
Monday, June 15, 2020

Shift to Online Audits

The Shift to Online Audits

Recent events related to COVID-19 have had a huge impact on the way organizations operate and function. Along with posing many challenges, they have also opened up many possibilities and new ways of doing things. Auditing has traditionally been a very hands-on, on-site process. Organizations rely on it to ensure that the vendors they work with have a comprehensive and robust security posture, that the data shared with the vendor is protected at all levels, and that any services provided can continue without fail. With social distancing norms and advisories in place, in-person auditing has become a challenge, and auditors have been forced to adapt to a remote process. Some companies have only just started implementing changes to accommodate this new demand, since such uncertainties may repeat. ComplyScore, as always, has been a few steps ahead of the game. We have been offering Online Audits as part of our supplier risk assessment services for the last 3 years, and have done numerous vendor audits as well as ISO 27001 surveillance audits.

The Transition has Generally Not Been Easy

ComplyScore, as a vendor risk management company, has performed online audits for three years now and has mastered the process at a time when the rest of the world has only just begun adapting to it. Because the online audit process is new to most auditors, and a forced change rather than a self-adopted one, it poses significant challenges. Below are a few challenges experienced on the road to performing an online audit:

•    Validating the controls and their operating effectiveness over a period of time remotely can be challenging
•    Evaluating risks associated with data collection, processing, and compliance
•    Covering the entire security posture and all controls in a limited amount of time
•    Identifying all strategically important activities and bringing them under security scrutiny remotely can often prove to be a challenge

Exponential transformation, innovation, and advancement in technology, their implementation in the organization, and their impact on information and operational security are another piece of the puzzle that requires great attention, especially when the audit is conducted remotely.

The recent move to remote work has posed a completely new challenge: every employee can be considered a sub-entity, often with access to sensitive and confidential information, while working on a network and in a workplace that the company does not manage.

It is Important to Establish Comprehensive Processes

Highly qualified staff, trained specifically for the online audit process and with the experience of several audits behind them, ensure that these audits are performed by the most experienced subject-matter experts within ComplyScore. An elaborate and comprehensive process to verify and validate the implementation of controls is carried out over an online screenshare, where all controls are validated, documents are reviewed, evidence is gathered, and operating effectiveness is checked against timestamped evidence spanning from the past to the present. Additionally, collecting pictures and videos and using a mobile screenshare during the audit makes it possible to further validate the presence of controls. ComplyScore auditors fully understand the nature of the business engagement between the two entities and can therefore determine all the controls that need to be implemented; these are checked and mapped against security standards such as ISO, NIST, and SOC. With their expertise and experience, the auditors analyze the risks the data faces at every junction in the network from source to destination, both at rest and in transit, by fully evaluating the data flow diagrams and the mode of transport. The ComplyScore questionnaire, another part of the online audit process, covers additional controls beyond the standard audit set to further evaluate the completeness of the security controls implemented in an organization. Regular security and vulnerability training on innovations and advances in technology keeps auditors current with the newest technologies and vulnerabilities, knowledge that proves highly beneficial during such audits.
Our vendor risk management solutions include remote assessments developed by experts at ComplyScore and incorporated into the online audit. Designed with the security threats and vulnerabilities of remote work in mind, they have helped immensely in assessing the controls such organizations implement to safeguard their processes and data. ComplyScore has specially trained staff and the technology to support this process. This new online audit module helps organizations in many ways. One of the biggest advantages is the reduction in cost. Traditional audits require an auditor to travel to the location, stay in hotels, and take Ubers and taxis to reach the destination and perform the audit; online audits eliminate all of these costs and save organizations a lot of money. As the saying goes, time is money, and an online audit saves a lot of time on both ends, which further reduces costs. An online audit also allows the organization's staff to continue with their work instead of engaging them all at once, so it does not take a productive day away from staff who would otherwise be doing their regular work.

While online audits prove very beneficial for organizations, they do pose a challenge to the auditor in terms of increased workload and effort. Verifying all security controls remotely is an elaborate task. Looking for evidence and artifacts can be time consuming and can demand extra effort from the auditing team. All the additional steps undertaken to ensure control completeness, implementation, and effectiveness, and to overcome the challenges listed above, add to the auditors' workload. Using remote assessment, checking for additional controls beyond the standard audit controls through the ComplyScore questionnaire, verifying pictures and video footage, and so on further increases the overall workload. In total, this has resulted in a 20% increase in the workload and effort of an auditor. Many such online audits have been successfully completed to date, and organizations have been helped to save a lot of unnecessary costs without compromising quality.

ComplyScore has Been an Early Adopter of Online Audits

The audit process is elaborate and involves a lot of looking around to find the gaps and loopholes in the organization's information security posture. ComplyScore has adopted a very well-defined online audit process that covers everything from the most granular controls to the most important standard controls. Here are a few highlights of the online audit process:

•    Vendor and data classification (CIA) based on the business engagement.
•    Prepare the scope and agenda for the online audit.
•    Prepare a list of documents, policies, artifacts, and evidence required to verify the implementation and effectiveness of each control, and share it with the vendor.
•    Send meeting invites to all participants and, if necessary, assign individual parts of the audit to specialists.
•    Perform the online audit (screenshare, policy review, effectiveness of controls, certifications and test results, etc.) and collect artifacts and evidence.
•    List all observations, findings, and recommendations.
•    Prepare the closeout report.

ComplyScore also ensures that the answers provided by the vendor are validated for accuracy, and our experienced staff perform several rounds of cross-checks to validate each control so that the amount of misleading information collected is reduced as far as possible. A single control is evaluated in more than one place and in more than one way.

As this is a new process that the world is looking to master, ComplyScore has been ahead in the game and has already initiated the identification of challenges and problems faced in this process. We have been coming up with ideas and solutions to counter these challenges and iron out the fault lines, which would help us provide improved and better services with increased accuracy and finesse.

This blog was originally posted on https://complyscore.com/blog/shift-to-online-audits/

Monday, April 20, 2020

Value of a Third-Party InfoSec Assessment Program

Background:

Information Security (InfoSec) professionals realize that their InfoSec program is only as strong as its weakest link. Third-party (3P) vendors with access to sensitive data are generally regarded as that weak link, hence the focus on securing them. However, given the scope and possible cost of securing this link, and doubts regarding the assessment methodology, it is easy to question the value of a third-party vendor risk management (TPRM) program. InfoSec managers are often challenged by their seniors to prove the value of the TPRM program.

As a leading vendor risk management company, at ComplyScore we manage thousands of assessments annually and are asked to assist in showing the value of the program. Here are some points that I would like to share with you.

Let us first consider what happens if you don't have a strong IT vendor management program, by looking at instances where companies suffered because of their vendors.

Visser Precision: In February 2020, a data breach at Visser compromised contract data, pricing, and other highly sensitive details of companies like Tesla, Lockheed Martin, and SpaceX.

LabCorp: In August 2018, a data breach at LabCorp's vendor American Medical Collection Agency (AMCA) compromised the data of almost 7.7 million patients.

Home Depot: In 2014, a data breach compromised the credit card details of almost 56 million customers. The attackers used credentials stolen from a third-party vendor to gain access.

Target: In 2013, almost 40 million customer credit and debit card details were compromised in a breach. The culprit? Again, a third party that had privileged access.

These are just a few of the reported incidents, chosen here as examples. They demonstrate that even though awareness of cybersecurity is increasing and companies are spending huge amounts of money on security, third-party breaches remain one of the weakest links.

Now, let us look at the impact of these incidents.

Visser has taken a hit to its reputation with this breach. The magnitude and the details are still being assessed, but sensitive contract details such as pricing and manufacturing details were compromised.

LabCorp spent almost $2.5 million after the breach to ramp up its security. A class-action lawsuit is pending.

Target: $18.5 million in lawsuits. The CEO had to resign.

Home Depot: $25 million in settlement.

On average (from what I have read, the figure is $3.92 million), companies have spent over $4 million in settlements. Additionally, there is the damage to reputation and customer confidence, the countless hours spent on investigations and lawsuits, and even the forced resignation of a CEO.

That is a steep price to pay.

These incidents remind us about the potential impact if you do not have a methodical approach to TPRM.

General Consensus

A recent survey published in the Allianz Risk Barometer 2019 consistently ranked cyber incidents among the top 3 areas of concern. Another interesting insight comes from Deloitte. In a survey Deloitte conducted between March and July 2018, with respondents from 94 financial institutions around the world, almost 67% of respondents named cybersecurity as one of the top 3 challenges they will face and a risk they feel is only going to increase. More interestingly, the Deloitte survey showed that respondents felt more confident about handling breaches involving disruptive attacks, financial loss, and loss of customer data, but did not feel as confident about breaches originating from nation states or from third-party providers. The survey, along with the examples above, shows that we need to be proactive in addressing the issue, and we need to be proactive NOW.

Now that we have enough data to convince the leadership that TPRM is essential as part of a robust vendor management system, and needs to be done, let us talk about the cost and ROI. In short, let’s talk numbers:

With data breaches, the losses are generally in the millions of dollars. Companies take a hit to their reputation; some have had to file for bankruptcy. Now compare that with the cost they would have incurred had they been proactive. Assessments are proportional to the level of risk. ComplyScore does vendor risk assessments for as little as $200 per assessment. So for between $250K and $500K, you can assess and secure a major part of your supply chain and de-risk your company to a great extent. Now that's a significant ROI.

Value of assessments

You might ask, "How reliable is the questionnaire-based approach?" I have seen that a lot of clients are initially apprehensive about the process and its reliability. For those with questions and apprehensions, there are ways and means you can use to ensure that the assessments are answered honestly. Security rating agencies add value as well. ComplyScore will cover the value and reliability of questionnaires, and how to validate the answers, in an upcoming blog.

I hope I have been able to cover some talking points that you can use to make the case for TPRM with your leadership. Cyber incidents are only going to become more frequent in the future. You need to secure your organization by diligently including TPRM and supplier risk management in your organization's vendor governance program. Address it now: contact us and request your demo today.

Friday, March 27, 2020

Enterprise Vendor Risk Management: Is Your Organization Proactive Or Reactive?

Organizations often fail to anticipate the risks associated with third-party vendors. On many occasions, the threats to which they have exposed their own data, and possibly their customers' data, are realized only after a breach has happened, and all they can do at that point is damage control.

Without a proactive approach to vendor risk management, your organization can open itself up to increased levels of risk that can have a negative impact on its financial standing, compliance posture, and overall ability to serve its customers. If you want to drive competitive advantage and sustain future growth, the focus must be on vendor risk management that is proactive, not merely reactive.

Proactive Vendor Risk Management

While anticipating and assessing all potential vendor risks may be tedious and even seem impossible, proactive vendor risk management is really a discipline that must be integrated into your organization’s overall risk management culture.

Traditional IT vendor management solutions take a reactive approach, using programs that assess, report, and mitigate risks after they happen. The emphasis is placed on reducing fallout and minimizing damage to the business. This focus on events that have occurred instead of leveraging predictive digital tools such as AI, data analytics, and process automation can be compared to the proverbial barn door that’s closed after the horse escapes.

For most businesses, 24/7 coverage of IT systems is not financially feasible. It is advisable to partner with a vendor risk management company that:

•    Provides end-to-end services including distribution, completion, and evaluation of assessments
•    Creates customized assessments based on the company's exclusive vendor profiles
•    Immediately identifies potential issues before they turn into critical security breaches

Working with a managed service provider to move from reactive to proactive enterprise vendor risk management helps ensure that your vendors have the right controls in place to properly serve your organization. It also allows your business to improve compliance with regulatory demands, prepare for unexpected risk events, and maintain its reputation.

Putting Proactive Vendor Risk Management to Work

Adopting a vendor risk management strategy that uses the right tools to evaluate vendors and their processes improves your company’s ability to manage and/or avoid existing and emerging risks. Internal IT staff can also adapt more quickly to unwanted events or crises while building an understanding of how to assess and mitigate risks. Your organization then has a better view of potential future risks, how they might impact your business, and how to keep those risks at bay.

ComplyScore’s managed third party vendor risk assessment solutions help your organization approach risk management and vendor governance proactively and effectively at the enterprise level. By using a more forward-looking approach to vendor risk management, your business avoids unexpected events and expenses. That, in turn, results in improved compliance, a greater business value, and ensured sustainability. The bottom line? When choosing an MSP for your organization’s unique vendor risk management needs, look for one that can maintain a proactive approach that evolves as your organization’s vendor landscape unfolds and grows.

Top Industries That Need To Up Their Vendor Risk Assessment Game

Upstream compliance, cyberthreats, geographical location, financial assets, and reputation are five of the top vendor risks most organizatio...