If Left to Our Own Devices...

Eileen Smith 03-14-2019

These days everything’s connected through the Internet, that constantly growing and evolving massive communications network. More and more devices are being connected (75 billion or so by 2025), forming a complex interrelated platform or ecosystem commonly referred to as the Internet of Things (IoT). This platform offers consumers convenience, ease of use, comprehensive information management and, unfortunately, unknown security risks. Every consumer wireless device—every smart appliance, every wearable, every medical implant, every door lock and thermostat, every self-driving car, every surveillance camera, every seemingly eavesdropping personal assistant—transmits data, very sensitive data at that, in order to keep everything working. Some of the time.

Meanwhile, businesses are leveraging IoT to foster greater efficiency and productivity, gain real-time information and improve the customer experience by providing innovative solutions and devices. These solutions collect vast amounts of data across the enterprise and the third parties it may employ to support and deliver those services. A good deal of this information is generated by those third parties, such as contractors and partners. This leaves business cybersecurity teams markedly more challenged, and more vulnerable to cyberattacks and data breaches, across a vast IoT landscape whose open entry points may have gone unnoticed or, worse, been ignored.

State lawmakers have begun to enact sweeping security legislation to address these issues in the face of slow action at the federal level. In June 2018 California became the first state to pass comprehensive consumer privacy regulations—the California Consumer Privacy Act (CCPA)—which will take effect in January 2020. This legislation broadens the definition of “personal information,” providing consumers with significantly more control over how their information is used, including how businesses collect, share and sell their information. However, it did not tackle IoT security specifically.

California doubled down on consumer privacy laws with the Security of Connected Devices Act (SB-327). This additional law will institute strict new regulations pertaining to connected devices, increase oversight on IoT security, and cover the data (beyond personal data) that IoT devices collect, store and transmit, thus expanding upon consumer privacy features contained in the CCPA legislation.

SB-327 will require manufacturers of connected devices to equip those devices, depending on their function, with “reasonable” security features that protect the device as well as “any information it may contain from unauthorized access, destruction, use, modification, or disclosure.” For example, users of new devices would be required to create a unique password before using the device for the first time, removing the default password problem and ensuring a stronger layer of password protection. Overall, consumers of these devices should feel a greater sense of control over their personal information.

“The net of this bill is it basically requires people to understand IoT devices,” said Charlie Miller, Senior Advisor at The Santa Fe Group. “It’s all good stuff and essential to have in place but one of the challenges will be how companies are required to monitor and demonstrate compliance with the law. The problem is no longer just exposure of one’s personal information but reducing exposure to many things, including one’s personal safety.”

Consider the fact that as more employees telecommute—working from home, airports or anywhere they can access the internet—they are potentially compromising their security. Many companies have been focused more on managing and securing internal workplace IoT devices as opposed to those in use by external third parties.

This lack of regulation, oversight and governance has slowed risk management efforts over IoT. As Miller notes, “Our research shows that there continues to be limited assignment of accountability and limited success in maintaining inventories of IoT devices within their organizations and their third party suppliers, which is essential to ensure they know what functions the devices perform, what security features are present, what data is collected and how it is secured and transmitted.”

The current threat landscape is real and expanding rapidly, consisting of countless avenues for malicious attacks: malware, ransomware, cryptojacking (covertly using a device’s computing resources to mine cryptocurrency), phishing (mostly through email click-throughs), denial of service (DoS) attacks and botnets.

So, what can third party risk managers do to address these critical issues and mitigate risk? One major action would be to understand who in your organization is accountable for IoT. Develop a plan to inventory IoT devices, understand the risks they pose to your organization, ensure your internal and third party controls are assessed and validated to mitigate those risks, report results to your risk committee, and include IoT risk in your education and awareness training, delivered at all levels of the organization.

Additionally, IoT device manufacturers who wait or fail to comply with this law and implement these requirements related to consumer security and privacy measures may face financial penalties and fall behind those manufacturers who do comply.

At the very least, “This law will get people to pay attention to the risks posed by IoT devices, and given that this law is still somewhat open-ended, we should expect to see additional requirements,” Miller said.

Shared Assessments Takes Top I...

Jenny Burke 03-07-2019

Just when you thought awards season was over….

Shared Assessments was honored with two awards for SC Magazine’s celebration of 30 years in cybersecurity. The Shared Assessments Program was named one of the Most Important Industry Organizations of the Last 30 Years. Though we have only been around for half of that time, we are proud of the contributions that our Membership has made to make vendor management and the risk landscape in general more secure. In addition, Catherine Allen was named one of the Visionaries of the Last 30 Years. As the founder of Shared Assessments she has seen big changes in this space, but remains passionate about our mission.

Another honoree, Steve Katz (Information Security Executive of the Last 30 Years), will be receiving a Lifetime Achievement Award and deliver the opening keynote address at the Annual Shared Assessments Summit on April 10th in Arlington, VA. For more information on this award, visit SC Magazine.

Shared Assessments was also named winner of the prestigious 2019 Cyber Defense Magazine InfoSec Awards in both the Hot Risk Management Company and the Leader in Third Party Risk Management (TPRM) categories, and Chairman and CEO Catherine A. Allen was named an honoree in the Cutting-Edge Women in Cyber Security Category.

“Nation state exploitation, Cybercrime, Hacktivism, Cyberespionage, Ransomware and malware exploits are all on the rise,” said Gary S. Miliefsky, Publisher, Cyber Defense Magazine. “Shared Assessments/SFG has won these awards after we reviewed nearly 3,000 infosec companies, because they are an innovator that might actually help you defeat the next generation of exploiters.” Read more about the Cyber Defense Awards.

Shared Assessments was also recently honored by the Cybersecurity Excellence Awards as a winner in Vendor Risk Management.

Thanks to our hardworking members who are out there making the economy more secure right along with us.

Predicting the Privacy Weather...

Linnea Solem 03-04-2019

Trying to predict the privacy weather report for third party risk?
The dialog on online privacy is heating up in Washington D.C. this week, as hearings and industry discussion on the merits of federal privacy legislation have been prompted in the wake of the passage of the California Consumer Privacy Act (CCPA). Record snowfall levels have been reported across the country, even in typically sunny California, creating a February for the record books. This month I had the chance to facilitate a teleconference on CCPA for the Shared Assessments Program Regulatory Awareness and Best Practices working groups. Trying to predict the timeline of the implications of CCPA for third party risk is rather like predicting today’s weather report in an era of unpredictability.

For members who may not have participated in the update, I’ll summarize the sunny and cloudy viewpoints on our discussion with a recap: Background on what CCPA is; CCPA Components and Timelines; CCPA Readiness Challenges, and Implications to Vendor Management.

Background on the California Consumer Privacy Act (CCPA)
Since 1972, “Privacy Rights” have been considered inalienable rights under the California Constitution. California has been a leader in putting a spotlight on the sharing of data with third parties. As early as 2003, California’s “Shine the Light” law was an early effort to address the practice of sharing customers’ personal information for marketing purposes. While the initial focus triggered updates to online privacy policies, the CCPA goes even further in putting more rights over the control of information in the hands of individuals.

A ballot initiative was created in 2017 to address consumer privacy rights by garnering signatures to put legislation on the ballot in the 2018 election cycle. By spring of 2018, the privacy weather forecast changed swiftly with industry disclosures of the sharing of customer data on social media sites. The activists’ ballot initiative had received over 600K signatures, generating a storm of effort to draft a compromise bill that could be modified or amended by the legislative process rather than continuing to put privacy regulations out to voters. So, faster than a 10-day weather forecast, CCPA was enacted by the state by the June 30th, 2018 deadline. Amendments were issued at the start of fall 2018 to address discrepancies, clarify exemptions and provide a planned timeline for compliance.

CCPA Components and Timelines
Privacy professionals have focused on the extra-territorial nature of GDPR, and California’s CCPA is creating a similar privacy tidal wave in that the focus is on the collection, use, and retention of personal information of California residents.

Scope: CCPA is targeted at for-profit organizations that do business in the state of California and collect personal information directly from individuals or on behalf of another entity. CCPA defines trigger thresholds designed to exempt the bulk of small businesses from needing to address compliance. CCPA applies if any one of these parameters is triggered: annual gross revenue of $25 million; entities that buy, receive, sell or share data of more than 50K consumers, households, or devices for commercial purposes; or entities that derive 50% of their revenue from the selling of consumer data, regardless of the size of the organization.

Given that the state of California is the 5th largest economy in the world and only 34 countries in the world have greater populations than California, CCPA will have global implications to digital marketing.

Key Requirements:
CCPA defines several rights as the primary objective of the legislation. These rights include:

  • To know what personal information is being collected about them
  • To know whether their personal information is sold, disclosed and to whom
  • The right to say no to the sale of personal information
  • The right to access their personal information
  • The right of deletion if there are not legitimate needs to retain the data
  • The right to equal treatment and price if these rights are exercised.

CCPA defines civil penalties for violations of CCPA within defined parameters. The element of CCPA that is driving much of the heated debate is its right of private action. The potential for class action litigation, or the seeking of damages for violations, is triggering a broad discussion on the differences between self-regulatory standards for digital marketing and state-by-state requirements.

CCPA is written from a consumer advocacy point of view. The enforcement will be done by the state attorney general. CCPA comes into effect on January 1st, 2020, with ensuing regulatory guidance to be published no later than July 1st, 2020. The CA AG has indicated they will not enforce the CCPA requirements until six months after the final regulatory guidance is published.

CCPA Readiness Challenges
At first glance, such timelines would indicate CCPA compliance would be on the Privacy Farmer’s Almanac predictions for next winter. However, the consumer’s rights regarding treatment of their personal data have a “Look-Back” period of 12 months. Building the processes to address CCPA will need to be assessed and built out into a roadmap for compliance for data that has been collected in 2019. GDPR provided a 24-month timeline for compliance, and CCPA provides a much shorter timeline given the complexities of data usage in the digital landscape.

A readiness or preparation phase for CCPA will tend to focus on self-assessment and review of business processes for the collection and sharing of data. Implementing a full readiness plan will be challenging until final guidance is completed. A six-month timeframe for executing a compliance program may be too short unless preparation activities have already occurred to scope and shape the depth and breadth of CCPA compliance needs.

Organizations that were already required to build out business processes and infrastructure for GDPR will likely have a sunnier outlook for CCPA compliance, since they are simply extending existing capabilities to the new CCPA requirements.

Key themes for preparation activities:

  • Data Governance: Creating and maintaining adequate data inventories and data flows, including third parties for data with a “marketing/selling” point of view
  • Consumer Advocacy: Developing the business process enablement and automation of consumer rights to access and delete data typically in unstructured data stores.
  • Digital Marketing Disruption: Assessing the marketing, brand, and customer satisfaction risks of implementing limitations on the “selling” of customer data. Organizations may make business decisions in 2019 to change how, or whether, they share customer data.
  • Vendor Management: Identifying contract provisions with third party vendors and then defining sufficient due diligence based on the service they perform.
  • Reasonable Security: Conducting reviews or self-assessments of data security safeguards. With the expanded scope of information security controls for marketing data – beyond the traditional “PII” focus – security controls will need to address the digital landscape, mobile and devices at a much greater level of detail.

Implications to Vendor Management Functions
The digital marketing landscape has layers of third-party relationships. CCPA will trigger the need to identify the applicable third parties that will require affirmation of their obligations to limit the use of personal data beyond the terms of the contract.

3 Things to Think About

  1. A “service provider” for the purposes of the CCPA, is an entity that processes personal information “on behalf” of a business.
    The vendor or “service provider” must be bound by a written contract that prohibits the use of personal information for other purposes
  2. CCPA requires that the contract with an in-scope service provider include a “certification” that the entity receiving the personal information understands the restrictions in the contract and will comply
  3. These obligations will require updates to key third party risk governance processes to address the contract terms and limitations, but also the corresponding third-party assessment process for due diligence and testing of the controls.

CCPA Vendor Readiness Focus Areas
The final rulemaking for CCPA will be initiated by the CA Attorney General after a series of workshops, hearings, and outreach to the industry. While final interpretations and the potential for additional amendments make final scope and timeframes a bit cloudy, there are preparation and readiness steps organizations can do this year.

For businesses that use third parties, particularly in the online or digital marketing landscape, a starting point is to assess the current vendor inventory and contracts to create a baseline. For vendors who support their clients in the digital marketing landscape, they can begin to assess their role and what data they process and be prepared for additional scrutiny in the due diligence process.

The privacy landscape will continue to evolve, and CCPA dialog will likely continue through spring and summer of this year. The bottom line is that CCPA is creating momentum for the U.S. to adopt a different approach to digital privacy practices, and that will impact the third-party providers that enable the digital ecosystem.

The Shared Assessments Program’s Privacy Committee will be monitoring CCPA developments to identify impacts to standardized questionnaires, privacy tools, checklists, and testing procedures for the next 24 months. If you or your organization would like to participate in the Privacy Committee or CCPA sub-committee, please sign up to participate in the committee.

Linnea Solem is Founder and CEO, Solem Risk Partners, LLC, a management consulting and advisory services company focused on Third Party Risk Governance, Privacy Program Management, and Enterprise Risk Management. Linnea serves on the Shared Assessments Advisory Board.

What is the Impact of Ohio...

Jeremy Byellin 02-22-2019

Last August, Governor John Kasich signed the Ohio Data Protection Act into law. 

The law creates a safe harbor that insulates “covered entities” from tort liability under Ohio state law if they “create, maintain, and comply with a written cybersecurity program” that “reasonably conforms” to one of the specified cybersecurity frameworks (including several NIST and ISO controls, and other relevant laws that may apply such as HIPAA, GLBA, and FISMA). 

Being the first of its kind, the law is, by definition, a precedent setter.  But how much of an impact will it have on its own?

In short, not much.  The scope of the law is limited to liability under Ohio law – and only tort law at that – in Ohio courts.  In other words, the law only creates a safe harbor against being sued for negligence or some other form of tort malfeasance in Ohio.

Despite all this naysaying, this law should be good news at least for covered companies already operating in Ohio, right?

Unfortunately, not as much as one may think.  In determining whether a company was negligent in a data breach, courts already look at that company’s compliance with industry standards. 

The new law doesn’t cut out any steps to asserting such compliance as a defense to negligence.  It still forces companies to go to court and litigate whether they were compliant with the named industry standards and thus eligible for the safe harbor – which is very likely what they would have done regardless of the new law.

Granted, the law does insure against Ohio courts increasing their expectations, such that compliance with industry standards is no longer enough, but the likelihood of that happening in the foreseeable future is dubious at best.

The law, then, doesn’t make a lot of immediate waves in the cybersecurity legal landscape.  That may change if other states – or more importantly, the federal government – enact similar laws, in which case, Ohio would be the trendsetter for a potential new nationwide standard.

Given that the law only took effect this past November, it remains to be seen how the law will actually play out, or whether it will have any impact whatsoever.

Exercising Good Privacy and Co...

Tom Garrubba 02-13-2019

Santa Fe Group Third Party Risk expert Tom Garrubba recently contributed to Corporate Compliance Insights with his take on the recently released Cisco Data Privacy Benchmark Study.

Read the full article.

Those of us in the privacy profession knew it was only a matter of time that privacy-minded organizations would eventually see the benefits of their internal analysis and hard work. Their efforts to refine and/or create policies, procedures, standards and practices that better secure and guard privacy during the handling of their customer’s personally identifiable information are paying off.

Evidence of this came to light in the new Cisco Data Privacy Benchmark Study, published in late January 2019. The study indicates that both outsourcing organizations and service providers are modifying the way they are doing business. Organizations increasingly understand the importance of recent regulations such as the General Data Protection Regulation (GDPR), which mandates protection of the personal data of citizens throughout the EU. This understanding is gaining traction as organizations grapple with similar U.S. state privacy regulations and guidance, such as the California Consumer Privacy Act (CCPA). From a compliance perspective, this is a breath of fresh air, since organizations are required to provide evidence that they’ve documented (and thus have a handle on) their internal processes and all the hands through which their data passes.

In reviewing the study, I take heart that the respondents’ customers (i.e., outsourcers) are performing proper due diligence as they strive to get a better understanding of how the service providers are (or will be) handling the outsourcer’s customer’s prized data. It appears that these service providers have anticipated the requests from their outsourcers and have built the need for responses into their internal compliance; thus, cutting down on due diligence delays.

These changes lead me to believe that both outsourcers and service providers have gone beyond paraphrasing Alfred E. Neuman (“What, me worry?”) since they’ve begun to see the harsh realities of the often-heavy fines levied for non-compliance. In particular, they’ve taken the privacy (and the related security) mandates of compliance regulations very seriously and are increasingly embedding this type of compliance into their business model.

One part of the Cisco study did raise my eyebrow, however: in identifying the “Most significant challenges in getting ready for GDPR,” 42% of the nearly three thousand respondents reported “Meeting data security requirements” as the most important. Closer to the bottom of the priority list is Vendor Management. Given the global impacts of major third party breaches over the last three years, third party risk management (TPRM) must be much higher up on the priority list.

The fact is that the security and privacy posture at any organization’s third and “nth” parties who touch personally identifiable information should be as important to the organization as their own security defenses. Outsourcers placing blind faith in their third party partners are almost certainly destined at some point to realize that just because they’ve outsourced the process doesn’t mean they’ve outsourced the risk.

This study is beneficial to organizations and industries of all types in that it evidences the importance of privacy and security compliance within the organization. By taking these concerns seriously, organizations not only create a value add for their customers, they also cover themselves from a compliance perspective by showing that they are conforming to industry best practices and regulations.

A good place to begin to ensure compliance and TPRM goals are being met by all third parties with whom a company is sharing data is through the use of recognized, field-proven best practices and TPRM tools – and ideally, tap into a global “intelligence ecosystem” of risk management professionals whose insight and experience can prove invaluable. One such resource is the member consortium Shared Assessments which produces many free tools used by member and non-member organizations alike.

Sadly, some organizations will fail to embrace important compliance processes and document their understanding by “following the data.” At every phase, from planning a third party risk management program, to building and capturing assessments, to benchmarking and ongoing evaluation of a program, there are TPRM tools that are invaluable for managing risk.

The impacts of third party breaches and lapses have been the stuff of headlines over the last year, and every organization’s shareholders, customers, partners and other stakeholders are taking note.  Companies no longer have the luxury of acting like the proverbial ostrich with their head in the sand, oblivious to the compliance perils that third party partners pose.

Cybersecurity: 4 Board-Level T...

Jenny Burke 02-05-2019

Consulting magazine recently interviewed Santa Fe Group Chairman and CEO Catherine Allen for an article examining cybersecurity challenges and related consulting trends. During the discussion, Catherine shared her insights on current cybersecurity issues, related third party risk management challenges, and board dynamics concerning information security.

The article, which is slated to appear in the publication in March, will feature insights from Cathy along with leaders of cybersecurity practices in global consulting firms. Here are four high-level cybersecurity trends Catherine covered during her discussion with Consulting:

1. Resiliency is a primary focal point: Even companies with the most advanced cybersecurity practices are likely to get hacked. As a result, organizational information security programs are focusing more on resiliency and business continuity activities. “Prevention remains critical, and companies continue to strengthen policies, improve the technologies they have in place, invest in training, and adopt best practices,” Catherine said. “But we’re just not at a point where we can stay ahead of the bad guys. When a breach occurs, companies need to have a set of incident response, crisis management and business continuity protocols in place. Boards want to know how quickly the company can handle the breach and get back up and running.”

2. Continuous monitoring is crucial: More companies are investing in improvements to continuous monitoring processes and supporting technologies. These capabilities help bolster prevention and incident-response capabilities. “We’re seeing a strong drive toward continuous monitoring so that when a breach occurs, a company can quickly identify, isolate and address it,” Catherine pointed out.

3. OT-IT convergence requires more attention: The convergence of operational technology (OT) and information technology marks an important and rapidly emerging risk-management area (it’s also a topic that features prominently in the upcoming 2019 Shared Assessments Summit). “Boards and C-suites are increasingly looking at the convergence of physical, cyber and operational security,” Catherine told Consulting. This integrated view of risk management is necessary because more adversaries are breaking physical barriers to hack into organizational information systems. As OT-IT convergence attracts more attention, companies with mature third party risk management programs are applying more scrutiny to risk management practices within fourth and fifth parties (i.e., the technology and services providers that their vendors use).

4. Cyber attackers move beyond financial motives: While the hacking of financial data remains a top concern, bad actors and other adversaries also target other data (such as intellectual property) for financial gain, to inflict reputational damage, or to sow chaos. Think of a cyberattack by a nation-state that strikes an electric grid, hospital system or the elections process in a rival country. “Many companies primarily focus on protecting financial data,” Catherine added. “But you have to take a comprehensive view of the organizational data that could potentially be targeted and then understand how that fits into the third party risk management as well as the broader context of enterprise risk management.”

Data Privacy Day 2019 – A Ne...

Linnea Solem 01-24-2019

Each year on January 28th, the world celebrates Data Privacy Day (DPD), led by the National Cyber Security Alliance in North America. This international effort creates awareness about the importance of respecting privacy, safeguarding data, and enabling trust. The focus this year is on the value of information. Whether you look at data privacy from an individual point of view, or from the lens of the business that is collecting, using, and storing personal data, remember:

Personal Information is like money. Value it. Protect it.

Last year the focus on Data Privacy was on readiness for the EU General Data Protection Regulation and the implications that emerged following the social media testimony in Congress on data sharing. This year, the spotlight is on the new California Consumer Privacy Act. In each of these areas, there is an impact to vendor management that is driving a new era for third party risk governance.

If personal information is like money, then we need to treat that asset with the same level of value and protection whether it is stored in our own privacy piggy bank or in the locked vault of a vendor or service provider. Let’s put the numbers into perspective:

  • 66% of U.S. consumers want companies to earn their trust by being more open and transparent with how their information is being used
  • In a survey by Blue Fountain Media, the web users surveyed overwhelmingly objected to how their information is being shared with and used by third-party vendors. 90% of those polled were very concerned with internet privacy.
  • A PwC survey found that only 52% of U.S. companies that will need to comply with the CCPA expect to be compliant by January 2020.

The Shared Assessments Program Vendor Risk Management Maturity Model was updated for release in 2019 to include the heightened expectations driven by new privacy regulations, high profile data breaches and updated external audit standards. The 2018 Shared Assessments Program and Protiviti Vendor Risk Management Benchmark study used the expanded maturity model. Early highlights of the 2018 study were shared with Shared Assessments Program Members this past month. In the latest Shared Assessments Program and Protiviti Vendor Risk Management Benchmark study, 55% of organizations surveyed indicated they were likely to “de-risk” or move away from high risk third-party relationships in the next 12 months, up 2% from the previous year. Further, considering all six privacy related measures in the survey, fully 43% of those surveyed had either fully functional or advanced privacy practices in place, the second highest result of any focus area in the survey. 22% of respondents reported they had only ad-hoc privacy practices in place and 9% had no active privacy efforts.

Both GDPR and CCPA drive the need for enhanced data governance strategies, including data flows, data maps and data inventories. Whether the data is stored locally or at a third-party service provider, the data must be protected. International privacy regulations will continue to advance, triggering the need to continually assess the effectiveness of each third party risk governance program against new privacy requirements.

Key steps in building your third-party risk roadmap for privacy protection:

  • Update vendor classification, scoping, and inventories for third party relationships
  • Enhance contract provisions for the protection and usage of data
  • Maintain a data inventory to manage and process data access requests
  • Broaden due diligence processes for assessing third parties and identifying corrective actions
  • Deploy effective ongoing monitoring of vendor relationships
  • Maintain documentation of processing of the personal data
  • Understand data transfers and authorizations at both third and fourth parties
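As an added illustration (not part of the original post, and not one of the Shared Assessments templates), the following Python models a small data inventory as a graph of transfers from our organization to third parties and on to their subprocessors (fourth parties). It answers the questions the roadmap above asks of an inventory: which parties end up holding a given data element, which transfers cross a jurisdiction, which transfers have no contract or DPA reference on file, and which parties an access or deletion request must reach. All party names, countries, data elements and authorization references are constructed for the example.

```python
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Set, Tuple


@dataclass
class Party:
    """An organization that holds personal data; 'country' drives the cross-border check."""
    name: str
    country: str


@dataclass
class Transfer:
    """One documented flow of data elements to a recipient.
    'authorization' is the contract/DPA reference that permits the flow ('' if none is on file)."""
    recipient: str
    elements: Set[str]
    authorization: str = ""


@dataclass
class Inventory:
    parties: Dict[str, Party]
    transfers: Dict[str, List[Transfer]]  # sender name -> outbound transfers

    def recipients_of(self, element: str, origin: str = "us") -> Dict[str, int]:
        """Every party that ends up holding `element`, with its distance from `origin`
        (1 = third party, 2 = fourth party, ...). Breadth-first, so the recorded depth is
        the shortest chain; `seen` stops loops if two vendors exchange data with each other."""
        seen: Dict[str, int] = {}
        queue: Deque[Tuple[str, int]] = deque([(origin, 0)])
        while queue:
            sender, depth = queue.popleft()
            for t in self.transfers.get(sender, []):
                if element in t.elements and t.recipient not in seen:
                    seen[t.recipient] = depth + 1
                    queue.append((t.recipient, depth + 1))
        return seen

    def unauthorized_transfers(self) -> List[Tuple[str, str, List[str]]]:
        """Transfers anywhere in the chain with no contract/DPA reference on file."""
        return [(s, t.recipient, sorted(t.elements))
                for s, ts in self.transfers.items() for t in ts if not t.authorization]

    def cross_border_transfers(self) -> List[Tuple[str, str, str, str]]:
        """(sender, recipient, from_country, to_country) for each transfer that changes jurisdiction."""
        out: List[Tuple[str, str, str, str]] = []
        for s, ts in self.transfers.items():
            for t in ts:
                a, b = self.parties[s].country, self.parties[t.recipient].country
                if a != b:
                    out.append((s, t.recipient, a, b))
        return out

    def access_request_scope(self, elements: Set[str], origin: str = "us") -> Dict[str, List[str]]:
        """For a data subject access/deletion request: the parties to contact, per data element."""
        return {e: sorted(self.recipients_of(e, origin)) for e in sorted(elements)}


# Constructed sample inventory: "us" is our organization; the two vendors it uses are
# third parties, and each vendor's own subprocessor is a fourth party.
INVENTORY = Inventory(
    parties={
        "us": Party("us", "US"),
        "payroll-vendor": Party("payroll-vendor", "US"),
        "analytics-sub": Party("analytics-sub", "IN"),   # payroll vendor's subprocessor
        "cloud-host": Party("cloud-host", "IE"),
        "backup-sub": Party("backup-sub", "DE"),         # cloud host's subprocessor
    },
    transfers={
        "us": [
            Transfer("payroll-vendor", {"name", "ssn", "salary"}, "DPA-2018-07"),
            Transfer("cloud-host", {"name", "email"}, "DPA-2018-11"),
        ],
        "payroll-vendor": [
            Transfer("analytics-sub", {"salary"}),  # no authorization on file: a finding
        ],
        "cloud-host": [
            Transfer("backup-sub", {"name", "email"}, "SCC-2018-11"),
        ],
    },
)

if __name__ == "__main__":
    print("holders of 'salary':", INVENTORY.recipients_of("salary"))
    print("unauthorized:", INVENTORY.unauthorized_transfers())
    print("cross-border:", INVENTORY.cross_border_transfers())
    print("access request for name+ssn:", INVENTORY.access_request_scope({"name", "ssn"}))
```

The point of keeping the inventory as a graph rather than a flat vendor list is the fourth-party question: `recipients_of("salary")` reports the analytics subprocessor at depth 2 even though our own contracts never name it, and `unauthorized_transfers()` surfaces that hop as the one with no DPA reference on file.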

While the numbers seem daunting, given the pace of technology and complexity of third-party relationships, there are action steps service provider organizations can take to mature their internal processes for third party risk governance.

3 Action Steps to take in 2019:

    1. Develop a Roadmap for maturing your third-party risk governance program: Benchmark your organization’s third-party risk governance program by downloading and using the 2019 version of the Shared Assessments Program Vendor Risk Management Maturity Model
    2. Expand data governance tracking tools to protect personal data: Download the free privacy templates in the Shared Assessments GDPR tools. The Target Data Tracker template enables your organization to document the tracking of target data by third and fourth parties, addressing the broader third party and data transfer obligations driven by privacy regulations.
    3. Enhance your Training and Awareness Program: Leverage the free resources for data privacy at https://staysafeonline.org/resources/

In today’s market landscape, all organizations utilize third party relationships to run and operate their business. Ensuring that the right privacy protections are in place in your third-party risk governance program demonstrates your commitment to treat your client’s privacy data as your own.

Protecting data in your Privacy Piggy Bank is important not just on Data Privacy Day, but every day!

Personal Information is like money. Value it. Protect it.

#PrivacyAware

Linnea Solem is Founder and CEO, Solem Risk Partners, LLC, a management consulting and advisory services company focused on Third Party Risk Governance, Privacy Program Management, and Enterprise Risk Management. Linnea serves on the Shared Assessments Advisory Board.

2019 Shared Assessments Third ...

Jenny Burke 01-07-2019

Shared Assessments has released its updated 2019 Third Party Risk Management Toolkit which serves organizations for vendor risk management, regardless of size and industry. The Toolkit elements help both outsourcers and providers to meet regulatory, consumer and business scrutiny within the constantly evolving landscape of cyber and other security threats and vulnerabilities.

Shared Assessments keeps a close eye on emerging regulations, guidelines and standards for a wide range of industries, such as NIST 800-53r4, NIST CSF 1.1, the FFIEC CAT Tool and PCI DSS 3.2.1. That knowledge is used to update the new Toolkit, which embodies multiple Tools for a comprehensive “trust, but verify” approach to conducting third party risk management assessments, using a substantiation-based, standardized, efficient methodology.

The 2019 Third Party Risk Management Toolkit includes:

  • 2019 Standardized Information Gathering (SIG) Questionnaire Tools
  • 2019 Standardized Control Assessment (SCA) Procedure Tools
  • 2019 Vendor Risk Management Maturity Model (VRMMM) Benchmark Tools
  • 2019 General Data Protection Regulation (GDPR) Privacy Tools

Changes to the Toolkit were determined by the collective intelligence of our membership, bringing a diversity of views from:

  • Outsourcers, service providers, licensees, assessment firms and regulators.
  • Organizations from start-ups to large, global corporations.
  • Industries such as Financial, Insurance, Consumer Packaged Goods, Services, IT and Healthcare.
  • Subject experts in cybersecurity, privacy, supply chain risk, compliance, regulation, enterprise risk management and third party risk.

The updates for 2019 are a response not only to the changing regulatory and risk landscape, but to our hundreds of members and tool purchasers looking to perform vendor risk assessments that provide assurance but are also efficient and fast. The 2019 Toolkit was built to standardize excellence in content while also making assessments easier to create, customize and manage. The tools are also built to work together, following the typical process a third party risk practitioner would use to implement their program.

2019 Standardized Information Gathering (SIG) Questionnaire Tools

The 2019 SIG has undergone a major functionality and content reorganization. The SIG now functions as a questionnaire management tool that allows you to build, customize, analyze and store questionnaires.

  • Architecture – Questionnaires are now created from within the SIG Management Tool. Along with streamlined code, this makes the 2019 SIG file smaller, enabling questionnaires to be created more quickly. You can now create a SIG with all questions on one tab, or with a tab for each risk domain.
  • Content Library – There is no longer a “Full” SIG, but rather a database of member-vetted questions called the Content Library. The Content Library includes the SIG Core and SIG Lite questions, but also houses industry-specific questions. You can even add custom questions to be treated and scored like any other included question.
  • Custom Scoping – Custom Scoping allows you to create the questionnaires you need without losing the benefits of standardization, by drawing from the Content Library. You now have three ways to edit a questionnaire: by control domain, by external requirement, or by control category and subcategory.
  • Saved Questionnaires – A SIG questionnaire can now be saved as a template to be modified later, making it easy to create questionnaires for new vendors.
  • SCA Integration and Scoping – The 2019 SIG is now integrated with the Standardized Control Assessment (SCA) Procedure Tools for onsite and virtual assessments. You can now take a completed SIG and automatically create an SCA.

Content updates to the 2019 SIG Tools include:

  • Privacy and Compliance Updates – Updated with relevant and current U.S. and international regulatory and privacy requirements, including an update of GDPR-related content.
  • Industry-Specific Content – Content Library additions including FDA content for Consumer Packaged Goods (CPG) and Life Sciences, Insurance industry-specific content and IoT (Internet of Things) content.
  • Mapping – The following nine mappings to Authority Documents are now included within the body of the SIG and can be used when creating questionnaires:
    • FFIEC APPENDIX J – Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook – Appendix J: Strengthening the Resilience of Outsourced Technology Services, February 2015
    • FFIEC CAT Tool – FFIEC Cybersecurity Assessment Tool (CAT), May 2017
    • FFIEC MANAGEMENT HANDBOOK – FFIEC IT, IS & Outsourcing Examination Management Handbooks, November 2015
    • GDPR – EU General Data Protection Regulation (GDPR), April 2016 (Effective May 2018)
    • HIPAA – U.S. Department of Health and Human Services, Health Insurance Portability and Accountability Act (HIPAA) Simplification, March 2013
    • ISO 2700X – International Organization for Standardization (ISO) 27001/27002, 2013
    • NIST 800-53r4 – NIST SP 800-53r4 Security & Privacy Controls for Federal Information Systems and Organizations, January 2015
    • NIST CSF 1.1 – National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 1.1, April 2018
    • PCI 3.2.1 – Payment Card Industry (PCI) PCI DSS v3.2.1, May 2018

 

2019 Standardized Control Assessment (SCA) Procedure Tools

The SCA Tools are a standardized set of assessment procedures. When combined with the scoping features of the SIG, the 2019 SCA is a quick and efficient way to assess service providers during onsite or virtual assessments.

Enhancements to the 2019 SCA include:

  • Updated Guidance Documentation – The main SCA document includes new reference material that helps users complete assessments faster and with a better understanding of the controls being assessed.
  • SCA Report Template – The SCA reporting template is now in spreadsheet format, making it easier to document findings while onsite, copy and paste data, and use the template on a mobile device.
  • Executive Summary Template – A new Executive Summary Template is included to assist in creating a lightweight summary report of the SCA findings for management, without all the detail of the full report.
  • SIG Integration and Automatic SCA Scoping – Using the SIG with its embedded SCA content, automatic customization is available to make SCA assessment procedures match just the SCA questions that were scoped and answered by the Assessee in a SIG.
  • SCA Assessment Standards for Distributable Reports – Due to the requirements within the SCA Standards for distributable reports, the outsourcer can be assured that the procedures in an SCA will be performed consistently, regardless of which certified organization performs it.
  • Content Updates
    • Privacy and Compliance Updates – Updated with relevant and current U.S. and international regulatory and privacy requirements, including an update of GDPR-related content.
    • SIG Alignment – The SCA has been thoroughly reviewed and updated to align more closely with the SIG, using matching terminology and making it simpler to follow the “trust, but verify” model of third party risk management.
    • GDPR Privacy Tools Alignment – The GDPR Toolkit aligns completely with the SCA, ensuring SCA-based assessments address the most current privacy considerations.

2019 Vendor Risk Management Maturity Model (VRMMM) Benchmark Tools

The VRMMM, available since 2013, is the longest running third party risk maturity model, and has been vetted and refined by hundreds of the most experienced third party risk management professionals.

2019 saw significant updates to the VRMMM content, including:

  • Privacy and Compliance Updates – Updated with relevant and current U.S. and international regulatory and privacy requirements, including an update of GDPR-related content.
  • Inclusion of recent guidance regarding Third Party Risk Management from:
    • The American Institute of Certified Public Accountants (AICPA) which sets guidelines for public auditing principles.
    • The Office of the Comptroller of the Currency (OCC), which supervises the safety and soundness of U.S. national banks.
    • New York Department of Financial Services Part 500 of Title 23 of the Official Compilation of Codes, Rules and Regulations of the state of New York (NYDFS 23 NYCRR 500), which is a cybersecurity regulation mandated for any financial services company doing business in the U.S. state of New York.
    • Privacy requirements including the European Union General Data Protection Regulation (GDPR).

The VRMMM is important to third party risk, and we have made it free to members and non-members. It can be downloaded here.

 

2019 GDPR Privacy Tools

The GDPR Privacy Tools help meet the requirements imposed on how Controllers (i.e., outsourcers) must appoint and monitor Data Processors (i.e., third parties/vendors) as a part of GDPR.

Enhancements to the 2019 GDPR Privacy Tools include:

  • The GDPR Tool kit was originally released prior to the GDPR compliance deadline of May 25, 2018. The focus and narrative were on preparation for the upcoming deadline. Now that the deadline has passed, the leading practices incorporated in the tools have been updated based on the experiences of dozens of Shared Assessments member companies.
  • The template tools were enhanced to better allow tracking of issues over time.

Download this free tool.

To learn more about the Toolkit updates, and to learn how the tools work together for a Third Party Risk Management Program, you can;

Coming Soon: 2019 Shared Asse...

Jenny Burke 12-05-2018

The Santa Fe Group elves are working hard to make December great for our members. The Third Party Risk Management Toolkit is expected to drop in mid-December.

We are particularly proud of what the Toolkit will bring our members this year.

It’s all in the Name. Calling it a Toolkit reflects how it is used. The tools are designed to work together, following the typical process a third party risk practitioner would use to implement a program. The Toolkit embodies a “trust, but verify” approach to conducting third party risk management assessments and uses a substantiation-based, standardized methodology.

Our Membership Roots. The Toolkit, like all our resources, was built by the collective intelligence of our diverse membership. The practitioners who came together to create the Toolkit come from different industries, perspectives and company sizes, but they all share a passion for creating resources that will improve third party assurance.

We Heard You. The major changes in the Toolkit are all about making the tools easier to use. Here are just a few of the new features we are most excited about:

  • SIG Content Library – there is no longer a “Full SIG” but rather a Content Library that SIGs are created from. To build a questionnaire, practitioners will select a SIG Core or SIG Lite from within the SIG Management Tool and will scope it from there by industry specific content, authority document, individual questions, control categories and risk tiers. This means that your SIG will be exactly the size you need it to be.
  • SIG|SCA Integration – SCA content is now contained within the SIG, so when you scope your SIG you are also scoping your SCA for the accompanying onsite or virtual assessment to go along with the questionnaire.
  • New SIG Architecture – Questionnaires are now created from within the SIG Management Tool. Along with streamlined code, this makes the 2019 SIG file smaller, enabling it to run more smoothly and questionnaires to be created more quickly. You now have a choice to create a SIG with all questions in one tab or with a tab for each risk domain.
  • Saved Questionnaires – Any SIG questionnaire can be saved as a template to be used or modified later, making it easy to fit existing questionnaires to new vendors.

All of our tools have also received a regulation refresh, taking into account recent national and international regulatory changes. One of the most requested new authority documents, NIST 800-53r4, is now mapped within the SIG.

Stay tuned for the tool release later this month. To make sure you are on our distribution list, or for any questions, please email us.

Fear, Uncertainty and Doubt Ma...

Tom Garrubba 11-15-2018

As cybersecurity programs become more integrated into enterprise risk management (ERM) programs, security professionals grapple with new issues. Rather than relying on fear, uncertainty and doubt (FUD) to fuel their business case for budget increases, cybersecurity leaders are striving to quantify the business impact and probability of cybersecurity events while evaluating new options, including cyber insurance policies, and looking for new ways to address growing challenges, such as third-party risk management.

 

That’s the theme of a comprehensive CSO Online article that features insights from leading security executives and other experts, including Santa Fe Group Senior Director Mike Jordan. Mike weighs in on the growth of the cyber insurance sector. He notes that companies selling these policies have developed “a fairly good idea of what they’re willing to insure and the security measures they require you have in place in order to get a policy.” Mike’s discussion also touches on the increasingly valuable role of vendors that measure a company’s cybersecurity risks and assessment firms that conduct cybersecurity audits.

 

Of course, many organizations still have a ways to go when it comes to quantifying cybersecurity risks and assimilating cybersecurity programs into ERM. The article, authored by CSO Contributing Writer Maria Korolov, pinpoints several obstacles limiting progress toward those two objectives and then highlights approaches that have proven effective in clearing these hurdles.

 

The challenges hampering the integration of cybersecurity into overarching risk management programs include:

  • Getting lost in translation: “There’s often a disconnect between the language of security and the language of risk, and that can make it harder for a CSO to play a meaningful role in the enterprise risk management discussion,” Korolov writes, noting that “many cybersecurity experts throw up their hands in frustration when asked about how they quantify the risk reduction associated with particular mitigation strategies…”
  • An overly tactical focus: Cybersecurity professionals – for sound reasons – tend to focus on “very tactical technical issues,” such as patching vulnerabilities as soon as possible. While this perspective is necessary, it can be helpful to also frame and communicate security priorities in broader business terms. If a patch is needed, for example, the information security group should also estimate and communicate the potential cost – in lost business, remediation and potential regulatory fines – of leaving the vulnerability exposed.
  • Quantifying risks is difficult: According to a patch management expert cited in the article, “there is no formula for calculating how much the implementation of each control lowers your risk.” While the art and science of quantifying cybersecurity risks is advancing, organizations should prioritize risks that elude quantification.
  • Boards misunderstand cyber risk: Deloitte Partner Dan Kinsella frequently speaks to corporate boards about cybersecurity oversight. He says that some boards have yet to grasp the fluid nature of cybersecurity risks. Once a specific cybersecurity issue has been addressed, some boards tend to consider the matter closed. “That’s not the case with cyber risk,” Kinsella stresses.

 

Korolov includes high-level snapshots of effective cybersecurity-ERM integrations. Several key enablers of this approach within Aetna provide a clear picture of what is needed to succeed, including:

  • Categorization: Cyber risks are treated as an operational risk within Aetna’s ERM framework.
  • Involvement: Aetna’s chief security officer (CSO) is a member of the risk committee that governs the ERM program.
  • Measurement: “Specific and quantitative” cyber risks are evaluated and managed according to the daily risk score they are assigned.
  • Mindset: Aetna’s CSO also stresses that his group’s risk-management activities and requirements significantly exceed what is required from a regulatory compliance standpoint.

 

Korolov’s reporting also emphasizes that third party risks further complicate the already difficult challenge of measuring the probability and potential bottom-line impact of breaches. Fortunately, progress is being made – as Mike asserts: “Measuring cyber security risk,” he tells CSO, is “becoming less art, and more science.”