IIA Chicago Chapter 53rd Annual Seminar
April 15, 2013, Donald E. Stephens Convention Center
@IIAChicago
#IIACHI
CONCERNED ABOUT VENDOR MANAGEMENT?
Understanding third-party risk for technology companies
Michael Allen
Information Security Officer
Morningstar, Inc.
Vincent Concialdi
Managing Director
Grant Thornton LLP
About Morningstar, Inc.
Morningstar, Inc. is a leading provider of independent investment research in North America, Europe, Australia, and Asia. Our mission is to create great products that help investors reach their financial goals. We offer an extensive line of products and services for individual investors, professional financial advisors, and institutional clients.

Morningstar is a trusted source for insightful information on stocks, mutual funds, variable annuities, closed-end funds, exchange-traded funds, hedge funds, separate accounts, and 529 college savings plans.
LEARNING OBJECTIVES
• Examine the roles and responsibilities of risk management in finance, legal, procurement and business operations areas
• Identify a framework for assessing third-party risk
• Understand tools that can be used to provide comfort that proper controls are in place
DEFINING THIRD PARTIES
• Businesses that are not under direct business control of the organization that engages them
• Third parties may include:
• Vendors
• Distributors
• Suppliers
• Franchisees/licensees
• Joint venture or alliance partners
• Technology outsourcing providers
REAL RISK, REAL IMPACT
Huawei Threat: Real or Overblown?
Hacktivists target U.S. banks in DDoS attacks
Amazon EC2 service goes offline affecting thousands of websites
1.5M credit cards stolen in Global Payments breach
WHY IS THIRD PARTY RISK IMPORTANT?
Compliance
Reputational
Financial
Strategic
Regulatory / Contractual
Operational
SECTORS WITH HIGHER RISK
Technology providers
• Data centers
• Companies hosting IT applications
• Third party logistics companies
• Cloud or Software as a Service providers
• Telecom providers
• Any outsourcing company that manages information on behalf of others
Relevant industries
• Government
• Health care
• Banking
• Investment/fund managers
• Payroll management companies
• Financial Services
RESPONSIBILITY FOR THIRD PARTY RISK MANAGEMENT
Internal audit
Finance
Legal
Business operations/ IT
Compliance
Procurement
Vendor Oversight Function
WHERE DO YOU BEGIN? PROJECT OBJECTIVE
• Risk Assessment & Appeals Processes
– Customized the vendor due diligence process depending on the
company’s specific risks
– Rule-based point values assigned
– Cumulative score will dictate level of additional investigation if required
FACTORS TO CONSIDER WHEN ASSESSING RISK

| Risk Domain | Assessment Factors |
|---|---|
| Strategic | • Level of importance of vendor to corporate operations |
| Reputational | • Magnitude of potential loss if there are problems with the vendor relationship |
| Regulatory | • Level of vendor oversight/monitoring • Reporting required by outside regulatory body |
| Operational | • Type of vendor – nature of products/services provided • Frequency of communication with vendor |
| Financial | • Magnitude of potential direct damages associated with a data breach |
| Compliance | • Safeguards or controls designed to ensure compliance with relevant regulations and contract obligations • Availability of audit reports or existence of "right to audit" clause |
EXAMPLE OF HOW TO DEFINE THE RISK UNIVERSE

| Vendor Name | Vendor Type | Nature of service being provided | Contractual details | Geographical/global consideration | Applicable regulatory requirements (e.g., HIPAA, FCPA) | Primary relationship owner within organization (e.g., IT, finance, marketing) | Provides an audit report such as SOC 1 | Right to audit clause |
|---|---|---|---|---|---|---|---|---|
| Payment Card Gateway | Credit card service provider | Credit card processor | Three-year agreement | Credit card data processed in small town USA | PCI-DSS | Bob, Subscription Management | Yes, SOC 2 and PCI ROC | No |
| HR System | HR system provider | HR support portal | One-year auto-renewing contract | Global workforce | Privacy laws, Safe Harbor | Larry, Human Resource Director | No, Shared assessment (BITS) only | Yes |
| Quick Print | Printing/service provider | Prints/mails statements and marketing materials | Five-year agreement, approved by Legal department | Big City | N/A | Sally, Business Unit | Yes, SOC 2 | Yes |
WEIGHTING RISK FACTORS
Conduct Risk Assessment, drawing on:
• Business Requirements
• On-Site Review
• Vulnerability Assessment Reports
• Shared Assessment / BITS questionnaire
• SOC Reports
• Security Policy Review
WEIGHTING RISK FACTORS
Source: NIST SP 800-30
Identify Threat Sources
Identify Vulnerabilities
Quantify Likelihood and Impact
Determine Residual Risk
Examine Compensating Controls (if any)
WEIGHTING RISK: IMPACT SCALE
3 – High Impact
• Financial: Severe and un-recoverable financial loss
• Reputation: Global, long term impact to brand. Negative press expected
• Regulatory: Serious regulatory violation that will result in fines
2 – Medium Impact
• Financial: Costly loss (can be recovered from)
• Reputation: Serious short term or moderate long term impact to brand
• Regulatory: Potential regulatory violation that may result in fines. Compensating controls possible.
1 – Low Impact
• Financial: Insignificant financial loss, fully recoverable
• Reputation: Limited, short-term inconvenience. Little to no negative press
• Regulatory: No regulatory violation
WEIGHTING RISK FACTORS
Source: NIST SP 800-30

| Likelihood \ Impact | 1 - Low (10) | 2 - Medium (50) | 3 - High (100) |
|---|---|---|---|
| 3 - High (1.0) | 10 x 1.0 = 10 | 50 x 1.0 = 50 | 100 x 1.0 = 100 |
| 2 - Possible (0.5) | 10 x 0.5 = 5 | 50 x 0.5 = 25 | 100 x 0.5 = 50 |
| 1 - Unlikely (0.1) | 10 x 0.1 = 1 | 50 x 0.1 = 5 | 100 x 0.1 = 10 |

Risk Scale: High (>50 to 100); Medium (>10 to 50); Low (1 to 10)
WEIGHTING RISK FACTORS
Source: NIST SP 800-30
Information Security – Risk Assessment
Threat Source: Un-authorized users, hackers, criminals, terminated / disgruntled employees
Vulnerability: Sensitive production data is copied into QA environments for test purposes and is accessible by development and QA personnel
Compensating Controls: None
Likelihood Rating: 2 – Possible
Impact Rating: 3 – High
Residual Risk: HIGH (50)
Recommendation: Scrub all sensitive data prior to it being placed in a non-production environment
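The likelihood x impact matrix and the QA-data case above, carried through in code as an added example (not from the seminar deck). The weights and band boundaries are the page's own; the function and finding names are assumptions. One caveat the code makes visible: the page labels the case "HIGH (50)", but the stated scale puts 50 at the top of the Medium band, so the boundary reading should be settled before a program relies on it.

```python
# Added example: NIST SP 800-30 style likelihood x impact scoring as shown on
# the slides. Weights and bands come from the page; names are assumptions.
from dataclasses import dataclass

# Impact weights from the matrix: 1 - Low = 10, 2 - Medium = 50, 3 - High = 100
IMPACT_WEIGHT = {1: 10, 2: 50, 3: 100}
# Likelihood weights: 1 - Unlikely = 0.1, 2 - Possible = 0.5, 3 - High = 1.0
LIKELIHOOD_WEIGHT = {1: 0.1, 2: 0.5, 3: 1.0}


def risk_score(likelihood: int, impact: int) -> float:
    """Impact weight multiplied by likelihood weight, for 1..3 ratings."""
    if likelihood not in LIKELIHOOD_WEIGHT or impact not in IMPACT_WEIGHT:
        raise ValueError("ratings must be 1, 2 or 3")
    return IMPACT_WEIGHT[impact] * LIKELIHOOD_WEIGHT[likelihood]


def risk_band(score: float) -> str:
    """Apply the page's scale: High (>50 to 100); Medium (>10 to 50); Low (1 to 10).
    The lower bounds are exclusive, so 50 is Medium and 10 is Low."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    if score >= 1:
        return "Low"
    raise ValueError(f"score {score} is below the scale")


@dataclass
class Finding:
    """One assessed vulnerability (assumed structure, mirroring the slide fields)."""
    vulnerability: str
    likelihood: int
    impact: int
    compensating_controls: str = "None"

    def residual(self) -> tuple:
        score = risk_score(self.likelihood, self.impact)
        return score, risk_band(score)


def full_matrix() -> dict:
    """All nine cells keyed by (likelihood, impact), reproducing the slide."""
    return {(lk, im): risk_score(lk, im) for lk in (3, 2, 1) for im in (1, 2, 3)}


# Constructed finding mirroring the slide: production data copied into QA.
QA_DATA_FINDING = Finding(
    vulnerability="Sensitive production data copied into QA environments",
    likelihood=2,  # 2 - Possible
    impact=3,      # 3 - High
)

if __name__ == "__main__":
    score, band = QA_DATA_FINDING.residual()
    print(f"residual risk score {score:g}, band {band}")
```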
WEIGHTING RISK: SIGN-OFF PROCESS
Signature of Business Owner
I accept the risks identified in this assessment and understand that the acceptance of these risks may pose a significant security risk to my application, the company and/or our customers.
Signature: Title: Date:
Set Remediation Deadline and Follow Up With Owner!
RISK MITIGATION TECHNIQUES
• Transaction monitoring
• Increased data analysis and reporting
• Contract renegotiation
• Independent reviews
• Audits
• Site visits
• Questionnaire
AUDIT OPTIONS
USE OF ATTESTATION REPORTS
SOC 1
• provides vehicle for reporting on a service organization's system of internal control relevant to a user organization's internal control over financial reporting.
• intended as auditor-to-auditor communication, with specific content dependent on the service organization's system.
SOC 2
• address controls pertinent to the Trust Services Principles of security, availability, processing integrity, confidentiality and privacy.
• includes many of the same elements as a SOC 1 report
• principles and criteria developed by the AICPA and the Canadian Institute of Chartered Accountants.
AT 101
• allows service organizations to provide user organizations and other stakeholders with a tailored report on controls that are relevant to the services.
• highly flexible and can be leveraged for multiple industry standards (e.g., NIST, ISO)
A FEW THINGS TO NOTE ABOUT SOC REPORTS
Consider the following when reviewing a SOC report:
• Time period covered
• Handling of subservice providers (carve-out vs. inclusive)
• In-scope and out-of-scope locations
• Construction of control objective and control activities
• Sampling and testing methodology
• Exceptions noted and management response
ADDING VALUE: CASE STUDY
Scenario:
• A software as a service (SaaS) provider adds value to its customers by performing analytics on data received from its customers. To make the analytics operations effective, customers are required to exchange sensitive information with the SaaS provider.
Issue:
• In order for the customers to feel comfortable exchanging sensitive information with the SaaS provider, transparency into the confidentiality and security controls the provider has implemented is required
• The SaaS provider spends a significant amount of time completing security questionnaires (e.g. BITS or other proprietary questionnaires) to provide assurance that adequate security / confidentiality controls are in place
• The customer must trust the SaaS provider’s response (no third party review)
Solution:
• Conduct a third party confidentiality and security review on the SaaS environment (SOC 2) and make the report available to customers for review
Benefits Achieved:
• Increased transparency into control environment
• Third party attesting to the effectiveness of security and confidentiality controls (SOC 2 – Type 2)
• Reduction in time spent on completing third party security / confidentiality questionnaires
• Single / standardized report format
KEY TAKEAWAYS
• Understand and evaluate your third party relationships
• Know your risks
• Take reasonable steps toward risk mitigation
QUESTIONS
FOR MORE INFORMATION, CONTACT:
Michael Allen
Information Security Officer
Morningstar, Inc.
T 312.696.6302
Vincent Concialdi
Managing Director
Grant Thornton LLP
T 312.602.8731