Showing posts with label vendor risk management. Show all posts

Monday, August 3, 2020

Top Industries That Need To Up Their Vendor Risk Assessment Game

Vendor Risk Management

Upstream compliance, cyberthreats, geographical location, financial assets, and reputation are five of the top vendor risks most organizations face. But different industries also face vendor risks challenges that are unique to their business sector. For example, the healthcare industry has HIPAA regulations it must follow, and the insurance industry is subject to reporting and auditing standards from various state regulators. 

When investigating vendors, many companies focus on what they offer and whether it will help them work better and faster. Few conduct a thorough security assessment that's needed to ensure that third-party vendor systems won’t open up holes in their own security or introduce new threats into their network.

At ComplyScore, we have successfully helped companies in a variety of industries assess and manage their vendor risks. Based on our experience, these five top industries must up their vendor risk assessment game now to ensure their vendors’ security standards are as robust as the ones they have in place themselves.

Entertainment

The entertainment industry uses many third-party vendors but has no mandated vendor risk regulations it must meet. The industry must initiate vendor risk assessments on its own. While vendor risk management is important to all entertainment businesses, video game companies face enterprise-specific challenges from practices such as outsourcing production elements to countries that represent higher security risks. Comprehensive risk assessment can help the industry avoid expensive litigation while preserving reputation and stakeholder value.

Insurance

The insurance industry has long outsourced business processes and utilized third-party software solutions. Regulators like the OIG, OCC, FFIEC, CFPB, and others require insurance companies to identify possible third-party risks, verify that the vendors they do business with are compliant, and regularly monitor changes that may create new risks. A risk assessment platform helps automate risk rating and reduce the amount of time spent managing vendor risk.

Healthcare

Most healthcare organizations have a strategy in place to comply with the Health Insurance Portability & Accountability Act (HIPAA) but with each new technology and practice, fresh risks abound. Third-party risks cost the healthcare industry nearly $24 billion per year and many providers are hard-pressed to adequately assess and understand the risks their vendors pose. A cloud-based platform and end-to-end vendor risk assessment managed services can help meet each provider’s unique needs and ensure compliance requirements are met.

Financial Services

A favorite target for cybercriminals, the financial services sector must continuously monitor third-party risk, adopt policies that go beyond regulatory compliance, and devise an organization-wide approach to vendor risk management. From deciding whether a vendor is a good fit to establishing a cybersecurity culture, a broad vendor risk assessment process protects critical financial and PCI data and helps organizations avoid catastrophic breaches.

Pharma

Pharmaceutical, biotechnology, and medical device companies face many regulatory compliance requirements related to areas like trial designs, geographic location, and/or specific expertise. Geographic expansion is a particular challenge the life sciences industry faces, as is meeting anti-bribery regulations. An advanced 3rd party assessment solution streamlines the vendor assessment process while ensuring analytic consistency and significantly reducing overhead.

Third-party vendors are a risky necessity that can be made safer by using a cloud-based risk assessment solution and vendor risk assessment managed services. ComplyScore’s CyberScore is designed to help top industries manage third-party relationships in accordance with increased and expansive regulatory expectations while mitigating the risks posed by third-party vendors throughout the lifecycle of the relationship.

This blog was originally posted on https://complyscore.com/blog/top-industries-that-need-to-up-their-vendor-risk-assessment-game/

Tuesday, May 5, 2020

Managing Inherent Risks in TPRM


Vendor Risk Management

A successful vendor management program needs to invest heavily in managing risks associated with 3rd party vendors. While doing TPRM, we generally assess risks such as Information Security and Compliance Risk. However, a one-size-fits-all approach to vendor risk management is not optimal. The program needs to be tailored to the risks associated with the specific engagement(s). This risk, which is associated with the nature of the engagement, is called the Inherent Risk. Inherent risk is the risk associated with a given engagement regardless of the controls that the vendor has implemented. It gives you an indication of the level of due diligence you need to do on the vendor.

For an engagement with low inherent risk you may choose to assess basic controls while for a high inherent risk engagement, you may want to do an onsite audit and validate all controls.

What is Inherent Risk?

Mathematically, Risk = Likelihood * Impact.

It is the likelihood of a breach happening multiplied by the impact of the breach on the business.

To explain this better, let us consider 2 scenarios.

In scenario 1, your client is sending sensitive data to Amazon. In scenario 2, they are sending the same sensitive data to a little-known offshore company. Is the inherent risk the same in both scenarios?

In the above case, where the same sensitive data was sent to 2 different vendors, the impact was high regardless of the vendor. The likelihood of data being breached at Amazon is low, while the likelihood of data being breached at a little-known offshore company is high. (If data for Likelihood is not available, you may choose to use the same likelihood across all engagements. If you are being conservative, you will prefer to go with high likelihood.)

The result is that the inherent risk in scenario 2 is higher than scenario 1.

Inherent risk is different from Residual Risk. Residual risk is the risk that remains after assessing the controls that are implemented to mitigate the risks. This is calculated by multiplying inherent risk with the effectiveness of the control.

In this article, we are going to focus on Inherent Risk. Let’s start with the basics:

IMPACT and LIKELIHOOD:

Impact - This will help you figure out the kind of data that can be compromised and how much data can be compromised. It gives you a sense of the extent of damage you will incur and the kind of impact it will have on your business. In some cases, it will be the financial loss that is incurred whereas, in others, it might be a reputational loss. What kind of loss will be more harmful to you? How much damage can you survive? These are some areas you will get clarity on.

Likelihood - This will help you figure out the probability of a breach happening. Determining the likelihood depends on several factors. You can take the highest rating if you want to be conservative or you can take an average. Where is the data being accessed from? The rating is typically considered low if the data is being accessed from inside your office. The risk is considered medium if the access is offsite from a country with low CPI (Corruption Perception Index) and it is high for all other offsite access. How is the data being accessed and/or transferred? The risk is inherently high if the access and transfer are manual, to factor in human error. In the case of automated access, the rating is considered low. In cases where the data is accessed by VDI but there is no transfer of data, the rating is inherently medium.
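The formulas above (Risk = Likelihood * Impact, residual risk derived from inherent risk and control effectiveness) and the likelihood rating rules for access location and access mode, worked through in code. This is an added example, not ComplyScore's tooling; the 1/2/3 numeric scale, the impact weights, the engagement records and the reading of control effectiveness as the share of risk removed are assumptions.

```python
# Added example, not from the ComplyScore post: inherent and residual risk
# scoring built from the post's rules. The 1/2/3 scale, the impact weights
# and the control-effectiveness reading are assumptions, not the post's.
from statistics import mean

RATING = {"low": 1, "medium": 2, "high": 3}  # assumed numeric scale

def access_location_rating(onsite: bool, low_cpi_country: bool = False) -> str:
    """Likelihood factor from where data is accessed (rule in the post)."""
    if onsite:
        return "low"
    return "medium" if low_cpi_country else "high"

def access_mode_rating(mode: str) -> str:
    """Likelihood factor from how data is accessed or transferred."""
    return {"manual": "high", "automated": "low", "vdi_no_transfer": "medium"}[mode]

def likelihood(factor_ratings, conservative: bool = True):
    """Combine factors: highest rating (conservative) or the average."""
    scores = [RATING[r] for r in factor_ratings]
    return max(scores) if conservative else mean(scores)

def impact(data_type: str, records: int) -> int:
    """Impact from type and volume of data exposed (weights assumed)."""
    sensitivity = {"public": 1, "internal": 2, "sensitive": 3}[data_type]
    volume = 1 if records < 1_000 else 2 if records < 100_000 else 3
    return max(sensitivity, volume)

def inherent_risk(likelihood_score, impact_score):
    return likelihood_score * impact_score  # Risk = Likelihood * Impact

def residual_risk(inherent, control_effectiveness: float):
    # The post multiplies inherent risk by control effectiveness; this block
    # reads effectiveness as the share of risk the controls remove (assumption).
    return inherent * (1 - control_effectiveness)

def score_engagement(eng: dict, conservative: bool = True) -> dict:
    lik = likelihood([access_location_rating(eng["onsite"], eng.get("low_cpi", False)),
                      access_mode_rating(eng["mode"])], conservative)
    imp = impact(eng["data_type"], eng["records"])
    inh = inherent_risk(lik, imp)
    return {"likelihood": lik, "impact": imp, "inherent": inh,
            "residual": residual_risk(inh, eng.get("control_effectiveness", 0.0))}

# Constructed engagements: same sensitive data, different vendors, so the
# impact is identical and only the likelihood moves the inherent risk.
SCENARIOS = {
    "onsite_automated": {"onsite": True, "mode": "automated", "data_type": "sensitive",
                         "records": 50_000, "control_effectiveness": 0.5},
    "offshore_manual": {"onsite": False, "mode": "manual", "data_type": "sensitive",
                        "records": 50_000, "control_effectiveness": 0.5},
}

if __name__ == "__main__":
    for name, eng in SCENARIOS.items():
        print(name, score_engagement(eng))
```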

CATEGORIES of RISK

Inherent risk can be categorized into different areas:

•    Technology – the risk you face due to a failure in the vendor’s technology,

•    Compliance – whether the vendor is compliant in the manner in which the data is handled,

•    Finance – the risk you might incur if the vendor fails to deliver,

•    Legal – the risk you face when the vendor does not keep up with the laws and regulations,

•    Privacy – the risk you face if your vendor does not put sufficient controls in place to protect privacy, and

•    BCP (Business Continuity Process) – the risk you face if the vendor goes out of business.

Since the risk area assessed depends on the type of engagement between the vendor and the client, once the type of engagement is determined, an inherent rating is provided.

For each area/category of risk to be assessed, you will need to develop specific factors to calculate the impact and likelihood. We saw earlier that for Cyber Security risk the impact depends on the type of data and the volume of data accessed, while the likelihood depends on how the data is accessed. Develop similar factors for each area.

QUESTIONS TO ASK:


In this part, we will cover the bare minimum questions you need to ask to help you calculate the inherent risk.

You need to know:

Access to the data: Is access to sensitive data separated by roles and responsibilities? Is there hierarchical access and ownership of data? Or is it free for all?

Storage and protection of data: Is it in a place with open access? Are there controls in place to safeguard it?

Physical controls: Are there physical controls in place? Is the room hosting the data locked? Is there keycard access in place?

Here is a snapshot of some of the questions posed by our vendor risk management solutions to assess our client’s risk. Contact us to learn more about ComplyScore’s IT vendor management services.


Friday, March 27, 2020

Enterprise Vendor Risk Management: Is Your Organization Proactive Or Reactive?


Vendor Risk Management

Organizations often fail to anticipate the risks associated with 3rd party vendors. On many occasions, the threats they have exposed their own data, and possibly their customers’ data, to are realized only after the breach has happened, and all they can do at that point is damage control.

Without a proactive approach to vendor risk management, your organization can open itself up to increased levels of risk that can have a negative impact on its financial standing, compliance posture, and overall ability to serve its customers. If you want to drive competitive advantage and sustain future growth, the focus must be on vendor risk management that is proactive, not merely reactive.

Proactive Vendor Risk Management

While anticipating and assessing all potential vendor risks may be tedious and even seem impossible, proactive vendor risk management is really a discipline that must be integrated into your organization’s overall risk management culture.

Traditional IT vendor management solutions take a reactive approach, using programs that assess, report, and mitigate risks after they happen. The emphasis is placed on reducing fallout and minimizing damage to the business. This focus on events that have occurred instead of leveraging predictive digital tools such as AI, data analytics, and process automation can be compared to the proverbial barn door that’s closed after the horse escapes.

For most businesses, 24/7 coverage of IT systems is not financially feasible. It is advisable to partner with a vendor risk management company that:

•    Provides end-to-end services including distribution, completion, and evaluation of assessments

•    Creates customized assessments based on the company’s exclusive vendor profiles

•    Immediately identifies potential issues before they turn into critical security breaches


Working with a managed service provider to move from reactive to proactive enterprise vendor risk management helps ensure that your vendors have the right controls in place to properly serve your organization. It also allows your business to improve compliance with regulatory demands, prepare for unexpected risk events, and maintain its reputation.

Putting Proactive Vendor Risk Management to Work

Adopting a vendor risk management strategy that uses the right tools to evaluate vendors and their processes improves your company’s ability to manage and/or avoid existing and emerging risks. Internal IT staff can also adapt more quickly to unwanted events or crises while building an understanding of how to assess and mitigate risks. Your organization then has a better view of potential future risks, how they might impact your business, and how to keep those risks at bay.

ComplyScore’s managed third party vendor risk assessment solutions help your organization approach risk management and vendor governance proactively and effectively at the enterprise level. By using a more forward-looking approach to vendor risk management, your business avoids unexpected events and expenses. That, in turn, results in improved compliance, a greater business value, and ensured sustainability. The bottom line? When choosing an MSP for your organization’s unique vendor risk management needs, look for one that can maintain a proactive approach that evolves as your organization’s vendor landscape unfolds and grows.

AWS Security: Best Practices for Third Party (3P) InfoSec Risk Assessments


Vendor Risk Assessment

An effective vendor risk assessment is the cornerstone of every successful third-party risk management program. While the essential elements of an assessment should, in theory, be easily determined, the ever-evolving IT security landscape and its threats are making the process more complex.

Addressing Platform-Specific Risks

Some recent incidents have shown that even respected security solution providers are not immune to breaches in information security. One such recent misstep by a well-known cybersecurity leader resulted in exposed Amazon Web Services (AWS) credentials. This allowed hackers to steal information on customers who used its Cloud Web Application Firewall (WAF) product. This incident underlined the importance of drilling down on the specifics of the platforms used by the 3rd party vendors during the security evaluation.

Organizations focused on good vendor governance need a thorough understanding of each vendor’s security posture to mitigate and manage risks from exposure. Most 3rd party providers host and maintain core tech infrastructure in the cloud. While existing third party assessments all focus on governance, processes, and security controls, the questionnaires employed do not adequately address platform-specific risks. Since the majority of 3rd party providers build on AWS and/or Azure, we believe it's in our clients' best interests to be able to drill down and address controls that are unique to the platform used.

Best Practices for AWS Security

AWS offers multiple tools that allow organizations to effectively manage security. Identifying the tools a third-party vendor uses gives a good indication of that vendor’s security posture. For example, does the vendor create VPC flow logs to capture IP traffic information? Is Trusted Advisor used to optimize the AWS environment for performance, cost, and fault tolerance? Are malicious and/or unauthorized activities continually monitored with AWS GuardDuty?

For successful vendor risk management for our clients, we’ve developed a list of best practices for vendors who host on AWS.

Five risk mitigation best practices for vendors who host on AWS include:

1.    Security of the root account, including disabling API access, setting up alerts on root account use, and activating MFA (multi-factor authentication).

2.    Access management techniques that include using groups to assign permissions, quarterly rotation of access keys, enabling MFA for accounts that have console access, and assigning unique IAM (identity and access management) usernames for each user. 

3.    Network restrictions that include using security groups to control inbound and outbound traffic.

4.    Monitoring, encryption, and other controls that help build resilient IT architecture. This includes 24/7 monitoring of AWS account activity, conducting risk assessments of the AWS environment, and enabling server-side encryption (SSE), VPC flow logging, S3 bucket access logging, AWS configuration in all regions, and logging for all resources.

5.    Metric and composite alarms for events such as configuration changes, unauthorized API calls, non-MFA management console sign-in, storage policy changes, and changes to Network Access Control Lists and network gateways.

Information gleaned on whether third-party vendors implement these best practices helps identify and measure 3rd party risks while delivering highly accurate risk intelligence that enables an organization to make more informed IT vendor management decisions.

Based on the above best practices, our vendor risk assessment questionnaires assess the 3rd party vendors utilizing AWS solutions, against a checklist of controls. This checklist is designed to make the process of assessing the security posture of these vendors simpler and more agile, and in the interest of minimizing breaches, we are making this list publicly available.

Check out the list here, and do not forget to contact us for any clarification!

Stay tuned for the best practices based checklist for Azure coming soon.
