Payment Systems, Data Breaches, Cybersecurity
Experts Discuss an Ever-Changing Threat Landscape; Share Insights on Third Party Oversight and How to Manage an Effective Vendor Risk Management Program
Santa Fe, N.M. — March 5, 2015 — Risks to sensitive data have never been greater. With the rise in cyber attacks and data breaches, outsourcing to third parties can present an exponential threat to corporations. New regulations, technologies, standards, and security threats require organizations to implement robust vendor oversight to meet and stay ahead of the latest risks and challenges from new payment methods and systems, data breaches, and cyber attacks. Shared Assessments, a cross-industry, member-driven organization focused on third party risk management, asked leading experts to offer new strategies and best practices that address the changing risk management landscape, especially when it comes to storing and handling sensitive data and managing access to it. Experts offer these top 10 tips:
1. Hackers are using your third parties to get to your data.
Understand the risks of outsourcing functions and make sure that you’re comfortable with their privacy and security posture, in advance of executing the relationship.
–Catherine A. Allen, chairman and CEO, The Santa Fe Group
2. Ensure your third parties perform sufficient background checks on their workforce.
The workforce continues to be one of the largest security vulnerabilities. Are you comfortable that the third party you are contracting with has performed sufficient background checks on all members of its workforce who will have access to your sensitive data, and is requiring its subcontractors to do the same?
–Adam Greene, partner, Davis Wright Tremaine LLC
3. Proactively plan for third party data compromises.
Many organizations are not prepared to manage their own incidents and cyber attacks—let alone plan for third party incidents and attacks. The same due diligence that organizations apply to their own incident response plans must be applied in this critical area of managing sensitive data outsourced to third parties, including demonstrating how they are protecting the data, maintaining a mature incident response plan, testing the plan, and providing strong contractual service level agreements to report compromises back to the organization.
–Rocco Grillo, managing director, Protiviti Inc.
4. Implement a holistic approach to vendor risk management.
Assessing and managing vendor risk is an ongoing process at each phase of the lifecycle of the third party relationship, from onboarding to ongoing monitoring, to exit strategies. Programs should adopt an approach that brings together all of the parts of an organization that play a role in third-party risk management, to drive a holistic approach to vendor risk assurance.
–Mary Kipp, president, El Paso Electric
5. Don’t overlook nested relationships.
Understanding how your service provider is protecting its relationships with other parties and the potential impact to your sensitive data is critical. As this dependency will only increase, organizations will need to manage these relationships intelligently, being diligent in evaluating and determining what additional parties are involved in the service provided; the level of risk involved; and how they can ensure the protection of payment card data wherever it may travel—including locations such as backup contingency for the service provider directly.
–Troy Leach, CTO, PCI Security Standards Council
6. Know your vendor.
This is essential for managing the risks holistically throughout the third party relationship lifecycle. One critical part of this practice is to perform a vendor risk assessment to identify, mitigate, and monitor security risks based on the organization’s control objectives. Applying industry standards will enable the organization to achieve efficiency and scalability in the implementation.
–Lin Lu, managing director, Deutsche Bank
7. Define a comprehensive set of security safeguards for your data.
You cannot outsource your security responsibilities with regard to protecting corporate data that is critical to your mission and business success. Defining a comprehensive set of security safeguards for the protection of such data and obtaining verifiable evidence that the selected safeguards have been effectively implemented increases the level of transparency and trust between consumers and producers.
–Ron Ross, NIST Fellow, National Institute of Standards and Technology
8. Don’t treat all third parties with the same risk perspective.
Third party risk is not created equally. Define criteria to classify your service providers by risk or criticality, and focus oversight efforts. Make sure you define and drive your third party program, leveraging tools to support your objectives versus letting a tool drive your third party risk strategy.
–Linnea Solem, chief privacy officer and vice president-risk/compliance, Deluxe Corporation
9. Factor in risks.
Often in offshoring and outsourcing, companies account for operational or technical risks but do not factor in location risks. Also, companies factor in and monitor operations and service risk but do not factor in and monitor people-related risks. Monitoring risks is a key capability that risk managers need to either create themselves or buy. This capability needs to be real-time to be adequate and effective.
–Atul Vashistha, chairman, Neo Group
10. Detect and share information about cyber threats.
With a rapidly changing cybersecurity threat landscape, it is important to influence your vendor community to actively participate in Information Sharing & Analysis Centers (ISACs) to continually detect and share information about cyber threats. The more information organizations share, the more resilient all of our IT security programs will be.
–Brenda Ward, director, global information security, Aetna
Shared Assessments Summit 2015 to Explore Additional Insights on Vendor Risk Management
Additional vendor risk management insights and strategies will be discussed in detail at the 8th Annual Shared Assessments Summit 2015, taking place April 29-30, 2015 in Baltimore. Key topics at this year’s Summit include:
- Governance and Oversight—An Old Concept with a New Landscape
- The Learning Curve: Heightened Expectations and the Board’s Role in Risk Management
- The Changing Payments Landscape: Impact of Recent Rapid Technology Changes on Risk Monitoring and Mitigation
- Breach Incidents and Management
- The Impact of Demographic Shifts on Technology Development, Corporate Management, and Risk Exposure
- Software Application Security and Cybersecurity: Impact on Third Party Risk Management
- Vendor Risk Management—Keeping Our Eyes on What Matters Most
- Collaborative Onsite Assessments
- Third Party Oversight
For more information and to register, please visit: https://sharedassessments.org/shared-assessments-summit-2015/.
About the Shared Assessments Program
The Shared Assessments Program is the trusted source for third party risk management with resources, including tools and best practices, to effectively manage the critical elements of the vendor risk management lifecycle. Members represent a collaborative, global, peer community of information security, privacy, and third party risk management leaders in industries including financial services, insurance, brokerage, healthcare, retail, and telecommunications. The Certified Third Party Risk Professional (CTPRP) certification program, membership, and use of the Shared Assessments Program Tools, ensure organizations stay current with the threat and risk environment, including regulations, industry standards, and guidelines. Shared Assessments provides organizations and their service providers the rigorous controls needed for IT, data security, privacy, and business continuity. The Shared Assessments Program is managed by The Santa Fe Group (www.santa-fe-group.com), a strategic consulting company based in Santa Fe, New Mexico. On the web at https://sharedassessments.org.