Information Security Risks assisted Business models for banking & financial services(BFS) institutions have evolved from being a monolithic banking entity to multi-tiered service entity.
What this means to BFS companies is that they need to be more updated and relevant with regards to technology & the quality of all services provided to their clients. The most opted methodology to do that today is by means of outsourcing services to vendors & 3rd parties.
Though outsourcing is cost beneficial to companies, this approach comes with its own set of drawbacks. It is judicious to say that every outsourcing enterprise should be aware of the risks that vendors bring to the table.
Though vendors bring in a lot of operational Information Security Risks depending on the business engagement, a methodology to manage only the 3rd party Information Security Risks are discussed here.
Just to provide a sense of the impact that vendor Information Security Risks brings to organizations, below are some of the facts from surveys conducted by Big 4 consulting companies like PwC & Deloitte.
According to Deloitte “94.3% of executives have low to moderate confidence in their third-party risks management tools & technology, and 88.6% have low to moderate confidence in the quality of the underlying Information Security Risks management process” .
We know the problem now, how do you begin resolving it??
A perfect place to begin is with the sourcing team and /or procurement team depending on how your organization is set up. In an ideal world, these teams are expected to have an inventory of all vendors, 3rd parties & Partners of your organization.
Once we have this inventory in place, the IT vendor risk management (IT- VRM) team needs to segregate the IT vendors from the non-IT ones. This is a onetime activity. For future needs, it is recommended to have the sourcing team segregate vendors basis on their business engagement (IT vs Non-IT).
Understanding your Vendors & the Information Security Risks they carry:
One of the simplest & efficient way to understand your vendors is by having a scoping checklist, that details the vendor business with your organization, kind of data touchpoints & exchanges, kind of Information Security Risks that your organization is exposed by this outsourced business.
This information is usually available with the vendor manager representing your organization in the vendor relationships.
Below is the list of Information Security Risks pointers (not limited to) that you might want to consider asking your vendor manager.
- Regulatory risk – Does this relationship affect your regulatory posture? What is the penalty associated with such regulatory non-compliance?
- Reputational risk– Does this service impact your clients & the reputation you hold with them?
- Financial risk– Any financial Information Security Risks associated with business engagement?
- Information security risks – what data are shared as part of the business engagement with the vendor? how secure is the vendor with regards to protecting your organization data?
- Resiliency risks – Does the vendor introduce any single point of failures to your business practices?
For understanding the level of assessment to be performed with the vendor, you will need to understand the vendor’s business operating model.
Below is an indicative list of themes that you might want to discuss with vendor manager to understand the scope of the vendor assessment.
- Data attributes shared & received with the vendor, volume of data & frequency
- Mode of communication/interfaces with a vendor – Mail, remote connection to vendor network, the remote connection from vendor to your internal network, data upload only, data download only, vendors are brought on-site & connect from your offices to provide services
- Services provided – Data center services, Application provider, Cloud service provider, Data processing services, & many others.
Information Security Risks Rating, Assessment recurrence & Assessment type:
In Information Security Risks, The basis on the outcomes from the previous step, a consolidated risk matrix may be developed with the total impact & likelihood of the vendor. Depicted below is a sample of a Qualitative risk matrix.
Recurrence of vendor assessment lies with the Information Security Risks rating derived earlier. Industry best practice is to have more frequent & stringent assessments for critical vendors than other vendors.
Also, the degree of assessment for each vendor might vary depending on the Information Security Risks vendor carries. For instance, a critical vendor providing infrastructure services could be rated a High/critical vendor & would hence need a more detailed IT assessment.
Fig-4: depicts the various types of checks that should be performed for various types of vendors along with the assessment cycle. This is just an indicative list & might vary based on organization.
Below list gives a description of the types of tests that could be performed for any Vendor
- Test of design: Evaluate, review Policy, procedures, standards&contractsof the vendor organization
- Test of Effectiveness: Evaluate & review the evidence that are in support of the design evidence produced by the vendor for various controls.
- Physical Site- visit: IT-VRM team could plan to visit the vendor premises for a much broader assessment, this is the most exhaustive forms of testing & can be restricted to be performed only for Critical/high vendors.
For Example, if your checklist expects the vendor to have an updated/reviewed information security policy at least on an annual basis. Your Design test should check if the policy mandates the information security team (or) the authorized team to review the policy annually. Your Effectiveness Test should check the actual vendor information security policy for recent updates & see if it was reviewed annually.
Assessment Checklist & Methodology:
Now that we know who our Vendors are, what they do, what Information Security Risks they bring in to the organization, what kind of assessments to be performed & how frequently to do it, the assessment checklist & methodology needs to be finalized. Many organization uses different control frameworks to do this depending on the business vertical they belong to. Some of the common control frameworks are listed below,
- SIG (Standard Information gathering)
- NIST SP -800:35
- PCI DSS latest version
SIG is the most sought-after solution from the list since it comprehends all major control frameworks listed here.
Hence, it is more exhaustive in nature. Irrespective of what control framework is adopted, a control questionnaire needs to be prepared with respective of the business service being delivered by the vendor nothing more & nothing less.
A control questionnaire needs to be dynamic with regards to each vendor & needs to be checked for adequacy & relevancy by the IT-VRM team before issuing one to the vendor.
Fig :5 below,shows the list of different control areas that might be accounted for creating a control questionnaire. Once the questionnaire is created it needs to be shared with the corresponding vendor personnel for collecting their responses
Based on the Checklist used for the vendor assessment, vendor personnel needs to respond to the questionnaire with relevant evidence corresponding to each control. This is related to the type of assessment being performed (Design (or) Execution (or) Physical site visit). Usually, a communication is shared with the vendor personnel on the guidelines on how to respond to the questionnaire & the timelines for completing it.
Challenges & concerns in the Vendor assessment phase:
The vendor might have some issues in responding to your questionnaire, listed below are some of the sample cases,
1. Confidentiality issues in Sharing critical documents – Some vendors might not be allowed to share their internal documents as their policy might restrict them from doing so. In such cases, aNDA may be signed between your organization & vendor for sharing critical documents. Alternatively, an a screen sharing session with the vendor can help in to review the documents remotely. Worst case scenario, a physical visit to the vendor’s office might be the only solution.
2. Responding to a big questionnaire might take time–In certain cases, where the questionnaire might roll up to 200+ questions, it is obvious that the vendor might take time to respond to your questionnaire.
A solution to such cases is to receive their 3rd party attestation reports on vendor controls performed by big 4 consultants (or) external consultants.
Example of such reports is SOC1,2 reports. These reports justify the control set up in place for a control area from an independent view. These reports speed up the process of acquiring information about controls available with the vendor & can be used as alternatives to actual evidence themselves.
Concluding Vendor assessment & Reporting:
A review of the evidence provided by the vendor on the questionnaire is one of the key steps in assessing vendor Information Security Risks. Each question/control should be reviewed by the IT-VRM team in your organization for adequacy & relevancy.
Controls that do not meet the expected quality/quantity of responses should be flagged. These flagged controls should be compiled & assessed for the impact to your organization. Gaps should be classified based on impact & probability of a threat to your organization.
A report based on the review should be published to the vendor. This report should have the below sections & details at a minimum.
- Vendor Description of business services
- Executive summary of Information Security Risks & Residual risk rating of vendors
- Next scheduled date of assessment (depending on the residual risk level & frequency)
- Detailed information on risks/ gaps that were identified from the questionnaire.
- Agreed action plan for individual Information Security Risks with timelines for remediation. This should also have an accountable party from the vendor organization, who needs to own the action plan.
Vendor gap management:
The whole process of vendor risk management is complete only when all the reported gaps are remediated /treated by the vendor. This is achieved by following up with the vendor on a frequent basis.
While reviewing/closing the gaps identified during the initial assessment, due care must be taken to validate the completeness of the control implemented to fix it.
Expected deliverables that qualify for a proper sign-off must be part of the action plan. These deliverables would need to be verified while closing the gaps. Fig-6 below shows the overall process of the IT vendor risk management process discussed.
IT Vendor Risk management is one service that should either be managed by a dedicated team such as the ITVRM team (or) it can be managed by the internal audit team. In both cases, the lifecycle will be very similar to what was explained.
Most organizations consider outsourcing as a technique to evade Information Security Risks & costs, but outsourcing organizations are still the owners of the risks.
Outsourcing should be adopted only after considering all the risks & benefits from the vendor relationship, if the benefits overweigh the risks then it would be a wise decision to outsource it.
Also, a robust vendor risk management process should be in place to evaluate the risk profiles of vendors on a consistent basis. These risks should be part of the overall risk register that your organization maintains.