Risk management, compliance, and security are a shared burden between your organization and your vendors. Standards such as NIST SP 500-292 and regulations like HIPAA and PCI DSS provide considerations for compliance and security but do not account for the nuances of your unique business or your infrastructure. Guidelines are written as though one party is responsible for compliance and security, but you rely on multiple vendors. Outsourcing can lead to ambiguous delegation of compliance responsibilities, weak data governance and security practices, and difficulty in achieving data protection, ultimately risking non-compliance and leaving your infrastructure vulnerable.
Join our expert panel as they share insights into closing the gap on who’s responsible for what in data security and best practices for improving your security posture.
Takeaways:
Who owns the responsibility of compliance and security?
How to find and mitigate hidden risks in a 3rd party ecosystem
How to map your requirements to owners, policies, and controls
Expert recommendations for PCI, HIPAA, FERPA, FISMA and more.
2. Agenda
• Introduction
• Compliance and Security Landscape
• Evolution to a 3rd Party Ecosystem
• Data Risks and Challenges
• Deep Dive Into Shared Responsibilities
• Best Practices
• Q&A
3. Speakers
Chad Kissinger
Founder
OnRamp
OnRamp is a leading HITRUST-certified data center
services company that guides businesses through
the complexities of data security and compliance.
Our solutions help organizations in healthcare,
financial services and education services meet
compliance standards.
OnRamp operates multiple enterprise-class
SSAE16/AICPA SOC 2 Type 2 and SOC 3 data
centers, where we deploy hybrid computing
solutions that enable our customers to blend
secure cloud computing, managed hosting, and
colocation service to best meet their unique
requirements. Our team’s consultative approach
helps you develop the right mix of solutions to
free your resources to focus on agility and
differentiation in your industry.
4. Speakers
Maria Horton
CEO
EmeSec
EmeSec uses cybersecurity and privacy practices to
build competitive advantage in today’s connected
world for clients.
Our intuitive, adaptive and game-changing
solutions are designed to help organizations
protect their reputation and growth engines while
harnessing the power of security and automated
technologies. The company is an accredited Third
Party Assessor (3PAO) under the Federal Risk and
Authorization Management Program (FedRAMP).
EmeSec Incorporated is a Woman-Owned Service
Disabled Veteran Owned Small Business (SDVOSB),
founded in 2003. EmeSec holds certifications in ISO
9001:2015, ISO 20000-1:2011, ISO/IEC 27001:2013,
ISO/IEC 17020:2012.
5. Speakers
Michael Casey
Managing Director & Chief
Payments Officer
EPMG Advisors
EPMG Advisors was founded in 2008 with
the purpose of providing clients the best
payments management and advisory
services with boutique customer care. Our
firm is driven to provide our clients with the
understanding and ability to build and
maintain a truly transparent payments
environment.
Whether your objective is to identify new
opportunities for growth or to maximize
profits from existing operations, EPMG
Payment Advisors can deliver the
enterprise-wide solutions you require.
6. Current Landscape
The average consolidated cost of a data breach reached $3.62 million in 2017 (Ponemon Institute, Cost of Data Breach Study: 2017 Global Analysis).
The risk of non-compliance is significant. Ignorance is not excused: Pennsylvania-based CardioNet agreed to a $2.5 million OCR HIPAA settlement stemming from improper safeguards of electronic protected health information (ePHI) on a mobile device (https://healthitsecurity.com/news/mobile-security-at-center-of-2.5m-ocr-hipaa-settlement).
50% of organizations don’t know who has access to their data, how they’re using it, or what safeguards are in place to mitigate a security incident.
7. Evolution to 3rd Party Ecosystem
C-LEVEL RESPONSIBILITIES: Multi-Vendor Management; Agility and Responsiveness; Retaining Talent; Patient or Customer Engagement; Team Skillsets; Cybersecurity; Managing Budgets; Ability to Innovate & Differentiate
Leadership offloads their IT infrastructure and computing needs in order to:
• Increase Operational Efficiency
• Rely on Subject Matter Experts
• Gain a Competitive Advantage
• Reduce Costs
8. Where is the Breakdown?
Compliance regulations are written as though one party is responsible for compliance and security.
THE PLAYERS: Regulators, Leadership, Talent, Providers/Suppliers
9. Data Risks and Top Challenges with Shared Responsibilities
THE FUMBLES
• Confusing Guidance
• Insufficient Policies and Processes
• Unclear Roles and Responsibilities
• No Accountability
• Lack of Due Diligence (Choosing & Monitoring 3rd Parties)
• Insufficient Technology
10. Guidance is Not Prescriptive
THE PLAYBOOK: GOVERNING BODIES AND FRAMEWORKS
• HIPAA: Office for Civil Rights (OCR); Security Rule; Breach Notification Rule (www.hhs.gov)
• PCI Data Security Standards (DSS) (https://www.pcicomplianceguide.org/faq/)
• U.S. Department of Education: FERPA (20 U.S.C. § 1232g; 34 CFR Part 99) (https://www2.ed.gov/)
• FISMA; FedRAMP; The Privacy Act
• NIST publications (800-145, 800-66, 800-52); FIPS 140-2; Cloud Council
Guidance is vague and up for interpretation (e.g. “reasonable and appropriate” measures for HIPAA).
Certain regulations do not require or recognize audits or certifications (e.g. FERPA).
11. Establishing the Right Policies and Processes
Symptoms
• Aren’t able to determine the number of 3rd parties with access to confidential information.
• Lack of confidence in third parties’ data safeguards, security policies and procedures.
• Rarely conduct reviews of vendor management policies and procedures to ensure they address 3rd party data risk.
• Rely on contractual agreements instead of audits and assessments to evaluate the security and privacy practices of their vendors.
Standard Policies
• Information Classification Policy
• Risk Management Policy
• Information Systems Security Policy
• Ongoing Management
• Clearly Defined Roles
12. Why Are Companies Unable to Determine Who Has Access to Their Data?
• No accountability for 3rd party risk management
• No one department or function owns this responsibility
• Not a priority
• Lack of resources to track third parties
• Complexity in vendor relationships
• Frequent turnover in partners
Ponemon Institute, Data Risk in the Third Party Ecosystem
13. Roles, Responsibility, & Accountability
Senior leadership and boards of directors are rarely involved in third-party risk management.
36% of CEOs play a key role in security & compliance strategy.
79% of CEOs cited over-regulation as a top threat to their organizations’ growth.
Only 16% of respondents indicated that they view their CEO as the compliance and ethics champion at their organizations.
PwC State of Compliance 2016
15. Shared Responsibility Varies by Model
Matrix of responsibility by service model (Colocation, IaaS, PaaS, SaaS) for each control area: Data Classification, End-point Protection, Identity & Access Management, Application Controls, Network Controls, Infrastructure, Physical Security. Each cell is marked Customer, Provider, or Both Parties; of the 28 cells, 12 are Customer, 9 Provider and 7 Both Parties. Responsibility shifts from the customer toward the provider as you move from colocation to SaaS, while Data Classification stays with the customer under every model.
16. Accountability and Ownership
Organizations admit they are sharing sensitive data with third
parties that might have poor security policies.
Ponemon Institute, Data Risk in the Third Party Ecosystem
Figure 2: Perceptions about vendors’ security policies and procedures
17. Beware of These 3rd Party Risk Indicators
• Turnover of the vendor’s key personnel
• IT glitches, operational failures and stoppages
• Outdated IT systems and equipment
• History of frequent data breach incidents
• Legal actions against the vendor
• Poorly written security and privacy policies and procedures
18. Case Studies
• Target breach due to HVAC vendor hack. Ultimately, two-factor authentication and anti-malware would have mitigated the breach.
• Hackers breach Equifax’s portal, stealing W-2 data. Only a PIN code was used to protect sensitive data.
• Uber pays hackers $100,000 to hide year-old breach of 57 million users. Hackers accessed a private repository on GitHub, a third-party code-hosting site used by Uber software engineers, and used credentials found there to reach Uber data stored with Amazon Web Services. Employee training on keeping secrets out of source repositories could have prevented it.
Sources: ZDNet, Forbes.com, USAToday.com
19. Best Practices: Risk Management Life Cycle
PLANNING → DUE DILIGENCE → CONTRACT → ONGOING MONITORING → TERMINATION, with OVERSIGHT AND ACCOUNTABILITY spanning every stage
20. Best Practices: Technology, People, Processes
1 - Risk Assessment; 2 - Assign Owners; 3 - Vendor Security Alignment
Technology
• Data encryption in transit and at rest
• Firewalls
• Multi-factor authentication
• Cloud encryption
• Audit logs showing access to data
• Vulnerability scanning, intrusion detection/prevention
• Hardware and OS patching
• Security Audits
• Contingency Planning
People & Processes
• Audit operational and business processes
• Audit access management
• Enforce privacy policies
• Ensure cloud networks and connections are secure
• Evaluate security controls: physical infrastructure and facilities
• Data decommissioning process
• Be prepared for incidents
21. Best Practices: Choosing a Vendor
• Understands Your Business Goals
• Credentials & Certifications
• Service Level Agreements (SLAs) & Business Associate Agreements (BAAs)
• Security
• Availability & Scalability
• Expertise in Your Industry
Chad
Provide insights into risk management governance. What are the obstacles? Budget, resources, knowledge, etc.
Maria
Discuss differences and similarities in the landscape among the industries you serve. Discuss top threat sources.
Michael
Discuss the cost of compliance versus non-compliance. Remaining non-compliant is not an option. Organizations are on the hook for ongoing penalties until they become compliant. Penalties are not openly discussed nor widely publicized, but they can be catastrophic to a small business.
Chad
Discuss the evolution to a third party ecosystem and how it’s only one of the many challenges executives face. Compliance and security is not their core business.
Third parties are not limited to outsourcing alone, though. Third parties can also be your suppliers. Think about how a large global organization with a massive supply chain could have thousands of supplier relationships with digital entities.
Chad
Compliance regulations are written as though there’s one party responsible, even though there are a number of participants.
Football analogy: it’s like creating a play for one player when there are multiple players, and multiple teams.
Maria
Discuss challenges at a high level.
Continuing the football analogy: it’s as if your coach isn’t telling you what position you’re playing during the game or evaluating post-game recaps to continue to improve your performance. You weren’t given a helmet and have no clue what plays you’re running.
Maria
Discuss the limitations of compliance frameworks. Highlight the fact that they are not prescriptive, but instead are up for interpretation. Discuss regulations that offer certification by a third-party auditor versus those that have no formalized way to prove compliance.
Michael
Discuss PCI DSS requirements and which ones require shared responsibilities with vendors and partners.
Discuss Common misconceptions of the requirements.
Michael
Internal policies and processes are PREREQUISITES to bringing in a 3rd party – you must have those in order prior to adding the complexity of external parties. When your organization doesn’t have a baseline of standards, you open your organization up to vulnerabilities. If you suspect you don’t have the right policies and procedures in place, chances are you are right – and you won’t have control or confidence over your security internally or when exchanging data with providers. You must not only develop policies and processes, but also enforce them.
Highlight the fact that organizations are unable to determine who has access to their information and that they rely on contractual agreements for peace of mind (1st and last symptom).
Michael
Maria
Discuss the stats from the State of Compliance 2016 report.
Most boards and executives perceive compliance and security to be important to their organization’s growth and well-being, but the majority of them are not involved. They do not play a key role in the strategy or execution of the plans that maintain risk management. This disconnect impacts employee perception of senior leadership’s role in their organizations’ compliance programs, as only 16% of respondents indicated their employees view the CEO as the compliance and ethics champion at their organizations.
Maria
Discuss who is responsible for what across departments. Operations, Security, Compliance, and IT take the lead on strategy, information custodians (i.e. Database Administrator) control access to the data, and information owners can be in any department. Everyone plays a part in reducing vulnerabilities, reporting possible security incidents, etc.
Chad
Discuss how security is different across different types of infrastructures. Some responsibilities are shared, while others are clearly one or the other party.
Include examples of differences in physical vs virtualized environment security.
Chad
Organizations admit they are sharing sensitive data with vendors and suppliers that have poor security, but they also aren’t doing anything about it. In Ponemon’s 2017 Data Risk Survey, 58% of organizations stated that it’s not possible to determine if their 3rd parties have sufficient safeguards.
Only 1/3 of organizations perform frequent reviews of vendor management policies to make sure they address the changing landscape. And about 38% of organizations have no tracking methods for their risk management program, internally or externally.
Michael
Discuss the warning signs of a 3rd party that is struggling with its own security measures and will likely put you at risk, too. It’s not impossible to determine, contrary to what some organizations indicate across studies.
Michael
Target breach due to HVAC vendor hack: HVAC vendor did not use appropriate anti-malware software or two-factor authentication for contractors, leaving a backdoor open to Target’s network.
Hackers breach Equifax’s portal, stealing W-2 data: The trouble stemmed from TALX, an Equifax subsidiary that provides online payroll, HR and tax services. Hackers were able to reset the 4-digit PIN given to customer employees as a password and then steal W-2 tax data after successfully answering personal questions about those employees. The PIN was the only security measure put in place.
Uber pays hackers $100,000 to hide year-old breach of 57 million users. Hackers accessed Github.com, a third-party cloud storage website used by Uber software engineers. Employee training could have prevented passwords from being on a public forum.
Sources:
http://www.zdnet.com/article/anatomy-of-the-target-data-breach-missed-opportunities-and-lessons-learned/
https://www.forbes.com/forbes/welcome/?toURL=https://www.forbes.com/sites/thomasbrewster/2017/09/08/equifax-data-breach-history/&refURL=https://www.google.com/&referrer=https://www.google.com/
https://www.usatoday.com/story/tech/2017/11/21/uber-kept-mum-year-hack-info-57-million-riders-and-drivers/887002001/
Maria
Discuss the risk management lifecycle. Review the lifecycle and draw particular attention to documentation and audit-prep, as it’s not enough to be compliant and secure—you must have proof of your efforts:
Documentation
To address the risk, companies should have an inventory of all third-party vendors.
In your contracts with 3rd party vendors, make sure you address how your information is being accessed and processed, including by parties with whom you have no direct relationship – aka a 4th party.
Audits
‘Weakest Link’ Attack Methodology: An attacker does not want to spend a great deal of time looking for a way into a target network. The objective is to obtain entry, gather valuables, and abscond in a minimal timeframe.
Chad
Develop a strong compliance and security posture within your organization (policies, processes, technology). Discuss the ideal strategy and highlight a few of the most important aspects.
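Two of the recurring points above, the slide-15 responsibility matrix and the vendor inventory that must reach 4th parties, can be turned into checks you actually run. The example below is added here and is not code from the webinar deck or from any of the speakers’ firms. The matrix cell values, the vendor names and the sub-processor links are assumed sample data for illustration; for a real engagement the provider’s own responsibility matrix and your contract inventory supply them. The gap check deliberately refuses to count a contract clause as evidence: a cell marked Both Parties is only closed when the provider’s attestation covers it and your organization has a named owner for it.

```python
"""Two checks from the talk, as runnable code: (1) a shared-responsibility
matrix with a gap check that requires *evidence* for every cell, not just a
contract clause; (2) a vendor inventory walked transitively to surface 4th
parties. Matrix values, vendor names and sub-processor links are ASSUMED
sample data for illustration, not figures from the deck."""
from collections import deque

MODELS = ("colocation", "iaas", "paas", "saas")
CONTROLS = (
    "data_classification", "endpoint_protection", "identity_access_mgmt",
    "application_controls", "network_controls", "infrastructure",
    "physical_security",
)
# One tuple per control, one cell per model in MODELS order. Assumed values.
MATRIX = {
    "data_classification":  ("customer", "customer", "customer", "customer"),
    "endpoint_protection":  ("customer", "customer", "customer", "both"),
    "identity_access_mgmt": ("customer", "customer", "both", "both"),
    "application_controls": ("customer", "customer", "both", "provider"),
    "network_controls":     ("customer", "both", "provider", "provider"),
    "infrastructure":       ("customer", "provider", "provider", "provider"),
    "physical_security":    ("provider", "provider", "provider", "provider"),
}


def owner(control, model):
    """Who the matrix makes responsible for `control` under `model`."""
    return MATRIX[control][MODELS.index(model)]


def uncovered_controls(model, provider_attested, customer_owned):
    """Return (control, reason) pairs with no evidenced owner under `model`.

    provider_attested: controls explicitly in scope of the provider's audit
      report (e.g. a SOC 2 Type 2). customer_owned: controls for which your
      organization has a named owner. A cell marked 'both' needs evidence on
      both sides; a contract clause alone counts as no evidence.
    """
    gaps = []
    for control in CONTROLS:
        who = owner(control, model)
        need_provider = who in ("provider", "both")
        need_customer = who in ("customer", "both")
        missing = []
        if need_provider and control not in provider_attested:
            missing.append("provider attestation")
        if need_customer and control not in customer_owned:
            missing.append("customer owner")
        if missing:
            gaps.append((control, f"{who}: missing " + " and ".join(missing)))
    return gaps


# Constructed sample inventory: each vendor -> the parties it hands your
# data to. Entries you did not contract with directly are your 4th parties.
SUBPROCESSORS = {
    "payroll-saas": ["cloud-iaas", "email-relay"],
    "cloud-iaas": ["colo-facility"],
    "email-relay": ["cloud-iaas"],   # a cycle: the walk must not loop forever
    "colo-facility": [],
    "hvac-contractor": [],
}


def data_reach(direct_vendors, graph=SUBPROCESSORS):
    """Breadth-first walk from your direct (3rd-party) vendors to every party
    that can reach the data. Returns {vendor: hops}; hops == 1 is a 3rd party,
    hops >= 2 a 4th party or further. Cycles are handled by the visited set."""
    reach = {}
    queue = deque((v, 1) for v in direct_vendors)
    while queue:
        vendor, hops = queue.popleft()
        if vendor in reach:          # already reached by a shorter path
            continue
        reach[vendor] = hops
        for sub in graph.get(vendor, []):
            queue.append((sub, hops + 1))
    return reach


def fourth_parties(direct_vendors, graph=SUBPROCESSORS):
    """Parties that touch your data without a direct contract with you."""
    reach = data_reach(direct_vendors, graph)
    return sorted(v for v, hops in reach.items() if hops >= 2)


if __name__ == "__main__":
    attested = {"application_controls", "network_controls",
                "infrastructure", "physical_security"}
    owned = {"data_classification", "endpoint_protection"}
    for control, why in uncovered_controls("saas", attested, owned):
        print(f"GAP {control}: {why}")
    print("4th parties:", fourth_parties(["payroll-saas", "hvac-contractor"]))
```

Feed `uncovered_controls` the control list from the provider’s audit report rather than from its sales deck; anything the report leaves out is a gap you own until proven otherwise. The hop count from `data_reach` is a useful sort key for due diligence: the further a party is from your contract, the less visibility you have and the more the contract with the 3rd party has to say about it.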