2/14/2017
Outsourcing and the Need for Supplier Audits
John A. Gatto
Retired
April 3, 2017
Agenda
Why Audit Suppliers
Outsourcing
Supplier Risks
Minimum Security Standards
Audit Focus
Definitions
Third Party: Any entity not under direct business control of an organization (suppliers, business partners, marketing partners)
3rd Party Risk Management: Encompasses supplier risk management and is more broadly focused on understanding organizational risks, and on which of those risks can be affected by a third party, either positively or negatively
3rd Party Inventory: Comprehensive list of 3rd parties from across the enterprise; should also include subsidiaries
• High level of risk
• Access to / custody of vital information
• Critical to the success of the business
Why?
$50 billion estimated annual losses to business from data and identity theft
3rd parties are a major source of data breaches of regulated data
74% of companies do not have a complete inventory of all 3rd parties that handle personal data of their employees and customers (A)
73% of companies lack incident response processes to report and manage breaches involving 3rd parties that handle data (A)
Breaches and non-compliance can lead to brand reputation damage, fines, lost revenue and / or regulatory sanctions
Financial impact: investigations, legal fees, monitoring services for victims, reissuance of credit cards, government fines, etc.
(A) PwC 2014 Global State of Information Security Survey
Regulatory Requirements
GLBA
PCI
HIPAA
OCC / FFIEC
FDIC
ISO 27001
Key 2016 CEB Hot IT Spots
Third Party Relationships
Externalization of application development, infrastructure operations and back office processing is continuing to rise
Complex sourcing options and persistent economic volatility, poorly structured contracts, ineffective supplier risk management and lower quality services
Add to Audit Plan
3rd Party Contract Evaluation
3rd Party Compliance Review
Supply Chain Management Assessment
Third party information security audit
Key 2016 CEB Hot IT Spots
Key Risk Indicators
Number of compliance violations attributed to 3rd parties
Number of 3rd parties with access to sensitive company data
Use of right to audit clause
Number of 3rd party contracts established outside the procurement function
Frequency of business interruptions caused by 3rd party control breakdowns
Outsourcing
Transform non-core business processes and ensure that maximum value from resources is focused on core processes
Partnering with an outsourcer is a very effective means to build a company that is capable of meeting future needs and turning on a dime at a moment's notice
Delegate one or more business processes to an external provider who owns, administers or manages the processes based on performance metrics
Outsourcing Risks
Handling and processing of data
Security and access
Retention of data
System availability
Specific business factors
Areas for Outsourcing
• IT
• Accounting
• Corporate Services
• Document Management
• Healthcare processing
• Call Centers
• SoX / MAR Compliance
• CRM Storage
• Facilities
• Printing
• Internal Audit
• Real Estate
• Product Development
Major Types of IT Outsourcing
Application management
Infrastructure management
Help desk services
Independent testing / validation services
Data center management
Systems integration
R&D services
Managed security
Outsourcing Life Cycle
FEASIBILITY
• Building the business model and case
• Creating the baseline
• Understanding the market
• Assessing and benchmarking options
ALIGNMENT
• Validating the strategy
• Identifying options
• Preparing the business model
• Agreeing on sponsorship and building the team
Outsourcing Life Cycle
TRANSACTION
• Structuring the deal
• Agreeing on outsourced assets
• Negotiating the contract
• Delivering the deal and the business case
TRANSITION
• Delivering the change
• Getting quick returns on investment
• Establishing the culture
• Managing people
Outsourcing Life Cycle
OPTIMIZATION & TRANSFORMATION
• Monitoring the contract and resolving disputes
• Transforming the business
• Reassessing the relationship
• Delivering the business case – realizing the benefits
TERMINATION / RENEGOTIATION
• Determine SLA adherence – both parties
• Decide if agreement should continue or end
• If end, invoke termination process
• If continue, renegotiate contract
Supplier Risk Problems
What types of data do my suppliers have access to?
How are my suppliers protecting my data?
Highest Risk Industries
Government
Healthcare
Banking
Investment / Fund Managers
Payroll Management Companies
Financial Services
Outsourcing Life Cycle - Risks
• Alignment: Outsourcing strategy is not aligned with corporate objectives.
• Feasibility: Assumptions (payback period and savings) are wrong - inadequate due diligence from suppliers and the organization's failure to assess relevant risks.
• Transaction: Procurement policies not met; proper service-level agreements not implemented; regulatory implications not considered; contingency arrangements not planned.
• Transition: Lack of formal transition planning, failure to plan for retention of appropriate skills, and ineffective escalation and resolution of operational IT issues.
• Optimization and Transformation: Outsourcing contract is not managed effectively - outsourcing benefits and efficiencies are not achieved.
• Termination and Renegotiation: Inadequate termination of outsourcing processes.
Risk Management
Data flows in both directions between Suppliers, the Enterprise and Customers.
Supplier Risk Management: The process of assessing, mitigating and remediating key areas of risk around the suppliers that provide services to an organization
Customer Risk Management: The process of responding to, mitigating and remediating key areas of risk identified by customers. This is both a proactive (self identified) and a reactive (customer identified) process
TPRM – What It Is
Third Party Risk Management (TPRM) is the process of analyzing and controlling risks presented to your company, your data, your operations and your finances by parties OTHER than your own company.
Due Diligence is the investigative process by which a company or other third party is reviewed to determine its suitability for a given task. Due diligence is an ongoing activity, including review, monitoring, and management communication over the entire vendor lifecycle.
No universally-accepted framework like CobiT or COSO
Parties in Risk Management
Business Operations
Compliance
IT Security
Procurement
Finance
Internal Audit
Legal
TPRM - Process
Initial Risk Review
• Based on risk tier
• Documentation review
• On-site review
• Business process documentation
• Inherent risk / residual risk
• Remediation plan
Ongoing Monitoring
• Both for changed risks and for changes at third party
Recurring Reviews
• Based on risk tier
Classes of Data Suppliers Handle
Table columns: Classification of Data Handled by Supplier; Examples of Type of Data Handled by Supplier; Example of Supplier Business Relationship
Confidential
Examples of data handled:
• Protected health information
• Medical records
• Patient / member information
• Treatment & condition information
• Credit card information
• Member address
• Phone number
• Biometric info
• Email address
• Date of birth
Example supplier business relationships:
• Outsourced software development
• Outsourced software maintenance and support
• Customer / Member helpdesk
• Claims processing
• Mail / envelope stuffing and fulfillment
Restricted
Examples of data handled:
• Payroll information
• Employee performance data
• HR and personnel records
• Proprietary and trade secrets
• Proprietary code & business logic
• Investigations
• Tax information
• Employee info
• Highly sensitive reports
Internal
Examples of data handled:
• Reports / Assessments
• Findings and recommendations
• Strategy / roadmap documents
• Internal company memoranda
• Budgets
• Financial data
• Projections
Example supplier business relationships (Restricted and Internal data):
• Professional services firms
• Consultants and advisory firms
• Professional service contractors
• Payroll and check printing services
• Benefits administration services
• Tax compliance services
• HR consulting and outsourcing services
• Mission critical consultants and contractors
Public
Examples of data handled:
• Marketing and promotional materials
• Mailings and solicitations
• Public relations
• Campaigns and outreach
• Telemarketing
• Surveys
• Advertising material
• Web and media
Example supplier business relationships:
• Advertising agency
• Event marketing firm
• Web-design and digital media services
• Printing and graphics design
• Marketing and survey companies
Risk Levels by Types of Data
[Chart: Risk Level (Low / Medium / High) plotted against Classification of Data Handled by Supplier (Public, Internal, Restricted, Confidential); the risk level rises with the sensitivity of the data classification]
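The deck ties three things together without showing how they would be computed in practice: the supplier's risk tier follows the classification of data it handles (this slide), recurring reviews are scheduled "based on risk tier" (TPRM - Process), and the program is measured by the key risk indicators on the CEB slide. The following Python module is an added example, not code from the presentation or from the IIA; it rolls a small, constructed supplier inventory up into those three outputs. The tier-by-classification mapping, the review cadences, the supplier names and all figures in the inventory are assumptions made for the illustration.

```python
"""Supplier risk tiering, review scheduling and KRI roll-up for a third-party inventory.

Added example; the inventory, the tier mapping and the review cadences are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Set

# Assumed mapping from data classification to risk tier. The deck only states
# that risk rises with the classification; this exact assignment is an assumption.
TIER_BY_CLASSIFICATION = {
    "Confidential": "High",
    "Restricted": "High",
    "Internal": "Medium",
    "Public": "Low",
}

# Assumed recurring-review cadence per tier, in days ("Recurring Reviews - based on risk tier").
REVIEW_INTERVAL_DAYS = {"High": 365, "Medium": 730, "Low": 1095}

# Classes counted as "sensitive company data" for the KRI (assumption).
SENSITIVE = {"Confidential", "Restricted"}

TIER_ORDER = ["Low", "Medium", "High"]


@dataclass
class Supplier:
    name: str
    data_classes: Set[str]        # classes of data the supplier handles
    via_procurement: bool         # contract established through the procurement function
    right_to_audit: bool          # contract contains a right-to-audit clause
    audits_exercised: int         # number of times that clause has actually been used
    compliance_violations: int    # violations attributed to this supplier
    interruptions: int            # business interruptions caused by its control breakdowns
    last_review: Optional[date]   # None means the initial risk review has not happened


def risk_tier(s: Supplier) -> str:
    """The supplier inherits the highest tier implied by any class of data it handles."""
    tiers = [TIER_BY_CLASSIFICATION[c] for c in s.data_classes] or ["Low"]
    return max(tiers, key=TIER_ORDER.index)


def next_review_due(s: Supplier, today: date) -> date:
    """Initial review is due immediately; recurring reviews follow the tier's cadence."""
    if s.last_review is None:
        return today
    return s.last_review + timedelta(days=REVIEW_INTERVAL_DAYS[risk_tier(s)])


def overdue_reviews(inventory, today: date):
    """Names of suppliers whose review is due on or before `today`, sorted for stable reporting."""
    return sorted(s.name for s in inventory if next_review_due(s, today) <= today)


def key_risk_indicators(inventory) -> dict:
    """The KRIs from the 'Key 2016 CEB Hot IT Spots' slide, computed over the inventory."""
    return {
        "compliance_violations_attributed_to_third_parties": sum(s.compliance_violations for s in inventory),
        "third_parties_with_access_to_sensitive_data": sum(1 for s in inventory if s.data_classes & SENSITIVE),
        "contracts_with_right_to_audit_clause": sum(1 for s in inventory if s.right_to_audit),
        "right_to_audit_clauses_exercised": sum(1 for s in inventory if s.right_to_audit and s.audits_exercised > 0),
        "contracts_outside_procurement": sum(1 for s in inventory if not s.via_procurement),
        "business_interruptions_from_third_party_control_breakdowns": sum(s.interruptions for s in inventory),
    }


# Constructed sample inventory: fictitious suppliers and figures.
INVENTORY = [
    Supplier("ClaimsCo", {"Confidential"}, True, True, 1, 0, 1, date(2016, 3, 1)),
    Supplier("PayrollPrint", {"Restricted", "Internal"}, True, True, 0, 2, 0, date(2016, 9, 15)),
    Supplier("AdAgency", {"Public"}, False, False, 0, 0, 0, None),
    Supplier("Strategy Advisors", {"Internal"}, False, True, 0, 0, 0, date(2014, 1, 10)),
]

AS_OF = date(2017, 4, 3)  # the presentation date, used as "today" for the sample run

if __name__ == "__main__":
    for s in INVENTORY:
        print(f"{s.name:18} tier={risk_tier(s):6} next review due {next_review_due(s, AS_OF)}")
    print("overdue reviews:", overdue_reviews(INVENTORY, AS_OF))
    for kri, value in key_risk_indicators(INVENTORY).items():
        print(f"{kri}: {value}")
```

The inventory record deliberately carries the fields the later slides ask an auditor to establish (who is in the inventory, whether the contract went through procurement, whether a right-to-audit clause exists and whether it is ever exercised), so the KRI roll-up and the overdue list fall out of the same data rather than from a separate spreadsheet.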
Supplier Risks
Contract language not clear / missing critical component
Cannot meet contract due to financial issues
Security issues / data breaches affect company brand
Adherence to employment requirements
Not able to provide services to match SLAs
Inadequate recovery processes
Supplier Risks
Country specific laws and regulations hinder performance
Access to data outside of the business arrangements
Subcontractors not adhering to main contract provisions
Cost reductions not met
Loss of business knowledge
Customer restrictions
Supplier Risks
Process discipline
Scope creep
Turnover of key personnel
Knowledge transfer
Internal control structure
Culture
Supplier Landscape Considerations
On-shore versus off-shore Suppliers
• Risks in both
• Sensitivity with many customers about the availability of their data to off-shore personnel
Volume & sensitivity of data
• Increased reliance on Supplier solutions to work with your most sensitive data requires you to be cognizant of the shared risk
How data is accessed, stored, transmitted & viewed
• More control when Suppliers access the data via your network
• More risk when data leaves your network
Maturity of Supplier & Supplier's security program
• Understand the Supplier's commitment to security & reducing risk - a stolen unencrypted laptop can harm company reputation if data is exposed
Supplier Contracting
The Supplier sits at the center of six perspectives: Contracting, Security, Privacy, Business, Legal, Audit
Supplier Security Controls Life Cycle
Phase: Considerations
Strategy & Planning:
• Privacy, Audit, Legal & Security requirements
RFP:
• Supplier ability and method to meet contractual requirements
• Supplier security controls questionnaire
Contracting:
• Business Associate Agreements
• Minimum Security Requirements
Implementation:
• Requirements for data access, connectivity, data transfer, etc.
• Understanding the process for incident notification
Monitoring:
• Supplier security controls questionnaire
• Supplier assessments / audits
Contract Termination:
• Protocols over data when relationship no longer exists
Due Diligence
Audited financial statements
Experience & capabilities
Business reputation
Qualifications & experience
Existence of significant complaints, litigation or regulatory actions
Use of other parties or subcontractors
Scope of internal controls, systems, data security and audit coverage
Business resumption strategy & contingency plans
Adequacy of management information systems
Supplier management processes
Insurance coverage
Contract Risks
Understanding your needs
Establishing stakeholders and defining roles
Defining business and technical requirements
Defining supplier requirements
Supplier outsourcing
Key Contract Components
Scope
Data protection, privacy, and intellectual property
Price protections
Third-party assignments
Ownership of assets used or created by partnership
Conflicts among different legal systems
Contingency planning and change management
Right to audit
Termination
Dispute resolution
Confidentiality & security
Key Items to Understand
How is the contract structured for Suppliers: standard, Master Service Agreement, amendments, exhibits, appendices, etc.?
Do you have a "right to audit" clause in the contract?
Are services detailed?
Are locations identified and addresses provided?
Are resources assigned?
Is system access identified?
Are minimum security requirements included?
Minimum Security Requirements
Security Assessment
Conduct an annual security assessment
Identified gaps - remediation plans
Security Officer
Appoint a person who is either the Security Officer and/or is responsible for compliance
Implement Security Policies and Procedures
Document the administrative, technical and physical controls to protect data
Include appropriate disciplinary provisions for data security violations
Minimum Security Requirements
Awareness & Training
Have data security awareness and training
Receive training prior to contact with data
Security Monitoring
Continuously monitor security events / conduct periodic reviews of activity
Implement hardware, software and procedural audit control mechanisms
Incident Response
Timely notification of suspected / actual data compromise
Steps to prevent further damage and corrective action steps to stop the incident from recurring
Minimum Security Requirements
Physical Security
• Monitor building exterior and all entrances
• Process for logging and escorting visitors
• Deploy / monitor cameras 24 x 7
• Deploy and use electronic access control system
• Have solid floor-to-ceiling walls
• Provide alternate power sources
• Not display any information about Company
• Data received in paper or portable media stored in locked containers, etc.
Minimum Security Requirements
Physical Security outside the US - additional requirements
• Be enclosed by a compound wall with entry/exit gate attended by security guard 24x7
• Restricted access parking requires:
  • vehicle identifiers
  • vehicle examination prior to entrance (visual inspection of undercarriage, interior of vehicle, interior of trunk, etc.)
  • presentation of employee identification badge prior to entrance
Minimum Security Requirements
Workstation Security
Workstations shall be positioned so that XYZ data is not visible outside of the designated XYZ production area
Workstations shall lock after no more than 10 minutes of inactivity. Supplier personnel shall be instructed to lock their workstations whenever they are away from their desks.
Laptops shall not be used to access, process, transmit or store data
Minimum Security Requirements
Workstation Security
Print capability is disabled
Access to applications is limited. Applications not required for processing data are disabled.
USB and CD/DVD drives are disabled
End-point firewalls are installed on all Supplier workstations and configured to prevent unauthorized network access attempts
Minimum Security Requirements
Subcontractors
• Not employ subcontractors unless express written permission is granted prior to implementing the arrangement
• Monitor activities of subcontractors for compliance with the Agreement
Encryption
• Comply with standards provided by the National Institute of Standards and Technology (NIST).
• For data in transit, must use encryption technologies that comply with NIST and with applicable state and federal regulations ("Approved Encryption").
• Implement technical security measures to guard against unauthorized access to data that is being transmitted over an electronic communications network. Encryption shall be the primary means of securing the data while in transit.
Minimum Security Requirements
Other Security Requirements
Hard Copy Documentation
Remote Access / Network Security
Asset Tracking, Disposal & Destruction
Security Safeguards for Data in Transit
Anti-Malware
Patch Management
Logical Separation of Data
Access to Data
Development & Testing
Business Continuity / Disaster Recovery
Why Lax Supplier Management
No formal program or owner
No formal framework or guidance, so people don't know where to start
Time consuming
Too many vendors to assess OR lack of vendor inventory to know who to assess
Manual process – spreadsheet driven
Vendors may be brought in as personal referral
Supplier Governance Framework
Align every IT outsourcing contract with the organization's key business objectives
Set up a monitoring mechanism
Manage changes in IT projects and services across complex portfolios
Establish direct and visible accountability for IT performance
Define specific ownership of key contract terms
Define well-integrated IT management processes for the client and service provider
Monitoring
Which suppliers require monitoring
What should be monitored
Who should conduct the monitoring
How frequently
When to do on site versus remote
Compliance Elements
Legal and Regulatory Compliance
• Is the supplier compliant with regulators and self-regulatory organizations?
Financial Condition
• In addition to the vendor's current financial condition, assess third-party suppliers' growth, earnings, pending litigations and any other factors that may affect the supplier's overall stability.
Business Reputation
• Does the supplier have a history of complaints performing the activities the company is planning to outsource?
Compliance/Risk Management
• Only work with third-party suppliers that have processes in place for ensuring compliance with contractual and regulatory requirements and following industry best practices.
Subcontracting
• Assessments should include validation that the supplier is in compliance with contractual provisions concerning supplier outsourcing.
Compliance Elements
Business Continuity
• A third-party supplier should have a plan in place to respond to service disruptions ranging from Internet outages to cyber-attacks or natural disasters.
Physical and IT Security
• The vendor should have controls in place to ensure its IT systems are protected from external and internal attacks and that its computers and servers are protected from theft.
The Right to Audit and Require Remediation
• Before entering into an agreement, establish the right to audit the third party and to require remediation when issues are identified.
Termination
• Procedures should also be spelled out in some level of detail should the third party be unwilling or unable to fulfill its compliance and performance obligations.
Audit Planning – Key Questions
Who are your key suppliers?
Who maintains the supplier inventory and how is it updated?
What can the supplier provide in terms of assurance (SOC2, HITRUST certification)?
Do you have a right to audit clause in the contract? How clear is it?
Do you exercise your right to audit clause?
Does your company have a centralized supplier management program?
Audit Focus
IA needs to be independent and determine if TPRM controls are designed properly and operating as designed
TPRM is the second line of defense and the operational aspects of the program should be reviewed with key stakeholders
IA is the 3rd line of defense and should focus on 3rd party on-site activities required by the program
Depending on who owns the controls, IA will need to review that area for sustainability
The supplier owner must be in compliance with the contract – IA needs to audit that area also
IA should be reviewing the compensating controls that help minimize risks and monitor all remediations needed
Audit Focus
Have 1 person facing off with 3rd party management
Sets the audit standard for 3rd party audit programs
Acts as SME on 3rd party risk management within audit
Conducts reviews and identifies potential risks and required remediation
Develops an opinion of the overall design and effectiveness of the TPRM
Key Audit Focus
Supplier selection / governance
Supplier security
Supplier management procedures
Key Controls – Supplier Operations
Overall control environment
Security considerations
• Data protection
• Network, physical, environment, personal and logical access security
SDLC controls
Change management controls
HR policies and procedures
What Should Audit Do?
Supplier Selection
• Obtain list of all Suppliers
• Who is approved to update the list
• Statistics on spend
• Criticality to core business functions
Supplier Audits
• Questionnaire
• Rank results
• Follow-up calls with Suppliers
• Site visits
Supplier Oversight
• Reporting
• Meetings
• Site visits
• KPIs
Supplier Termination
• Assess vendor termination control environment
• Ensure data properly returned or destroyed
• Review contract termination controls
Audit Reports
• Identify gaps
• Follow-up on remediation
Audit Approach
Identify the Services Provided
Identify the Potential Risks
Document Security and Privacy Controls
Document Gaps
Recommend Enhancements
Audit Approach
Identify the Services Provided
• What information is accessed, managed or handled?
• Does the supplier store any critical information?
• Does the supplier have access to the information via connection to the network?
• Does the supplier provide access to critical data?
Identify the Potential Risks
• Based on the services provided, identify the areas of potential risk
• Use COBIT, ISO 27001, NIST 800-53 or your own questionnaire
• If data is not confidential, do you need to audit this supplier?
• Document the risk for each service activity
Document Security and Privacy Controls
• Identify security controls for each risk identified in step 2
• For each control refer to documentation or evidence of the effectiveness of the control
• Request SOC-1, or SOC-2 or Pen Test reports
Audit Approach
Document Gaps
• Compare the controls of the supplier with industry best practices
• Identify areas where controls are missing or sub-standard
• Focus on areas that could impact confidential data and brand image
Recommend Enhancements
• Prioritize risks associated with the gaps
• Recommend solutions to bridge the gaps
• Prioritize the timing of the enhancements
• Determine if the report will be an advisory or an audit – based on the risk ranking
• Identify follow-up items and personnel responsible
Audit Domains
Organizational
Physical Security and Environmental
Workstation Security
Logical/Data Access
Network and Server Security
Change Management
Corporate Continuity
Supplier Governance
Audit Domain Coverage
Organization
• Controls in place to ensure that audit risks are identified and mitigated properly
• Personnel policies in place regarding employee hiring, candidate background checks as permitted by applicable local laws, orientation, and training
Physical Security and Environmental Controls
• Building exterior and physical access security controls are in place to prevent unauthorized access (on and offshore)
• Identification badge controls
• Environmental safeguards
• Safeguards surrounding the destruction and disposal of sensitive information
• Physical access to production area is restricted to prevent unauthorized access
• Materials allowed to be brought into workspace are limited based on Supplier services provided
Audit Domain Coverage
Workstation Security
• Controls are in place to:
  • secure sensitive data on computer workstations (on shore and off shore locations)
  • secure workstation assets and data
  • protect mobile computing assets such as tablet computers and mobile phones
Logical/Data Access
• General controls are in place to prevent unauthorized access to:
  • information resources (Internal)
  • computer resources (External)
Audit Domain Coverage
Network and Server Security
• Controls are in place to:
  • detect and prevent network threats
  • apply security updates and to harden settings for application and database servers
  • identify, escalate, and track security incidents until resolution
  • ensure that remote or wireless access to the network is disabled or securely controlled
• Technical safeguards are in place for data in transit and data at offshore Supplier locations
Change Management and Regulatory Compliance
• Change Management controls are in place to ensure that only authorized, tested, and documented changes are made to the system
• Organizational controls are in place to monitor and track compliance
• HIPAA and Security awareness training is communicated to employees
Audit Domain Coverage
Corporate Continuity Controls (BC/DR)
• Business Continuity/Disaster Recovery (BC/DR) plans are established and in place
• Data storage and backup activities occur on a scheduled basis and are available for file recovery and disaster recovery events
• Controls are in place to ensure that computer equipment is disposed and recycled securely
Supplier Governance
• Controls are in place to ensure that Third Parties who the Supplier has contracted with are adequately managed
Audit Implications
Service level management
Contractual requirements
Data transmission controls
Data security / privacy
Continuity / availability of systems
Operational controls
Availability of SOC-1, SOC-2, ISO17799
Supplier Internal Audit function
Key Take Aways
1. As companies focus on core business practice, they outsource more functions to specialized Suppliers. Suppliers differ by industry: retailers, manufacturers, insurance, etc.
2. Most companies struggle with managing their Suppliers. No one does it perfectly.
3. Solution requires enterprise effort. Required, plus increased focus by customers and regulatory agencies across all disciplines.
End of Presentation
© Institute of Internal Auditors 2017
Join Us: @IIAChicago ● #IIAChi
Any questions?
johnagatto@comcast.net