches
• Performance record
• Extent of work performed
Vendor Prioritization
• Organize into high, medium and low risk categories
• Prioritize high risk vendors for greater scrutiny
Level of Due Diligence and Monitoring
• Higher risk – On-site reviews and more frequent monitoring
• Moderate risk – telephone reviews and periodic monitoring
• Lower risk – vendor self assessments, follow up as required
Trust But Verify Assessment Model
Thank you
12© 2017 ARCADIA HEALTHCARE SOLUTIONS | NOT FOR REDISTRIBUTION.
November, 2017
PRESENTED BY TANYA O’CONNOR
DIRECTOR, INFORMATION SECURITY
VENDOR RISK MANAGEMENT PANEL
ABOUT ARCADIA: ARCADIA OVERVIEW
ARCADIA IS AN EHR DATA AGGREGATION AND ANALYTICS COMPANY FOCUSED ON ENABLING OUR PARTNERS TO SUCCEED IN SHARED RISK USING INTEGRATED AMBULATORY, INPATIENT & ADMINISTRATIVE DATA.
• 35M PATIENTS MEASURED
• 50K PROVIDERS MEASURED
• 3000 PRACTICES IMPACTED
• 30+ EHR VENDORS CONNECTED
• 2002 YEAR FOUNDED
• 250 AWESOME EMPLOYEES
ARCADIA HAS ANALYZED OVER 35 MILLION PATIENTS NATIONALLY
BOSTON: 20 Blanchard Rd. #10, Burlington, MA
CHICAGO: 630 E Jefferson St., Rockford, IL
SEATTLE: 1215 4th Ave. #925, Seattle, WA
PITTSBURGH: 29 West Main Street, Carnegie, PA
EXAMPLE CUSTOMERS: ARCADIA OVERVIEW
PROVIDERS / HEALTH PLANS
BECOMING A TRUSTED BUSINESS PARTNER (FROM THE VENDOR PERSPECTIVE)
ALIGNMENT OF INTERESTS
• Same rules/liabilities apply to vendors (business associates) and customers (covered entities)
• Requires a partnership approach to securing data
• Driven by HIPAA/HITECH compliance for both parties
DUE DILIGENCE/TRUST BUT VERIFY MODEL
• 1-5 written assessments monthly
• Submission of artifacts
• Follow-up questionnaires
• Onsite visits
• Proving downstream vendor compliance
BECOMING A TRUSTED BUSINESS PARTNER - CHALLENGES
PRIVACY & SECURITY ASSESSMENTS ARE TIME/RESOURCE INTENSIVE
• Steady stream of written and on-site assessments (no two are ever alike!)
• Oftentimes not relevant to our business model (CAIQ for example)
• Existing culture shifts burden onto vendor (except large companies like Amazon) to fill out assessment rather than review existing security controls and submit follow-up questions
MANAGING CLIENT EXPECTATIONS
• Resolving differing interpretations of HIPAA requirements, for example:
  – HIPAA/HITECH doesn’t specify a time frame for audit log retention
  – HIPAA/HITECH does not provide specific guidance regarding what content must be logged
BECOMING A TRUSTED BUSINESS PARTNER – CHALLENGES (CONT)
PROVING DOWNSTREAM VENDOR COMPLIANCE
• Responsible for articulating downstream vendor security & compliance
  – For AWS, we use ISO Certification, HIPAA security configurations, SOC 3 report, security control mappings, whitepapers, published information, and more
• Verification of downstream vendor security controls
  – Done through research, assessments, contractual clauses, etc.
ADDRESSING THE CHALLENGES
MOVING TOWARDS AN INDUSTRY-ACCEPTED UNIFIED FRAMEWORK
• Dramatically reduces the number of assessments, eliminates the multitudes of unique artifacts collected on a yearly basis, and shifts the burden of oversight to the certification body
• Defines control parameters (such as audit log retention timeframe and content) based on best practices so that there is less conflict when it comes to interpreting grey areas of the law
• Certification affirms security & compliance of both vendor and downstream vendors
  – Arcadia has chosen HITRUST and its common security framework (CSF)* and is working towards certification by next year.
*The HITRUST CSF “is a certifiable framework that encompasses and harmonizes several other compliance frameworks and standards including HIPAA, HITECH, PCI, ISO/IEC, COBIT, NIST RMF and varying state requirements.”
VENDOR RISK MANAGEMENT PANEL
November 3, 2017
Gary S. Roboff, Senior Advisor
© 2017 The Santa Fe Group, Shared Assessments Program. All Rights Reserved. 20
The Shared Assessments Program
Thought Leadership
• Industry Agnostic
• Member-driven
• Annual Third Party Risk Management Summit
Training and Certification
• More than 650 third party risk professionals trained since 2015 (CTPRP)
Resources: Research Studies, White Papers, Webinars, Workshops, Assessment Tools
• Actionable, enterprise-wide solution-building
• Industry and technology specific peer working groups
• Examine the entire TPRM Landscape
• Assessment Tools up-to-date with regulations and threat landscape
• Licensees incorporate SA Program Tools to deliver effective ERM solutions to their clients
Outsourcing Risks
Assertion Statements
SIG Privacy Tab Example:
P.2 For Scoped Data, is personal information about individuals transmitted to or received from countries outside the United States? If yes, list the countries.
P.2.1 Is information directly collected and used about individuals?
P.2.2 Are notices provided (and where required, consents obtained) when information is directly collected from an individual? If yes, describe.
P.2.3 Are there documented policies and operating procedures regarding limiting the personal data collected and its use?
P.2.4 Are there policies and operating procedures for onward transfer of Scoped Data? If yes, describe.
P.2.5 Is Safe Harbor/Privacy Shield status maintained with the Department of Commerce with respect to the data protection applicable to the European Union, or another legitimizing method such as Model Contracts?
P.2.6 If customer data is directly collected from individuals, does the customer have the ability to opt out?
P.2.7 If customer data of individuals is retained, are there processes and procedures to enable individuals to access, correct, amend, or delete inaccurate information?
P.2.8 Are there documented policies and procedures for cross border data flows of Scoped Data to the US from other countries? If yes, list the countries.
Virtual Assessments
• Emerging Alternative to On-Site Assessments
• Hosted by Third Parties, Either:
  – Regularly, as scheduled by third party (e.g., quarterly)
  – As defined by contract (often annually), typically outsourcer determines timing
• Remotely Connected to Third Party; Vendor Demonstrates Controls, Shows Evidence, etc.
• Assertion Statement Due Diligence/Control Test Results
• Most are Interactive by Design
• Significantly Less Expensive for Both Outsourcer and Vendor
• Yields Perhaps 80% Value Compared to an On-Site Visit
  – May not be appropriate for all mission-critical situations
Onsite Control Testing
AUP Privacy Test Procedure Example
• P.4 Third Party Privacy Agreements
  – Objective: All entities that access, process or store client-scoped privacy data can be a risk to an organization or its clients. Management should ensure that all agreements with third parties contain specific clauses to ensure scoped privacy data is protected and that certain other privacy requirements are included.
  – Risk Statement: The absence of privacy agreements with third parties where data is shared may lead to misunderstandings in protection, disclosure and compliance, as well as loss of legal standing, in case there is a disclosure or breach.
  – Control: Privacy agreements detail privacy and protection requirements between the organization and its third parties that have access to scoped privacy data.
  – Procedure:
    a. Using the sample of third parties from the list obtained in P.1 Scoped Privacy Data Inventory and Flows, obtain from the organization and selected third parties, via the organization, the privacy and security portions of the agreement with the organization in place for providing services and a representative sample of third party privacy and security sections of the agreements from each third party.
    b. Inspect each agreement chosen in the sample for evidence of the following attributes:
      1. Third party requirement to protect all scoped privacy data and protected scoped privacy data.
      2. Third party requirement to document the flow of scoped privacy data within its organization and to those third parties with whom it shares scoped privacy data.
      3. Third party requirement to process scoped privacy data in accordance with the agreement.
      4. Etc.
Continuous Monitoring
Continuous third party risk monitoring is a real-time (or close to real-time) risk management approach designed to improve organizational awareness related to third party risks and potential control weaknesses as they emerge.
| Area | Activity Being Monitored | Risk Addressed |
|---|---|---|
| Information Technology | Change Management, Network Connectivity | Device Connectivity, Identity Management, Penetration Testing |
| Information Security | Cyber Hygiene, Patch Management | Confidentiality, Integrity, Availability, Data Leakage, Vulnerability Exposure |
| Privacy | Data Obfuscation/Encryption, Data Protection | Cross Border Data Flows |
| Human Resources | Employee Due Diligence, Background Checks, Access Management | Insider Threats, Social Engineering, Unauthorized Access |
Vendor Risk Management Model Maturity Levels
Level 5 Continuous improvement - Organizations that strive toward operational excellence, understand best-in-class performance levels and implement program changes to achieve them through continuous improvement processes.
Level 4 Fully implemented and operational – Organizations in which vendor risk management activities are fully operational and all compliance measures (including metrics reporting and independent oversight) are in place.
Level 3 Defined and established – Organizations with fully defined, approved and established vendor risk management activity, where activities are not yet fully operational and where metrics reporting and enforcement are lacking.
Level 2 Approved road map and ad hoc activity – Organizations which perform third party risk activity on an ad hoc basis, but have a management approved plan to structure the activity as part of an effort to achieve full implementation.
Level 1 Initial visioning and ad hoc activity – Organizations which perform third party risk management activities on an ad hoc basis, but are considering how to best structure third party risk activities as part of an effort to achieve full implementation.
Level 0 Start-up or no TPRM activity – New organizations beginning operations or organizations with no existing vendor risk management activities.
Board Engagement Correlates With Practice Maturity, Yet Most Boards Are Not Highly Engaged
| Practice Maturity Level | High engagement/understanding by the board | Medium engagement/understanding by the board | Low engagement/understanding by the board |
|---|---|---|---|
| Eight Category Average | 3.6 | 3.0 | 2.5 |

| How engaged is your board of directors with cybersecurity risks relating to your vendors? | 2017 | 2016 |
|---|---|---|
| High level of board engagement/understanding | 29% | 26% |
| Medium level of board engagement/understanding | 39% | 37% |
| Low level of board engagement/understanding | 25% | 27% |
Source: 2017 Vendor Risk Management Benchmark Study, forthcoming, © 2017 by The Santa Fe Group, Shared Assessments Program, and Protiviti, Inc.
De-risking: Exiting High Risk Relationships
Over the next 12 months, what is the likelihood that your organization will move to exit or "de-risk" third-party relationships that are determined to have the highest risk?
Extremely Likely 14%
Somewhat Likely 39%
Somewhat Unlikely 24%
Not at all Likely 13%
Don’t Know 10%
Which of the following are reasons why your organization may be more inclined to exit or "de-risk" certain third-party relationships? (Multiple responses permitted.)
It's become imperative from a risk and regulatory standpoint to also assess our vendors' subcontractors 48%
The cost associated with assessing our vendors properly is becoming too high 29%
We lack the internal support and/or skills for the required sophisticated forensic control testing of our vendors 24%
We will not receive sufficient internal support to "de-risk" our third party relationships 18%
We do not have the right technologies in place to assess vendor risk properly 15%
Source: 2017 Vendor Risk Management Benchmark Study, forthcoming, © 2017 by The Santa Fe Group, Shared Assessments Program, and Protiviti, Inc.
Hot Topics
• GDPR
• Fourth Parties
• IoT
• Open Source Software
• Cloud
• De-Risking
• Resources
• Assessment Costs
• New York State Cyber Regs
Questions
Vendor Risk Management: GDPR Implications for Vendor Management
GDPR Implications for Vendor Management
• GDPR requires implementing a comprehensive vendor management program
  – Vendor due diligence and audits
• Controllers may only use processors providing “sufficient guarantees” of their abilities to implement technical and organizational measures necessary to meet GDPR requirements (Art. 28)
• Existing vendor agreements must also be reviewed
  – Consider conducting a Data Protection Impact Assessment (“DPIA”) prior to engaging a vendor (Art. 35)
  – Long list of mandatory data processing provisions (Art. 28)
  – Restrictions on sub-contracting (only with controller’s prior consent and on same terms) (Art. 28)
  – GDPR’s direct compliance obligations and enhanced liability force processors to change their approach to data privacy compliance
GDPR Implications for Vendor Management (cont.)
• Vendor contracts should include (Art. 28):
  – Details of data processing (e.g., subject-matter, duration, nature and purpose of processing, types of data, categories of data subjects)
  – Processing only on controller’s documented instructions (including international data transfers)
  – Individuals processing data must be subject to duty of confidentiality
  – Requirements to implement adequate security for processing
  – Assist controller to comply with data subject rights (e.g., right of access, data portability, right to erasure (“right to be forgotten”), etc.)
  – Assist controller in reporting data breaches and performing DPIAs
  – Requirement to return or delete data after processing/end of the agreement
  – Requirement to respond to controller’s information request and submit to controller’s audits
  – Restrictions on engaging sub-processors
Thank You