3rd party risk: practical considerations for privacy & security due diligence
3rd Party Risk – Pt. 1: Practical Considerations for Privacy & Security Due Diligence
Agenda
• Introductions
• 3rd Party Risk Due Diligence Best Practices
  • Questionnaires
  • On-Site Reviews
• Q&A
Introductions: Today’s Speakers
• Ted Julian, Chief Marketing Officer, Co3 Systems
  • Security / compliance entrepreneur
  • Security industry analyst
• Deb Hampson, AVP & Assistant General Counsel, The Hartford
  • Head of Corporate Privacy Office since 2006
  • Previously head of The Hartford Life's Corporate Compliance Unit and the Group Benefits Legal Team
  • Specialties: privacy law, insurance law, corporate compliance, social media legal and compliance issues.
Co3 Automates Breach Management
PREPARE – Improve Organizational Readiness
• Assign response team
• Describe environment
• Simulate events and incidents
• Focus on organizational gaps
ASSESS – Quantify Potential Impact, Support Privacy Impact Assessments
• Track events
• Scope regulatory requirements
• See $ exposure
• Send notice to team
• Generate Impact Assessments
MANAGE – Easily Generate Detailed Incident Response Plans
• Escalate to complete IR plan
• Oversee the complete plan
• Assign tasks: who/what/when
• Notify regulators and clients
• Monitor progress to completion
REPORT – Document Results and Track Performance
• Document incident results
• Track historical performance
• Demonstrate organizational preparedness
• Generate audit/compliance reports
About The Hartford
• Personal Lines
• Small Commercial
• Middle Market
• Group Benefits
• Specialty
• Retirement
• Individual Life
• Mutual Funds
• Annuities
Data Breaches and 3rd Party Leaks
Sources of breaches:
• Malicious Cyber-Attacks
• Lost/Stolen Assets
• 3rd Party Leaks
• Internal/Employee Actions
Examples:
• Global Consumer Electronics Firm: Hackers stole customer data, including credit card information (100 million records)
• Community-Based Healthcare Plan: Laptops with patient data stolen by former employee (208,000 records)
• Multi-Channel Marketing Service: Digital marketing agency exposes customer data of dozens of clients (Millions of records)
• Government Agency: Employee sent CD-ROM with personal data on registered advisors (139,000 records)
The multitude of breach regulations don’t care how the data was lost. You are subject to the same requirements.
3RD PARTY RISK: Practical Considerations
3rd Party Privacy & Security Due Diligence
• Questionnaire
• On-Site Visits
• Certifications
• Annual Audits
POLL: Do You Have A 3rd Party Questionnaire?
Who Receives a Questionnaire?
• Every vendor that handles customer data, employee data or company confidential data receives a questionnaire.
• The questionnaire is developed using:
  • International standards:
    • ISO/IEC 27001 Information Management Systems
    • ISO/IEC 27002 Code of Practice for Information Security Management
    • the BITS Financial Institution Shared Asset Program, and
    • internal Privacy and Information Protection Policies
  • Internal Privacy and Information Protection policies based on regulatory requirements.
What Areas Does the Questionnaire Address?
• Overview of services being provided
• Privacy and Security Policies
• Organizational Structure
• Personnel Security
• Environmental Security
• Operations Management
• Network Management
• Information Handling
• Access Control
• Compliance
• Business Continuity and Disaster Recovery
POLL: Do You Conduct On-Site Reviews For 3rd Parties?
Who gets an On-Site Visit?
Risk-Based Approach For Vendors Who:
• Provide incomplete questionnaire responses
• Provide unsatisfactory questionnaire responses
• Handle contracts over a specified dollar amount
• Handle information that is sensitive or confidential
• Are located in a foreign country
Components Of An On-Site Review Process
• Meetings with vendor senior management: address key privacy and security policies and procedures to ensure senior management buy-in
• Interviews with key personnel: allows assessors to obtain more specific information on the vendor’s controls
• Comprehensive document review: verify the existence of key security documents
• Physical security inspection: verify that key physical security and environmental controls are in place
• Policy/Statement of Work verification: verify that security requirements detailed in the Statement of Work are implemented
Top Questions
1. Do comprehensive information security policies exist that all employees must read and accept?
2. Are all employees and contractors with access to Company data required to take information security awareness training?
3. Are there processes in place that ensure access to Company data is authorized and granted in the most restrictive manner possible and limited to those having a business need for such authorization?
4. Is access to Company data contingent on a thorough criminal background history investigation performed using an accredited personnel investigation agency?
5. Are physical security measures in place to control physical access to systems or output that contain Company data?
Top Questions (cont.)
6. Is all access to Company data logged and reviewed on a regular basis?
7. Is there a Security Incident Response Plan in place that contains procedures to be followed in the event of any actual, suspected, or threatened security breach, including unauthorized use, access, disclosure, theft, manipulation, or reproduction of Company data?
8. Will the vendor submit to an annual Security Risk Assessment review based on ISO 27001, conducted by the Company (or its agent)?
9. Is there commercially reasonable and effective network intrusion prevention or detection, firewalls and anti-virus protection in place and functioning properly?
10. Are operating systems and applications associated with the Company appropriately patched after knowledge of any security vulnerabilities?
11. Are all sensitive or confidential data sent over public networks encrypted with at least 256-bit encryption?
Considerations For Foreign Service Providers
Scope of Services and Sensitivity of Data
• Are the services contemplated to be performed temporarily or on an ongoing basis?
• Do the services involve the handling, storage or transmission of sensitive data?
• Can the Company execute an exit strategy if services are disrupted?
Geographic, Cultural, Social and Political Factors
• How far away is the vendor?
• What language barriers?
• How often does the Company plan to review or audit the vendor?
• Do on-site reviews need to be done?
• What social or political factors are reasonably likely to affect the provider?
• Can the Company monitor these factors?
Business Continuity and Disaster Recovery
• Does the vendor have a Business Continuity Plan?
• Does the vendor have experience executing the plan?
Local Laws Regulating Privacy and Data Security
Considerations For Foreign Service Providers (cont.)
Local Laws Regulating Privacy and Data Security
• Are there local laws that impose requirements on the vendor with regard to data?
• How do the local laws apply to the Company?
Legal/Compliance Risk
• What contractual provisions are required to ensure proper resolution of disputes?
• If local laws create requirements, are they consistent with the provisions the Company applies to its US-based service providers?
• What is the process under local laws for responding to access requests by individuals, subpoenas or other requests for disclosure from governmental agencies?
Security Controls
• Can the vendor reasonably be expected to satisfy stricter or rapidly evolving standards for data security?
• Is the vendor transferring data to other locations or countries?
How About When You Receive A Questionnaire?
• What do you do when there are too many questions to answer?
• How do you ensure consistent responses?
• How do you respond to yes/no questions?
• How do you manage the volume?
• Whose Privacy and Security Policies and Procedures do you follow?
QUESTIONS
Next Webinar
• Canadian Breach Regulations
• Next Thursday, 10/25 @ 1 PM
• Invites with more info and registration information in the next day or two
One Alewife Center, Suite 450
Cambridge, MA 02140
PHONE 617.206.3900
WWW.CO3SYS.COM
“Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice.”
PC MAGAZINE, EDITOR’S CHOICE
“Co3…defines what software packages for privacy look like.”
GARTNER
“Platform is comprehensive, user friendly, and very well designed.”
PONEMON INSTITUTE
Deb Hampson
Assistant VP & Assistant GC
www.thehartford.com