
Preview: 2018 Shared Assessmen...

Jenny Burke 12-13-2017

As we near the end of 2017, we are looking forward to the release of the 2018 Program Tools in January. The Tools follow a “Trust, but Verify” approach to conducting third party risk management assessments and are an important component of the Shared Assessments Framework, which helps set standards and, through those standards, bring efficiency to third party risk management. The Shared Assessments Program Tools are developed using the collective intelligence of member organizations. Our members bring their expertise in cybersecurity, risk management and privacy, as well as their knowledge of the regulatory landscape and specific vertical industry needs, to the development of the Tools, which are updated regularly to keep them current and effective.

The 2018 Program Tools will include:

  • 2018 Standardized Information Gathering (SIG) Questionnaire;
  • 2018 Shared Assessments Standardized Control Assessment (SCA) procedures (Formerly the Agreed Upon Procedures (AUP));
  • 2018 Vendor Risk Management Maturity Model (VRMMM); and
  • The new General Data Protection Regulation (GDPR) Tool Kit

SIG Enhancements:

We are excited about a new capability in the 2018 SIG: a Scoping Tab that allows multiple ways to customize the SIG for a company’s individual needs. The Scoping Tab will allow for a SIG LITE, a FULL SIG, and a new CORE SIG designed for assessing service providers that run business-critical functions, data and systems. The CORE SIG has 30% fewer questions than the FULL SIG and was created to meet the needs of most assessments. In addition, content changes were made to reflect the current regulatory and threat environment, including the European Union (EU) GDPR privacy rules, and the total number of questions was reduced by removing duplication and redundancy.

Standardized Control Assessment (SCA):

To better communicate the function of the “Verify” portion of our “Trust, but Verify” approach, the procedures formerly titled Agreed-Upon Procedures (AUP), used for performing onsite assessments, have been renamed the Standardized Control Assessment (SCA) procedures. They were thoroughly reviewed and reorganized to align more closely with the SIG.

VRMMM:

The VRMMM will continue to allow companies to benchmark the maturity of their third party risk programs. It is also the basis of the recently released annual Vendor Risk Management Benchmark Study, which allows Shared Assessments and Protiviti to analyze third party risk program maturity across verticals and over time.

We will continue to offer the VRMMM free as a tool to assist the industry.

GDPR: Data Processor Privacy Tool Kit

This new and important tool set provides guidance for Data Processors subject to the European Union (EU) General Data Protection Regulation (GDPR) 2016/679, whose requirements become enforceable on May 25, 2018. The Tool Kit contains tools, checklists and templates to help organizations evaluate their readiness and the maturity of their controls against GDPR privacy requirements. These tools are free and can be used as a standalone privacy assessment or incorporated into a comprehensive Vendor Risk Management program. Download the GDPR: Data Processor Privacy Tool Kit.

Availability

Release of the 2018 Program Tools is slated for late January 2018. The Tools are free to Shared Assessments Program members, or you can purchase the Complete Bundle (all tools above) for $9,000. You may also purchase the standalone version of the SIG for $7,000 or the  SCA for $6,000. If there are any questions about the tool or membership, please contact us.

5 Steps to Take Now to Protect...

08-03-2017

Shared Assessment’s just published Ponemon research report The Internet of Things (IoT): A new Era of Third Party Risk provides a great snapshot of current IoT Risk management both within an organization’s four walls and with the third parties that so often support mission critical activities.

Many of the report’s findings are troublesome: the lack of Board understanding about IoT in the context of both in-house and third party risk management; the lack of an integrated approach to IoT risk management; even the lack of some of the most basic elements required to build an effective IoT risk management program, such as having a complete inventory of IoT devices (only 16% of respondents said they had such an inventory). Those findings come despite the recognition that security incidents related to IoT devices or applications could be catastrophic (94% of survey respondents said they thought such a result could emerge within two years).

What are the consequences of such a large gap between recognized IoT risks and an ability to effectively mitigate them? What are the key steps required to close that gap?

Last October’s headline-making IoT-based DDoS attack was a small sample of what the future may hold. That attack disrupted a number of websites, including Twitter, Netflix, PayPal, Verizon and Comcast, and was orchestrated by the Mirai botnet. That botnet employed “tens of millions” of malware-infected devices connected to the internet (Bloomberg, October 21, 2016).

The Internet of Things report’s key findings provide important insight on how the state of IoT security will play into the evolving threat landscape as the number of IoT devices expands over the next few years.

The Internet of Things results are strongly indicative of a low level of IoT risk management maturity: only 30% of respondents reported that managing third party IoT risks is an organizational priority; only 27% of respondents said their organization allocates sufficient resources to manage third party IoT risks; and only 25% reported that their governing board required assurances that third party IoT risk was being assessed, managed and monitored appropriately. Only 31% of organizations regularly report to the CEO and board on the effectiveness of their third party risk management program. Why?

More than half of respondents said the effectiveness of their organization’s third party risk management program was not a priority for the board and CEO. Perhaps even more disturbing is the perception (by 56% of respondents) that it is not possible to determine whether third party safeguards and IoT security policies are sufficient to prevent a data breach. This last finding suggests that many respondents don’t understand what a mature IoT risk management environment would comprise.

The sheer magnitude in the expected growth of IoT devices suggests that a high degree of automation is vital to effective IoT risk management. Industrial firms have had a focus on Operational Technology (OT) for years because of its essential nature in the production process. What is OT? Gartner defines operational technology as “hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in the enterprise.”

For those outside organizations where industrial device control has been a longstanding requirement, the importance of operational technology security may not be second nature. That will change as IoT security concerns emerge, and we’ll rapidly see a security environment where information security, IT security, OT security and physical security require close coordination to achieve effective risk mitigation. One key question is how quickly that convergence will occur, and there is ample evidence to suggest that here too we’re early in that maturity process.

Source: Gartner, 2015

No matter how the IoT security ecosystem evolves, there are steps organizations can take now to protect against emerging IoT threats. The most important are these:

  1. Ensure that third-party and IoT risk management processes are defined and operational at all governance levels, up to and including the board.
  2. Update asset management processes and inventory systems to include IoT devices, and understand the security characteristics of all inventoried devices. When devices are found to have inadequate security controls, replace them.
  3. Enhance third party contracts and policies to include IoT-specific requirements.
  4. Expand third party assessment techniques and processes to ensure the presence and effectiveness of controls specific to IoT devices.
  5. Develop specific sourcing and procurement requirements to ensure that only IoT devices designed with appropriate security functions included and enabled are considered for product selection and acquisition.

For more than four decades, Gary Roboff, Senior Advisor, The Santa Fe Group, has contributed his outstanding talents to financial services planning and management, including 25 years at JP Morgan Chase, where he retired as Senior Vice President of Electronic Commerce. Gary has worked extensively in electronic payments, payments fraud, third party risk management, privacy and information utilization, as well as business frameworks and standards for electronic commerce applications.

Best Practices in Third Party ...

07-07-2017

Part 3 in a series with Kenneth Peterson, Chairman and CEO, Churchill & Harriman

Q. What does the annual Shared Assessments Summit deliver to its audience to further propel education and awareness in healthcare security?

R. “The Shared Assessments Summit brings together senior risk executives to share best practices and latest insights on managing third party risk across the security, healthcare, financial services, transportation and government markets. This annual gathering and the conversations we have among peers throughout the year are tremendously important in helping us stay vigilant and focused on continuously improving the safety and security of our client’s most critical information. We’re excited to serve and collaborate with those we met at the 2017 Summit and help them with their risk management and third party vendor programs.”

Q. Tell me about some of the things you’re working on?

R. We continue to be very privileged to serve a wide array of very discerning clients and to collaborate with an incredible group of people. The depth and breadth of the issues we grapple with each and every day continue to become more and more complex. Therefore, it is incumbent on C&H to constantly hone the techniques we apply for our clients. These techniques have a measurable bearing on our client’s inward facing and outward facing cybersecurity risk management program. We’re able to then replicate those techniques as is appropriate for other clients.

Q. Where does Churchill & Harriman fit into the healthcare security market?

R. “Churchill & Harriman (C&H) is a leading provider of cybersecurity risk management and third party risk assessment services to the healthcare industry as well as the financial services, transportation and ecommerce markets. Certain results that C&H contributes to are formally recognized by the U.S. Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), the U.S. Department of Health and Human Services (HHS), the National Health ISAC (NH-ISAC), and the National Directorate of ISACs (NCI Directorate). We’re privileged in that our tools, talents and techniques are being leveraged across industry. Working closely with our partners at Prevalent, Churchill & Harriman is further serving the collective good, providing third party risk management services that benefit the entire health care community.”

Q. Help me finish this sentence… if a healthcare organization could only focus on 1-2 critical items for safeguarding their data and operations moving forward, they should…
R. “Focus on the implementation and maintenance of a Threat and Vulnerability Management program that enables the organization to acquire and retain a thorough understanding of the threats to their information and operations, the vulnerabilities that those threats can exploit, and the probability of occurrence so that resources can be appropriately managed. Over time threats change, vulnerabilities can change quickly, and probabilities are never static. Therefore, the program must have the ability to take advantage of real time sources of accurate intelligence and information as well as continuous monitoring of their environment so that changes to policy, processes and technology do not fall behind and expose the organization to adverse results.”

Ken Peterson is a recognized leader in developing and implementing cybersecurity risk management strategies and solutions. Under Peterson’s stewardship, C&H has optimized enterprise risk governance programs, executing thousands of third-party risk assessments globally since 1997. C&H risk management work has been formally recognized by the U.S. Department of Homeland Security, the Federal Bureau of Investigation, the U.S. Department of Health and Human Services, the National Health ISAC, and the National Directorate of ISACs. In partnership with Prevalent, Inc., C&H has been formally selected by the NH-ISAC to perform certain third-party risk management services on behalf of their Members.

C&H is an Assessment Firm Member of the Shared Assessments (SA) Program, actively contributing to the Shared Assessments Agreed Upon Procedures (AUP), the Standardized Information Gathering (SIG) questionnaire, the Technical Development Committee and public outreach programs. Peterson is privileged to serve on the Shared Assessment Program’s Steering Committee and governing Advisory Board. Peterson additionally serves as the formal liaison between these two bodies.

To Learn more about C&H, please email info@chus.com.

Internet of Things (IoT) and T...

In our digital age, everything is connected. Cars can drive themselves, planes can fly themselves, and your refrigerator can use the internet to tell you that you are out of milk and eggs while you are at the grocery store. The era of connectivity and immediacy of data has created a new worldwide web out of ordinary everyday devices. The concept of the “Internet of Things,” or IoT, has created functionality and convenience, but it can also introduce new risks to our ecosystem.

Common definitions of IoT include (from Wikipedia) “the interconnection via the Internet of computing devices embedded in everyday objects, enabling them to send and receive data” and (from OWASP), “the proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data”. IoT is a game changer to consumerism, but also a game changer to the hacktivist. It changes our thinking about risk in typically non-risky areas of our lives, or of our workplace.

Identifying risks in the IoT ecosystem and managing or mitigating them can be daunting for the risk professional. The usual tests of criticality, materiality, and critical infrastructure don’t map cleanly when the risk sits in a seemingly benign system or device. Dealing with these risks affects not only the organizations that leverage the technology; it also requires organizations to adapt their viewpoints on third party risk.

This past month a joint research project by the Ponemon Institute and the Shared Assessments Program was released, focused on the Internet of Things: A New Era of Third-Party Risk. The report highlights are shown in this infographic. The number of connected devices is expected to double in two years, creating more challenges in monitoring and containing risk. Key themes that emerged from the survey show the concerns risk professionals face:

  • 78% believe loss or theft of data could be caused by IoT
  • 76% think a cyber-attack could be executed through IoT
  • 69% of risk managers don’t regularly report to the C-Suite and Board the effectiveness or maturity of third-party risk oversight programs.

Enabling security for IoT requires a multi-layered approach. Not all organizations treat IoT devices as endpoints, so the devices may not be monitored, inventoried, or tracked through asset management. Technology will evolve, and so must the controls. Key areas of focus for maturing IoT risk management include:

  • Integrate IoT into third party risk management reporting
  • Enhance asset management processes and inventory systems
  • Assess contracts and policies
  • Expand third party controls to identify risks/controls unique to IoT devices
  • Broaden security and awareness training to include IoT themes

Web standards have long been developed by industry groups collaborating to improve the world wide web. The OWASP Top 10 threats have been table stakes in securing traditional web applications and eCommerce sites. When I first started in web development and eCommerce, the threats we faced were mild in comparison and complexity to those of our vastly connected world today. The OWASP group has expanded its tool sets and risk focus as IoT has evolved, creating the OWASP Internet of Things Project to provide free tools to industry members on how to assess and address the risks of IoT.

We need to continue to embrace technology; the advances make up for the risks. That simply requires industry collaboration and the evolution of our risk viewpoints and perspectives, to ensure we look at risk, and third party risk in particular, from a multi-dimensional point of view.

The full survey report can be downloaded from www.sharedassessments.org.

OWASP tools can be seen at https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project.

Linnea Solem, Chief Privacy Officer, Vice President Risk and Compliance for Deluxe Corporation, is a former Chair of the Shared Assessments Program. Linnea is a management professional with 20+ years of financial services experience in areas including eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe’s compliance initiatives for Y2K, GLB, Check 21, and Red Flags legislation. You can connect with Linnea on LinkedIn.

Reposted with permission from Deluxe Blogs

Applying a Risk Management App...

jaengen 07-05-2017

Niall Browne is the SVP Trust & Security and CISO, at Domo, a data management platform company. Niall is also the Chair of the “Evaluating Cloud Risk for the Enterprise” white paper produced by the Shared Assessments members.

In the past five years, we have seen tremendous changes in technology, personnel and business practices. Cloud has now become the de-facto industry model for providing computing services. Mobile has become the most common model for accessing data. Cloud platforms are managing billions of Internet of Things (IoT) devices daily, and new exciting developments are evolving, such as microservices, to enable previously unimaginable scalability and efficiencies.

However, with the introduction of enterprise cloud, new audit controls are required to address the use of these new technologies, new service models, and new nuances in how existing audit controls apply to cloud.

The Evaluating Cloud Risk for the Enterprise whitepaper is a Shared Assessment guide that provides step-by-step guidance for enterprise organizations moving their services to the cloud. It assists in helping enterprise organizations create a cloud strategy that will scale across hundreds of their cloud providers, both locally and internationally. I had the privilege of being the chair of this enterprise cloud whitepaper. My role as CISO at Domo, the largest analytics platform in the Cloud and with more than 25% of the Global Fortune 50 companies as customers, enabled me to incorporate some key industry best practices and lessons learned into this whitepaper.

Best Practices for Enterprise Cloud Computing Management

The whitepaper introduces the concept of Common Cloud Controls. These are mature control areas associated with traditional IT service environments that apply equally to cloud-based services. Because these audit mechanisms are considered mature (e.g., anti-virus, background checks, etc.), and there are hundreds of such controls that apply to cloud, organizations can simply use their existing audit vehicles to assess them, such as SOC 2, ISO 27001, the Shared Assessments AUP, etc.

This process should allow an organization to quickly and efficiently evaluate greater than 80% of a cloud provider’s controls, using current audit programs.

This then leaves those control areas that are not typically covered in ISO 27001 or SOC 2 (e.g., multi-tenancy, containerization, etc.). The whitepaper refers to these as Delta Cloud Controls and provides dozens of practical examples of how to effectively incorporate these control areas into an organization’s cloud strategy and audit program.

The Evaluating Cloud Risk for the Enterprise white paper includes the full list of practical recommendations, questions to discuss with cloud providers and lessons learned for cloud-related control domains, but we have summarized the Cloud Control evaluation steps into some key themes to consider:

Data Management:

What are the controls at each of the four main layers? Because all of a public cloud provider’s customers run in the same cloud environment, they share the same infrastructure.

Look at the data segmentation and separation controls at the four main layers: network, physical, system and application, and evaluate the controls at each layer. Cloud data separation controls are typically weaker or non-existent at the physical layer, as there is often no physical separation, so the controls on the other three layers must be far stronger. Pay particular attention to the application controls, since this is the layer where the majority of critical cloud controls will reside.

Also organizations should understand their role and responsibility as the “data controller” and that of the cloud provider as the “data processor.” Misunderstanding who is responsible for what is one of the leading causes of security and privacy incidents.

Determine whether each customer is provided with a unique encryption key or whether encryption keys are shared. Unique per-customer keys are a strong control: even where data is co-mingled in the same database, a record encrypted under one customer’s key is unreadable to another customer. The control is only as strong as the provider’s key management, so also ask where the keys are stored, which provider roles can use them, and whether the customer can hold or rotate its own key.
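As an added example (not code from the Shared Assessments white paper or from Domo), the following Python script shows why the per-customer key question matters. It assumes a single provider-held master key from which one data encryption key per tenant is derived with HKDF, implemented here from hmac and hashlib so the script has no third-party dependencies; because the standard library has no AES, the cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, a demonstration construction only. The tenant names and records are constructed. Rows of every tenant sit in one table; read as tenant `globex`, the per-tenant model opens only globex’s own row, while the shared-key model opens every tenant’s rows.

```python
"""Per-tenant data encryption keys over a shared, co-mingled table.

Added example, not from the white paper. Assumes a provider-held master key;
HKDF and an HMAC-CTR cipher stand in for a KMS and AES-GCM (demo only).
"""
from typing import List, Optional, Tuple
import hashlib
import hmac
import os

HASH = hashlib.sha256
NONCE_LEN = 16
TAG_LEN = 32


def hkdf(master: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with HMAC-SHA256: Extract, then Expand."""
    prk = hmac.new(salt, master, HASH).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def key_for(master: bytes, tenant_id: str, per_tenant: bool) -> bytes:
    """Per-tenant DEK (tenant id bound into the derivation), or, in the weak
    model the white paper warns about, one DEK shared by every tenant."""
    info = tenant_id.encode() if per_tenant else b"shared-by-all-tenants"
    return hkdf(master, salt=b"dek-v1", info=info)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; stands in for AES, which stdlib lacks."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), HASH).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag over (aad, nonce, ct)."""
    nonce = os.urandom(NONCE_LEN)
    enc_key = hkdf(key, b"enc", b"")
    mac_key = hkdf(key, b"mac", b"")
    ks = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, aad + nonce + ct, HASH).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes, aad: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the key, the AAD or the bytes are wrong."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key = hkdf(key, b"enc", b"")
    mac_key = hkdf(key, b"mac", b"")
    expected = hmac.new(mac_key, aad + nonce + ct, HASH).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # verify before decrypt: never hand back garbage plaintext
    ks = _keystream(enc_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


Row = Tuple[str, bytes]  # (owning tenant id in clear, sealed record)


def build_table(master: bytes, records: List[Row], per_tenant: bool) -> List[Row]:
    """Seal every tenant's rows into one shared table. The owner id is bound in
    as AAD so a row cannot be silently re-labelled to another tenant."""
    return [(t, encrypt(key_for(master, t, per_tenant), r, t.encode())) for t, r in records]


def read_as(master: bytes, table: List[Row], requester: str, per_tenant: bool) -> List[Optional[bytes]]:
    """Open every row with the requester's key: None marks rows it cannot read."""
    key = key_for(master, requester, per_tenant)
    return [decrypt(key, blob, owner.encode()) for owner, blob in table]


def demo() -> dict:
    """Constructed data: two tenants, one table, read as 'globex' under both key models."""
    master = hashlib.sha256(b"constructed master key, example only").digest()
    records = [("acme", b"acme payroll export"), ("globex", b"globex customer list")]
    result = {}
    for per_tenant in (True, False):
        table = build_table(master, records, per_tenant)
        label = "per_tenant" if per_tenant else "shared_key"
        result[label] = read_as(master, table, "globex", per_tenant)
    return result


if __name__ == "__main__":
    print(demo())
```

Running the script prints both views: under `per_tenant` the acme row comes back as `None` for globex, under `shared_key` both rows open. In a real provider the master key would live in an HSM or cloud KMS and per-tenant keys would be wrapped rather than derived, but the evaluation question is the same: can one tenant’s key material ever open another tenant’s rows, and who holds the master.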

Ascertain whether customer data will be encrypted at rest and in network transmission, across external and internal networks, i.e. both the cloud provider’s own network and that of their underlying infrastructure (e.g., AWS, Azure). Internal network and datacenter-to-datacenter encryption is increasingly important, as private or internal networks are also susceptible to unauthorized network sniffing.

Location Management:

Where is my data? This is particularly important for cloud providers that may have datacenters and support teams in multiple legal jurisdictions.

It is important to ask your cloud providers to list all the locations that they store, process, transmit or access customer data and whether these are explicitly defined in the contract. Ensuring that the cloud contract documents all the countries or legal jurisdictions where company data will be stored, processed or accessed from is important in helping organizations meet their internal data privacy requirements. It is important to note that simple web access by support from another country is oftentimes considered the same as “data storage” in that country, and as such the full set of security and privacy requirement for data storage can apply.

The evaluation process should include investigating thoroughly any potential conflict in countries’ data privacy and legal requirements. One example is that a data privacy conflict could arise if the customer and cloud provider are located in the US and the provider has multiple datacenters in the US, but also has a datacenter in Germany for disaster recovery and resilience. The US could mandate certain data be deleted (due to a US data privacy requirement), while German law may require that the data be retained (as evidence in a subsequent legal case). In this scenario, the conflict of laws between jurisdictions may place the integrity of the customer data at risk.

User Management:

How is user authentication, authorization and accounting managed? A unified user management model is an essential component of cloud, from a business, usability and security perspective.

Businesses using cloud may be presented with the challenge of integrating their existing identity and log management solutions with those of the cloud provider. Ensure that the cloud provider supports identity federation standards such as SAML or OpenID Connect, so as to help prevent costly one-off integrations.

Once the user is authenticated, the next step is authorization. It is important that the cloud provider can support a granular set of user permissions, so that a customer’s least privilege and separation of duties requirements can be followed within that cloud provider’s environment.

Also, ensure that all end user actions, be it write or view, are logged in the cloud and that there is an API available to integrate the log data directly into the customer’s security monitoring tools. This is important so that the customer can monitor their numerous cloud providers from the customer’s Security Operations Center (SOC).

Vendor Management:

How do I assess my cloud vendor? As with any vendor model, an organization can outsource the responsibility for the service, but not the associated risk or accountability.

One of the foundations of cloud is its agile nature, which is inherent in its roots in innovation and rapid change. As such, the classic model of assessing your vendor once per annum does not scale for cloud. Instead, companies must build an on-demand vendor monitoring and management program that is based on the continuous level of change in cloud. Where possible, this should mandate that the cloud vendor provides a number of notification triggers, including notification upon substantive security control changes, change of the cloud provider’s relevant vendors (e.g., a move from AWS to Azure), or upon certain defined control deficiencies (e.g., an externally facing high-severity vulnerability remaining open beyond a defined period).

One challenge is to ensure the benefit of deploying a cloud solution is not outweighed by the complexity of doing business in the cloud. The cloud provider should provide a single point of contact, a single contract and a single point of accountability to manage the solution end-to-end, independent of what underlying services that they themselves use.

It’s important to guard against an “out of sight, out of mind” mentality: it’s still your data and your service even if it is hosted or directly managed by the cloud provider.

The above are just some of the best practices that can be found in the recently-published Shared Assessments Evaluating Cloud Risk for the Enterprise white paper.

I hope that you find value in the Evaluating Cloud Risk guide and that it becomes an integral component of your cloud vendor management toolkit. The complete whitepaper can be downloaded from here.

Third Party IoT Security: Inte...

06-15-2017

Shared Assessment’s just published Ponemon research report The Internet of Things (IoT): A new Era of Third Party Risk provides a great snapshot of current IoT Risk management both within an organiz[...]

Shared Assessment’s just published Ponemon research report The Internet of Things (IoT): A new Era of Third Party Risk provides a great snapshot of current IoT Risk management both within an organization’s four walls and with the third parties that so often support mission critical activities.

Many of the report’s findings are troublesome: the lack of Board understanding about IoT in the context of both in-house and third party risk management; the lack of an integrated approach to IoT risk management; even the lack of some of the most basic elements required to build an effective IoT risk management program, such as having a complete inventory of IoT devices (only 16% of respondents said they had such an inventory). Those findings come despite the recognition that security incidents related to IoT devices or applications could be catastrophic (94% of survey respondents said they thought such a result could emerge within two years).

What are the consequences of such a large gap between recognized IoT risks and an ability to effectively mitigate them? What are the key steps required to close that gap?

Last October’s headline making IoT-based DDoS attack was a small sample of what the future may hold. That attack disrupted a number of websites including Twitter, Netflix, PayPal, Verizon and Comcast, and was orchestrated by the Mirai botnet. That botnet employed “tens of millions” of malware-infected devices connected to the internet (Bloomberg, October 21, 2016).

The Internet of Things report’s key findings provide important insight on how the state of IoT security will play into the evolving threat landscape as the number of IoT devices expands over the next few years.

The Internet of Things results are strongly indicative of a low level of IoT risk management maturity: only 30% of respondents reported that managing third party IoT risks is an organizational priority; only 27% of respondents said their organization allocates sufficient resources to manage third party IoT risks; and only 25% reported that their governing board required assurances that third party IoT risk was being assessed, managed and monitored appropriately. Only 31% of organizations regularly report to the CEO and board on the effectiveness of their third party risk management program. Why?

More than half of respondents said the effectiveness of their organization’s third party risk management program was not a priority for the board and CEO. Perhaps even more disturbing is the perception (by 56% of respondents) that it is not possible to determine whether third party safeguards and IoT security policies are sufficient to prevent a data breach. This last finding suggests that many respondents don’t understand what a mature IoT risk management environment would comprise.

The sheer magnitude in the expected growth of IoT devices suggests that a high degree of automation is vital to effective IoT risk management. Industrial firms have had a focus on Operational Technology (OT) for years because of its essential nature in the production process. What is OT? Gartner defines operational technology as “hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in the enterprise.”

For those outside of organizations where industrial device control has been a longstanding requirement, the importance of operational technology security may not be second hand. That will change as IoT security concerns emerge, and we’ll rapidly see a security environment where information security, IT security, OT security and physical security require close coordination to achieve effective risk mitigation. One key question is how quickly that convergence will occur, and there is ample evidence to suggest that here too we’re early-on in that maturity process.

Source: Gartner, 2015

No matter how the IoT security ecosystem evolves, there are steps organizations can take now to protect against emerging IoT threats. The most important are these:

  1. Ensure that third-party and IoT risk management processes are defined and operational at all governance levels, up to and including the board.
  2. Update asset management processes and inventory systems to include IoT devices, and understand the security characteristics of all inventoried devices. When devices are found to have inadequate security controls, replace them.
  3. Enhance third party contracts and policies to include IoT-specific requirements.
  4. Expand third party assessment techniques and processes to ensure the presence and effectiveness of controls specific to IoT devices.
  5. Develop specific sourcing and procurement requirements to ensure that only IoT devices designed with appropriate security functions included and enabled are considered for product selection and acquisition.

For more than four decades, Gary Roboff, Senior Advisor, The Santa Fe Group, contributed his outstanding talents to financial services planning and management, including 25 years at JP Morgan Chase, where he retired as Senior Vice President of Electronic Commerce. Gary has worked extensively in electronic payments, payments fraud, third party risk management, privacy and information utilization, as well as business frameworks and standards for electronic commerce applications.

Tips, Tools and Recommendation...

06-09-2017

In this series, Shared Assessments Steering Committee member Ken Peterson talks about managing cyber risk in the healthcare space.

Q&A Series – Part 2

For the healthcare industry, let’s talk about third party risk management: who are the third parties here, and what types of risk are they inserting into the healthcare data security landscape?

“Third parties are any organization that your company may bring in to deliver specific services for your company and your customer network. Third party firms come in all shapes and sizes, different levels of business maturity and varying levels of demonstrated risk management. It is incumbent on your company to ensure your third party vendor network is pre-qualified and vetted to ensure you’re not exposing your business and your customers to the risk of outside attacks. A risk management plan is critical.”

What are the risks for healthcare organizations associated with not engaging in a risk management plan?

“As we’ve seen in multiple cases in the last several years, a cyberattack can have a far-reaching and highly damaging impact on an organization. A company’s brand, business equity and ‘earned public trust’ are often in jeopardy with a breach. In addition, customer and investor exposure are also at direct risk with a breach. And the time it takes to remediate a breach, earn back the trust and confidence of customers and shore up the safety and security of a business operation can take months if not years if the proper risk management plans are not in place.”

What are some of the initial steps that a company should take in protecting its intellectual assets?

“There are a number of key steps that an organization should take toward safeguarding its assets: 1) Kick off a formally empowered POC related to securing your third party network; 2) Do an inventory of your vendor network to ensure what capacity a vendor is being utilized in and what types of data they have access to within your organization; 3) Define your vendors’ risk criteria to your business – vetting most critical to least critical; and 4) Define specific remediation efforts to help harden the security of your vendors.”

What industry organizations and tools do you recommend for healthcare organizations that are trying to improve the security of their operations?

“The healthcare industry is not an amorphous mass. As an example, clinical research organizations have concerns not always shared by medical device manufacturers. It is a diverse environment. With that said, there are organizations that provide to their members trusted intelligence and techniques that meet those broad areas of common interest that all healthcare organizations share when it comes to information security. The most prominent right now is NH-ISAC, as it is directly focused on healthcare information security and compliance needs. Most major industries have their own ISAC at this point. The Shared Assessments Organization focuses on tools and techniques to assess vendor risk that are common across verticals. The focus on tools should be those that enable organizations to conduct initial vendor due diligence, monitor in real time the vulnerabilities that can compromise their information, those that can provide continuous monitoring of critical networks and those that can assist the organization with making sense of large masses of data in time to be of value.”

Kenneth J. Peterson, CTPRP
Founder and CEO
Churchill & Harriman

Ken Peterson is a recognized leader in developing and implementing cybersecurity risk management strategies and solutions. Under Peterson’s stewardship, C&H has optimized enterprise risk governance programs, executing thousands of third-party risk assessments globally since 1997. C&H risk management work has been formally recognized by the U.S. Department of Homeland Security, the Federal Bureau of Investigation, the U.S. Department of Health and Human Services, the National Health ISAC, and the National Directorate of ISACs. In partnership with Prevalent, Inc., C&H has been formally selected by the NH-ISAC to perform certain third-party risk management services on behalf of their Members.

C&H is an Assessment Firm Member of the Shared Assessments (SA) Program, actively contributing to the Shared Assessments Agreed Upon Procedures (AUP), the Standardized Information Gathering (SIG) questionnaire, the Technical Development Committee and public outreach programs. Peterson is privileged to serve on the Shared Assessment Program’s Steering Committee and governing Advisory Board. Peterson additionally serves as the formal liaison between these two bodies.

To learn more about C&H, please email info@chus.com.

The Evolving Threat Landscape ...

06-07-2017

In this series, Shared Assessments Advisory Board Committee member Ken Peterson talks about managing cyber risk in the Healthcare space. We look forward to hearing more on this topic from Ken and the NH-ISAC at the 10th Annual Shared Assessments Summit.

Q&A Series – Part 1
As a seasoned veteran in risk management and threat detection in the global cybersecurity market, how would you describe the cybersecurity environment we’re operating in today? Where are the biggest risks and the areas we need to be mindful of moving forward?

“We’re operating in a highly dynamic and continually evolving threat landscape for potential cyberattacks. We’ve learned that more extensive information sharing and reporting about incidents has given us a clearer picture of the dimension of the threats organizations face. The biggest risk for any organization is not understanding the unique threats and vulnerabilities for a potential attack. It is important to engage with communities of interest who can provide intelligence and techniques that can assist the organization in meeting its information security requirements.”

The healthcare industry has recently made a big push to move from paper to electronic health records, putting an enormous amount of personal data in motion. How does the shift to electronic health records make your business more challenging?

“We’re balancing two paradigms here – consumer demands for easier access to their personal health information and the need to protect sensitive data that is increasingly more in motion. Our goal is always to ensure the right safeguards, and procedures are in place to better protect sensitive information – for the benefit of consumers, the healthcare market and organizations engaging with the healthcare industry.”

As the healthcare industry embraces an increased exchange of electronic data, what are 2-3 things an organization needs to be mindful of as it relates to mitigating their risk for cyberattacks?

“The first thing to understand is where and how your organization might be vulnerable to attack. For example, companies don’t often have a firm grasp of their vendor population and the intended or unintended risks that vendors may bring to your business operations. Are these vendors introducing a potential virus or malicious code via their electronic communications with your company, or are they not taking proper measures to safeguard physical information that may put your business at risk? Also, does an organization have a proper vendor or third party risk governance process in place for routinely reviewing and updating vendors that are engaging with your organization? Lastly, does an organization have a proper vetting process for onboarding new vendors to ensure they meet proper security requirements? All important steps in mitigating risk for cyberattacks.”

Kenneth J. Peterson, CTPRP
Founder and CEO
Churchill & Harriman

Ken Peterson is a recognized leader in developing and implementing cybersecurity risk management strategies and solutions. Under Peterson’s stewardship, C&H has optimized enterprise risk governance programs, executing thousands of third-party risk assessments globally since 1997. C&H risk management work has been formally recognized by the U.S. Department of Homeland Security, the Federal Bureau of Investigation, the U.S. Department of Health and Human Services, the National Health ISAC, and the National Directorate of ISACs. In partnership with Prevalent, Inc., C&H has been formally selected by the NH-ISAC to perform certain third-party risk management services on behalf of their Members.

C&H is an Assessment Firm Member of the Shared Assessments (SA) Program, actively contributing to the Shared Assessments Agreed Upon Procedures (AUP), the Standardized Information Gathering (SIG) questionnaire, the Technical Development Committee and public outreach programs. Peterson is privileged to serve on the Shared Assessment Program’s Steering Committee and governing Advisory Board. Peterson additionally serves as the formal liaison between these two bodies.

To learn more about C&H, please email info@chus.com.

Failed Risk Controls – T...

04-17-2017

By: Bob Jones, Senior Advisor, The Santa Fe Group, Shared Assessments Program and Gary Roboff, Senior Advisor, The Santa Fe Group, Shared Assessments Program.

The Sales Practices Report released by the Board of Wells Fargo on April 10th provides an extraordinary behind the scenes look at the breakdown of risk control processes at one of the nation’s largest banks. We think this board-initiated report is an important pedagogic tool and should be required reading for risk control professionals in banking and elsewhere.

In a previous posting, Tone at the Top: Culture Counts – the Wells Fargo Saga, we discussed extensively the evolution of the sales culture at Wells Fargo. This new and remarkably candid report places that sales culture in the context of an extremely decentralized risk control structure. Within this decentralized structure, senior business leaders ran their operations in hermetically sealed environments where risk-related data could be (and was) shielded from both the board of directors and the relatively ineffective central risk functions that existed at Wells until recently.

Although the report demonstrates how risk control mechanics at Wells failed over a period of years, it also provides details about opportunities the bank had – but did not take – to corral an aberrant culture that the bank accurately pinpointed earlier than the outside world might have expected, given the timelines management has presented in sworn testimony, press interviews and other communications from the company.

As early as 2004 Wells initiated a task force to report on gaming the sales incentive program, already perceived as an issue in the community bank. The report said:

“It is the conclusion by Corporate Security Internal Investigations” that “whether real or perceived, team members on the current Corporate Sales Incentive Plan feel they cannot make sales goals without gaming the system. The incentive to cheat is based on the fear of losing their jobs for not meeting performance expectations…. [i]f customers believe that Wells Fargo team members are not conducting business in an appropriate and ethical manner, it will result in loss of business and can lead to diminished reputation in the community.” (( Independent Directors of the Board of Wells Fargo & Company, Sales Practices Investigation Report. April 10, 2017. page 88.))

The report went on to state that Wells Fargo had been losing unemployment insurance cases involving sales integrity terminations, and said that in some of those cases judges had “made disparaging comments” about the Wells sales incentive system. The report recommended that Wells reduce or eliminate sales incentive programs and remove the threat of termination if goals were not met. Those recommendations and findings were never advanced to the company’s executive management or to the board of directors.

As the sales culture hardened at Wells, critical risk control processes broke down completely. For example, beginning in 2013 there were regular audits of the risk control culture in the community bank. In both 2013 and 2014, Audit rated the risk control culture “strong” based upon the stature of risk management in the community bank and the presence of “strong and effective controls” which demonstrated an appropriate focus on risk management. As late as March 2016, Audit rated the Community Bank risk control culture “satisfactory,” citing actions underway “to strengthen sales practices by fostering a culture where ‘only needs-based and value-add product and service solutions [would be] delivered to customers.” ((Independent Directors of the Board of Wells Fargo & Company, Sales Practices Investigation Report, April 10, 2017, pages 94-95. This “satisfactory” rating came despite a May 2015 lawsuit filed by the city of Los Angeles against Wells Fargo alleging ongoing widespread unfair, unlawful and deceptive sales practices.))

In 2004, Wells Fargo risk functions were still able to accurately document material risk culture weaknesses even if they were never vetted at appropriate levels of executive management. Ten years later that self-diagnostic ability was long gone, and with it any hope of steering clear of what became one of the largest ethical lapses and process breakdowns ever seen in retail banking.

Santa Fe Group Senior Advisor, Bob Jones, has led financial institution fraud risk management programs for more than 40 years. A well-known thought leader in the financial services industry and a sought-after expert in risk management strategy, Bob has devoted his career to innovative financial services fraud reduction and risk management. Today, Bob is a consultant, educator and expert witness, and serves as the principal of RW Jones Associates LLC.

For more than four decades, Gary Roboff, Senior Advisor, The Santa Fe Group, contributed his outstanding talents to financial services planning and management, including 25 years at JP Morgan Chase, where he retired as Senior Vice President of Electronic Commerce. Gary has worked extensively in electronic payments, payments fraud, third party risk management, privacy and information utilization, as well as business frameworks and standards for electronic commerce applications.

Setting a New Benchmark –...

For financial services companies that fall under the New York State Department of Financial Services (DFS) cybersecurity requirements rule, the timeline for implementing 23 NYCRR500 has begun. The new rule became effective March 1st. Each section of the rule has a timeline relating to the development of cybersecurity programs for all “Covered Entities.”

The regulation applies to the array of organizations that operate under license, charter or other authorization under New York’s Banking, Financial Services or Insurance Laws, which place that organization under DFS regulation. Exemptions do exist, but they affect only organizations with fewer than 10 staff (including outside contractors), annual revenue of less than $5 million and total year-end assets of less than $10 million (Section 500.19). An exempt organization must file a Notice of Exemption (Appendix B form) within 30 days of determining that it qualifies.

The rules are prefaced with the statement that, “The financial services industry is a significant target of cybersecurity threats. DFS appreciates that many firms have proactively increased their cybersecurity programs with great success. Given the seriousness of the issue and the risk to all regulated entities, certain regulatory minimum standards are warranted, while not being overly prescriptive so that cybersecurity programs can match the relevant risks and keep pace with technological advances. Accordingly, this regulation is designed to promote the protection of customer information as well as the information technology systems of regulated entities. This regulation requires each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion. Senior management must take this issue seriously and be responsible for the organization’s cybersecurity program and file an annual certification confirming compliance with these regulations.” ((Cybersecurity Requirements for Financial Services Companies. 23NYCRR500. New York State Department of Financial Services. Effective March 1, 2017. New York State Register.))

Cybersecurity programs are required under Section 500.02 to be “designed to protect the confidentiality, integrity and availability of the Covered Entity’s Information Systems,” must “be based on the Covered Entity’s Risk Assessment,” and must be designed to perform “core cybersecurity functions including identification and assessment of internal and external cybersecurity risks, use defensive infrastructure and written policies and procedures.” Mitigation and program improvements to meet compliance are included in that statement, as is appropriate supporting documentation. The regulation requires that Covered Entities have a cybersecurity program that addresses 14 areas within their third party risk management program, including:

  • Encryption of non-public information (Section 500.15).
  • Multi-factor authentication that is appropriate to the risk assessment (Section 500.12).
  • Third party agreement due diligence that includes actionable contract requirements that allow the outsourcer to mirror its own risk requirements at down chain levels (third party and on) within its supply chain (Section 500.11).
  • Periodic risk assessments of information systems, business operations, technology developments and emerging threats (Section 500.09).

The Covered Entity may meet the requirements through adopting an affiliates program – affiliates do not include third party providers, as defined by the regulation. The rule requires all Covered Entities to have a third party risk management program. Written policies and procedures that are approved at the senior and/or board levels, ongoing training, audit trails and specific risk controls are all mandated, along with incident response planning, monitoring and testing and designation of a formal Chief Information Security Officer (CISO). The CISO must be “qualified” and would be responsible for cybersecurity program design, implementation, oversight, program updates and enforcement and be responsible under Section 500.04(b) for reporting at the board level of the Covered Entity.

This last point, appointment of a CISO, has been contentious, in part because it is viewed as burdensome for smaller organizations. The DFS allows for the CISO to be an outsourced position, an accommodation designed to alleviate the cost burden for smaller firms. However, outsourcing the CISO position may have unintended consequences, since for smaller firms the most logical third party to handle that role might well be an individual from the company that provides technology infrastructure to the outsourcer. Conflicts of interest may reasonably occur. For example, part of the CISO’s responsibility is validating compensating controls when an outsourcer may not be able to or cannot comply with new DFS security requirements, such as encryption of at-rest non-public data or multi-factor authentication. Will a CISO paid by the third party be able to make an independent assessment of control adequacy when that person’s primary employer may have a vested interest in an outcome that differs from its client’s?

This regulation mandates that it is the CISO’s role to identify, sign off on and report to the board on the effectiveness of the program, materiality of risks and the compensating controls for all areas of the cybersecurity program. Is it feasible for the outsourced CISO, who may be tied to application development or other IT functions as defined in Section 500.10 Cybersecurity Personnel and Intelligence, to remain independent? These questions only scratch the surface on the potential pitfalls this situation poses in relation to robust third party risk management.

Rule provisions that immediately took effect and involve reporting to the DFS Superintendent of Financial Services include Section 500.17(a), notice within 72 hours of a cybersecurity event, and Section 500.17(b), a written statement of compliance with the rule (Appendix A form), which is due February 15th each year. ((The Regulation defines a cybersecurity event as “any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse [of] an Information System or information stored on such Information System.”)) Defined transitional period milestones to comply with the remaining requirements of the regulation are noted in Section 500.22. A full list of transition requirements is available in the regulation document.

The Shared Assessments Program member vertical groups and development committees will continue to examine and discuss the regulation and take 23NYCRR500 into account during best practices resources development and Program Tool updates.

Marya Roddis is Vice President of Communications for The Santa Fe Group, Shared Assessments Program. She acts as lead writer for staff and member subject matter experts, providing research and other support in developing blog content and documenting committee projects in white papers and briefings, as well as press communications and other outreach documentation. She has 40 years of experience in administration, compliance monitoring and communications and has served as a Resource Development Consultant since 2003 for primarily non-profit organizations in the fields of arts, education, social services and regional economic and business development.