Monday, June 15, 2020

Shift to Online Audits

Vendor Risk Management Company

Recent events related to COVID-19 have had a huge impact on the way organizations operate. Along with the challenges, they have opened up new ways of doing things. Auditing has traditionally been a hands-on, on-location process: organizations audit the vendors they work with to confirm that the vendor has a comprehensive and robust security posture, that the data shared with the vendor is protected at every layer, and that any services the vendor provides can continue without interruption. With social distancing norms and advisories in place, in-person auditing has become difficult and auditors have been forced to adapt to a remote process. Many companies are only now putting changes in place to meet this demand, since such disruptions may recur. ComplyScore has been offering online audits as part of our supplier risk assessment services for the last three years, and has completed numerous vendor audits as well as ISO 27001 surveillance audits in this way.

The Transition has Generally Not Been Easy

ComplyScore, as a vendor risk management company, has performed online audits for three years and has refined the process while most of the industry is only now adapting to it. Because remote auditing is, for most organizations, a forced change rather than a chosen one, it poses significant challenges to auditors. Below are a few of the challenges experienced on the road to performing an online audit:

•    Validating the controls and their operating effectiveness over a period of time remotely can be challenging
•    Evaluating risks associated with data collection, processing, and compliance
•    Covering the entire security posture and all controls in a limited amount of time
•    Identifying all strategically important activities and bringing them under security scrutiny remotely can often prove to be a challenge

Rapid transformation and innovation in technology, its adoption within the organization, and its impact on information and operational security are another piece of the puzzle that requires close attention, especially when the audit is conducted remotely.

The recent shift to remote work poses a completely new challenge: every employee can be treated as a sub-entity that often has access to sensitive and confidential information while working from a network and workplace the company does not manage.

It is Important to Establish Comprehensive Processes

Staff trained specifically for online audits, with the experience of many such audits behind them, ensure that these audits are performed by ComplyScore's most experienced experts on the subject. Controls are verified and validated through an online screenshare in which every control is checked, documents are reviewed, evidence is gathered, and operating effectiveness is confirmed against timestamped evidence from the past to the present. Pictures, videos, and a mobile screenshare during the audit provide further means of validating that controls are in place. ComplyScore auditors understand the nature of the business engagement between the two entities and can therefore determine which controls need to be implemented; these are checked and mapped against security standards such as ISO 27001, NIST, and SOC. By evaluating the data flow diagrams and the mode of transport, the auditors analyze the risks the data faces at every point between source and destination, both at rest and in transit. The ComplyScore questionnaire, another part of the online audit process, adds controls beyond the standard audit set to further evaluate the completeness of the security controls implemented in an organization. Regular training on new technologies and vulnerabilities keeps the auditors current, which proves highly beneficial during such audits.

Our vendor risk management solutions include remote assessments developed by ComplyScore experts and incorporated into the online audit. Built with the threats and vulnerabilities of remote work in mind, they have helped immensely in assessing the controls such organizations have implemented to safeguard their processes and data. ComplyScore has specially trained staff and the technology to support this process. This online audit module benefits organizations in several ways. The biggest advantage is cost: a traditional audit requires the auditor to travel to the site, stay in a hotel, and take taxis to the destination, and online audits eliminate all of these costs. Time is money, and an online audit saves a great deal of it on both ends. It also lets the organization's staff continue with their work rather than engaging all of them at once, so it does not take a productive day away from people who would otherwise be doing their regular jobs.

While an online audit is very beneficial for the organization being audited, it increases the workload and effort on the auditor's side. Verifying every security control remotely is an elaborate task: locating evidence and artifacts can be time consuming and demands extra effort from the auditing team. The additional steps taken to confirm control completeness, implementation, and effectiveness, and to overcome the challenges listed above, add to the auditor's workload. Running the remote assessment, checking additional controls beyond the standard audit set through the ComplyScore questionnaire, and verifying pictures and video footage increase it further. In total, this has resulted in roughly a 20% increase in an auditor's workload and effort. Many such online audits have been completed to date, and organizations have been helped to avoid a great deal of unnecessary cost without compromising quality.

ComplyScore has Been an Early Adopter of Online Audits

An audit is an elaborate process that involves a good deal of searching for gaps and loopholes in the organization's information security posture. ComplyScore has adopted a well-defined online audit process that covers everything from the most granular controls to the most important standard controls. Here are a few highlights of the online audit process:

•    Vendor and data classification (confidentiality, integrity, availability) based on the business engagement.
•    Preparing scope and agenda for online audit.
•    Prepare a list of documents, policies, artifacts, and evidence required to verify the implementation and effectiveness of a control and share it with the vendor.
•    Send meeting invites to all participants and if necessary designate individual parts of the audit to specialists.
•    Perform the online audit (Screenshare, policy review, effectiveness of controls, certifications and test results, etc., collect artifacts and evidence)
•    List all the observations, findings, and recommendations.
•    Prepare Closeout Report

ComplyScore also validates that the answers provided by the vendor are accurate, and our experienced staff perform several rounds of cross-checks to reduce misleading information as far as possible. A single control is evaluated in more than one place and in more than one way.

As the world is still learning this process, ComplyScore has been ahead of the game and has already begun identifying the challenges and problems it brings. We continue to develop ideas and solutions to counter these challenges and iron out the fault lines, which will let us provide better services with increased accuracy and finesse.

This blog was originally posted on https://complyscore.com/blog/shift-to-online-audits/

Friday, June 5, 2020

Reliability of Questionnaires & How to Validate Answers


Vendor Governance

Risk assessment questionnaires play an important role in an organization's vendor governance program. Questionnaire-based due diligence is essential to understanding how your third-party vendors manage cybersecurity risks, as well as the investments they have made to reduce exposure across people, processes, and technology.

Yet for all their value, questionnaires have shortcomings. They are often open to interpretation and create questions of their own. And there is always the question of whether the answers reflect reality: how do you know the answers given are accurate and useful?

ComplyScore performs thousands of third-party vendor risk assessments every year. Based on our experience and on discussions with industry experts, here is what we consider to be best practice for strengthening your third-party risk management strategy while getting the most value from your organization's vendor risk assessment questionnaires.

How Reliable are Vendor Risk Questionnaires?

Third-party vendor management programs rely on trust and verification. Questionnaires play a big role in establishing both but assessing third-party risk does have some challenges.

It is our belief that asking the right questions is the start to getting the right answers. Just like no two organizations are alike, each vendor comes with their own environment and risks. When creating questionnaires it’s important to:

•    Know the scope of what’s being asked. A good questionnaire is thorough but intentional. That means only asking questions you need to be answered.
•    Factor in inherent bias. Because questionnaires are answered by the vendor being assessed, the responses will never be fully objective.
•    Customize to get better results. Generic questionnaires that ask questions irrelevant to the vendor relationship frustrate the vendor and waste your time. Drilling down on the specifics of the risks associated with environments particular to the vendor ensures getting the best picture of potential risks.

Validation Best Practices

To ensure accuracy, organizations should establish assessment processes and guidelines on how to gather data, review answers, and remedy pending issues. Specific controls should be used to evaluate the vendors’ environments. For example, if your third-party vendor hosts on AWS, AWS-related best practices questions should be asked instead of generic cloud ones. For vendors who use multiple operating environments, each system should have its own set of questions.

ComplyScore uses proven practices to evaluate and verify the accuracy of vendor responses. Questions are separated by asset type, such as the datacenter network, the corporate network, and log management for the different device types. To gain clear, direct insight into the specifics, questions are kept simple and direct, and combining multiple questions into a single question is avoided.

Once you are confident that you are asking the right questions thus enabling the right answers, it is time to move on to other techniques to validate the answers.

The practices used to validate answers include:

•    Documentation review

- Verifying the scope of security-related certifications such as ISO 27001 and SOC 2, and confirming they have been properly renewed.
- Checking the quality of the documentation, verifying consistency of style across documents, and cross-checking that the policies are consistent with one another.
- We find that documents that have not been put into practice lack specificity and generally read differently from mature documents.
- It is a good idea to drill down on such documents when they address critical areas of information security.

•    Discovering, mapping, and scoring a vendor's digital footprint to identify threats and guard against misrepresentation.

- A digital review of a sample of the vendor's online assets reveals whether the documented policies are actually put into practice.
- Multiple open-source tools can be used for this purpose.
- Areas you can analyze include the presence of malware, patching cadence, any history of spam or viruses originating from the vendor, and the vendor's reputation.

•    Assessing a vendor’s website to discern company health, GDPR and other regulatory compliance, and security patch level.

- The overall rating of the website reveals things like attention to detail, compliance with regulations, adequacy of resources, and the general security culture.

•    Conducting a quick 10- to 15-minute interview at the start of the vendor assessment reveals the level of security talent heading the infosec program, the vendor's confidence in its own program, its openness, and other key traits. We have found that these personal interactions reveal a significant amount of information from which the maturity of the infosec program can be inferred.
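One concrete piece of the digital review of online assets described above is rating a vendor's public web endpoint from the headers it returns. The following is an added example written for this page, not ComplyScore's tooling or any tool the post names; the header set it checks, the 180-day HSTS threshold, the 15-point weighting, and the two sample responses are all assumptions constructed for illustration.

```python
"""Rate a vendor-facing web endpoint from its HTTP response headers.

Added example for the 'digital review of online assets' step; not ComplyScore's tooling.
The header set, HSTS threshold, scoring weights and sample responses are assumptions.
"""
import http.client
import ssl

# Headers whose absence costs points, with the finding text to report.
REQUIRED_HEADERS = {
    "strict-transport-security": "HSTS missing: browsers may be downgraded to plain HTTP",
    "content-security-policy": "CSP missing: no mitigation for injected scripts",
    "x-content-type-options": "X-Content-Type-Options missing: MIME sniffing allowed",
    "x-frame-options": "X-Frame-Options missing: page can be framed (clickjacking)",
    "referrer-policy": "Referrer-Policy missing: full URLs may leak to third parties",
}
MIN_HSTS_MAX_AGE = 15_552_000  # 180 days; assumed threshold
POINTS_PER_FINDING = 15        # assumed weighting


def hsts_max_age(value: str):
    """Return the max-age directive of an HSTS header value, or None if absent/malformed."""
    for directive in value.split(";"):
        name, _, number = directive.strip().partition("=")
        if name.lower() == "max-age" and number.isdigit():
            return int(number)
    return None


def rate_headers(headers: dict) -> dict:
    """Score one HTTP response's headers (case-insensitive) and list the findings."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings = [msg for name, msg in REQUIRED_HEADERS.items() if name not in lowered]

    hsts = lowered.get("strict-transport-security")
    if hsts is not None:
        age = hsts_max_age(hsts)
        if age is None or age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age too short or unparsable: {hsts!r}")

    # A product/version banner proves no vulnerability by itself, but it lets the
    # reviewer compare the stated version against current releases (patch level).
    server = lowered.get("server", "")
    if any(ch.isdigit() for ch in server):
        findings.append(f"Server banner discloses product version: {server!r}")

    score = max(0, 100 - POINTS_PER_FINDING * len(findings))
    return {"score": score, "findings": findings}


def fetch_headers(host: str, path: str = "/", timeout: float = 5.0) -> dict:
    """Live variant: one HTTPS GET against a vendor host you are authorised to review."""
    conn = http.client.HTTPSConnection(host, timeout=timeout, context=ssl.create_default_context())
    try:
        conn.request("GET", path, headers={"Host": host, "User-Agent": "vendor-review-example/0.1"})
        return dict(conn.getresponse().getheaders())
    finally:
        conn.close()


# Constructed sample responses (not captured from any real vendor).
WEAK_RESPONSE = {
    "Server": "Apache/2.4.29 (Ubuntu)",
    "Content-Type": "text/html; charset=utf-8",
}
HARDENED_RESPONSE = {
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "no-referrer",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        result = rate_headers(hdrs)
        print(f"{label}: score {result['score']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Run it as-is to score the two constructed responses; to review a live host, pass the result of `fetch_headers("vendor.example")` into `rate_headers`. A score like this is one input to the overall website rating, not a verdict: a missing header is a finding to raise with the vendor, while a version banner is a lead for checking patch cadence against the product's release history.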

Trust and Verify

Information security (InfoSec) questionnaires provide valuable insight into a third-party vendor's risk and security culture. To get the most out of a questionnaire, ask precise questions of each vendor. Enabling vendors to give specific answers reduces ambiguity and improves the validation process. ComplyScore's vendor risk management solutions are designed to streamline the validation process and help you get the most from your vendor questionnaires.

For more information or an evaluation of your company’s questionnaires, don’t hesitate to contact us here.

Tuesday, May 5, 2020

Managing Inherent Risks in TPRM


Vendor Risk Management

A successful vendor management program needs to invest heavily in managing the risks associated with third-party vendors. In TPRM we generally assess risks such as information security risk and compliance risk. However, a one-size-fits-all approach to vendor risk management is not optimal: the program needs to be tailored to the risks associated with the specific engagement(s). The risk associated with the nature of the engagement itself is called the inherent risk. Inherent risk is the risk of a given engagement regardless of the controls the vendor has implemented. It indicates the level of due diligence you need to perform on the vendor.

For an engagement with low inherent risk you may choose to assess basic controls while for a high inherent risk engagement, you may want to do an onsite audit and validate all controls.

What is Inherent Risk?

Mathematically, Risk = Likelihood * Impact.

It is the likelihood of a breach happening multiplied by the impact of the breach on the business.

To explain this better, let us consider 2 scenarios.

In scenario 1, your client is sending sensitive data to Amazon. In scenario 2, they are sending the same sensitive data to a little-known offshore company. Is the inherent risk the same in both scenarios?

In both scenarios the same sensitive data is sent out, so the impact is high regardless of the vendor. The likelihood differs: the likelihood of the data being breached at Amazon is low, while the likelihood of it being breached at a little-known offshore company is high. (If you have no data on which to base likelihood, you may choose the same likelihood for all engagements; if you want to be conservative, choose high.)

The result is that the inherent risk in scenario 2 is higher than scenario 1.

Inherent risk is different from residual risk. Residual risk is the risk that remains after the controls implemented to mitigate the risk have been assessed: the inherent risk scaled down in proportion to how effective those controls are. A fully effective control leaves little residual risk; an absent or ineffective control leaves residual risk close to the inherent risk.

In this article, we are going to focus on Inherent Risk. Let’s start with the basics:

IMPACT and LIKELIHOOD:

Impact helps you figure out what kind of data can be compromised and how much of it. It gives you a sense of the extent of the damage you would incur and the kind of impact it would have on your business. In some cases the loss is financial; in others it is reputational. Which kind of loss would hurt you more? How much damage can you survive? These are questions on which impact gives you clarity.

Likelihood helps you figure out the probability of a breach happening. Determining the likelihood depends on several factors; you can take the highest rating across the factors if you want to be conservative, or take an average. Where is the data accessed from? The rating is typically low if the data is accessed from inside your own office. For offsite access it is medium when the access comes from a country with low perceived corruption (a high score on Transparency International's Corruption Perceptions Index, CPI) and high for all other offsite access. How is the data accessed and/or transferred? The rating is inherently high if access and transfer are manual, to allow for human error; for automated access it is low; and where the data is viewed through a VDI with no data transferred, it is medium.
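The impact and likelihood factors above, carried through to a score with Risk = Likelihood * Impact, as an added example written for this page rather than ComplyScore's own scoring engine. The 1-to-3 ordinal scale, the record-count thresholds, the 60-point CPI cut-off, the details filled in for the post's two scenarios, and the residual-risk formula (inherent risk scaled by the share the controls fail to remove) are all assumptions.

```python
"""Inherent-risk scoring along the lines the post sketches: Risk = Likelihood * Impact.

Added example, not ComplyScore's scoring engine. The 1-3 ordinal scale, the record-count
thresholds, the CPI cut-off, the scenario details and the residual-risk formula are assumptions.
"""
from statistics import mean
from typing import List, Optional

LOW, MEDIUM, HIGH = 1, 2, 3
LABEL = {LOW: "low", MEDIUM: "medium", HIGH: "high"}

# ---- Impact: what kind of data, and how much of it, the vendor can expose ----
DATA_SENSITIVITY = {"public": LOW, "internal": MEDIUM, "sensitive": HIGH}


def impact_rating(data_class: str, record_count: int) -> int:
    """Impact is the worse of data sensitivity and data volume (volume thresholds assumed)."""
    if record_count >= 100_000:
        volume = HIGH
    elif record_count >= 1_000:
        volume = MEDIUM
    else:
        volume = LOW
    return max(DATA_SENSITIVITY[data_class], volume)


# ---- Likelihood factors, as the post describes them ----
def location_factor(onsite: bool, cpi_score: Optional[int] = None) -> int:
    """Where the data is accessed from.

    Inside your own office: low. Offsite from a country with a high Corruption
    Perceptions Index score (low perceived corruption): medium. Any other offsite
    access, including an unknown CPI: high. The 60-point cut-off is an assumption.
    """
    if onsite:
        return LOW
    if cpi_score is not None and cpi_score >= 60:
        return MEDIUM
    return HIGH


ACCESS_METHOD = {
    "automated": LOW,           # machine-to-machine transfer, little room for human error
    "vdi_no_transfer": MEDIUM,  # viewed through VDI, no data leaves your environment
    "manual": HIGH,             # people move the data by hand
}


def likelihood_rating(factors: List[int], conservative: bool = True) -> int:
    """Take the highest factor (conservative) or the rounded average."""
    if not factors:  # no likelihood data at all: assume the worst
        return HIGH
    return max(factors) if conservative else round(mean(factors))


def inherent_risk(impact: int, likelihood: int) -> int:
    return likelihood * impact  # 1..9 on this scale


def residual_risk(inherent: float, control_effectiveness: float) -> float:
    """Inherent risk scaled by the share the controls fail to remove (effectiveness in [0, 1])."""
    if not 0.0 <= control_effectiveness <= 1.0:
        raise ValueError("control_effectiveness must be between 0 and 1")
    return inherent * (1.0 - control_effectiveness)


def assess(engagement: dict, conservative: bool = True) -> dict:
    impact = impact_rating(engagement["data_class"], engagement["record_count"])
    factors = [
        location_factor(engagement["onsite"], engagement.get("cpi_score")),
        ACCESS_METHOD[engagement["access_method"]],
    ]
    likelihood = likelihood_rating(factors, conservative)
    return {"impact": LABEL[impact], "likelihood": LABEL[likelihood],
            "inherent_risk": inherent_risk(impact, likelihood)}


# The post's two scenarios, with constructed details for the factors it does not spell out.
SCENARIO_1 = {  # sensitive data sent to a large, well-known cloud provider (automated, US-hosted)
    "data_class": "sensitive", "record_count": 250_000,
    "onsite": False, "cpi_score": 69, "access_method": "automated",
}
SCENARIO_2 = {  # the same data sent to a little-known offshore company that handles it by hand
    "data_class": "sensitive", "record_count": 250_000,
    "onsite": False, "cpi_score": 40, "access_method": "manual",
}

if __name__ == "__main__":
    for name, engagement in (("scenario 1", SCENARIO_1), ("scenario 2", SCENARIO_2)):
        print(name, assess(engagement))
    worst = assess(SCENARIO_2)["inherent_risk"]
    print("scenario 2 residual risk with 80%-effective controls:", residual_risk(worst, 0.8))
```

With these factors scenario 1 scores 6 (high impact, medium likelihood) and scenario 2 scores 9 (high impact, high likelihood), so the ordering matches the post. Scenario 1 lands at medium rather than the post's low because vendor reputation is not one of the factors the post lists; if you want that to count, add a vendor-maturity factor to `assess` alongside location and access method.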

CATEGORIES of RISK

Inherent risk can be categorized into different areas:

Technology – the risk you face due to a failure in the vendor’s technology,

Compliance- is the vendor being compliant in the manner in which the data is handled,

Finance- the risk you might incur if the vendor fails to deliver,

Legal- the risk you face when the vendor does not keep up with the laws and regulations,

Privacy- the risk you face if your vendor does not put sufficient controls in place to protect the privacy, and

BCP (Business Continuity Planning) – the risk you face if the vendor goes out of business or cannot continue to deliver.

Which risk areas are assessed depends on the type of engagement between the vendor and the client, so once the engagement type is determined, an inherent rating can be assigned.

For each area or category of risk to be assessed, you will need to develop specific factors from which to calculate impact and likelihood. As we saw above for cybersecurity risk, the impact depends on the type and volume of data accessed, and the likelihood depends on how and from where the data is accessed. Develop similar factors for each area.

QUESTIONS TO ASK:


In this part, we will cover the bare minimum questions you need to ask to help you calculate the inherent risk.

You need to know:

Access to the data: Is access to sensitive data separated by roles and responsibilities? Is there hierarchical access and ownership of the data? Or is it a free-for-all?
Storage and protection of data: Is it in a place with open access? Are there controls in place to safeguard it?

Physical controls: Are there physical controls in place? Is the room hosting the data locked? Is there keycard access in place?

Here is a snapshot of some of the questions posed by our vendor risk management solutions to assess our clients' risk. Contact us to learn more about ComplyScore's IT vendor management services.


Monday, April 20, 2020

Value of a Third-Party InfoSec Assessment Program

Vendor Governance

Background:


Information security (InfoSec) professionals know that their infosec program is only as strong as its weakest link. Third-party (3P) vendors with access to sensitive data are generally regarded as that weak link, hence the focus on securing them. However, given the scope and potential cost of securing this link, and doubts about the assessment methodology, it is easy to question the value of a third-party vendor risk management (TPRM) program. InfoSec managers are often challenged by their leadership to prove the value of the TPRM program.

As a leading vendor risk management company, at ComplyScore we manage thousands of assessments annually and are asked to assist in showing the value of the program. Here are some points that I would like to share with you.

Let us first consider what happens if you do not have a strong IT vendor management program, by looking at instances where companies suffered because of their vendors.

Visser Precision: In Feb of 2020, a data breach at Visser compromised contract data, pricing and other highly sensitive details of companies like Tesla, Lockheed Martin and SpaceX.

LabCorp: Starting in August 2018, a breach at LabCorp's collections vendor, American Medical Collection Agency (AMCA), compromised the data of almost 7.7 million patients.

Home Depot: In 2014, a data breach compromised the credit card details of almost 56 million customers. The attackers used credentials stolen from a third-party vendor to gain access.

Target: In 2013, almost 40 million customer credit and debit card details were compromised in a breach. The culprit? Again, a third party, whose network credentials were stolen and used to get in.

These are just a few of the reported incidents I have used as examples. They demonstrate that despite increasing awareness of cybersecurity, and despite the huge amounts companies spend on security, third-party breaches remain one of the weakest links.

Now, let us look at the impact of these incidents.

Visser has taken a hit to its reputation from this breach. The magnitude and details are still being assessed, but sensitive contract details such as pricing and manufacturing information were compromised.

LabCorp spent almost $2.5 million after the breach to ramp up its security. A class-action lawsuit is pending.

Target: $18.5 million in settlements; the CEO had to resign.

Home Depot – $25 million in settlement.

On average (from what I have read, it is $3.92 million), companies have spent over $4 million in settlements. Additionally, there is the damage to reputation and customer confidence, countless hours spent on investigations and lawsuits, and even the forced resignation of the CEO.

That is a steep price to pay.

These incidents remind us about the potential impact if you do not have a methodical approach to TPRM.

General Consensus

The Allianz Risk Barometer 2019 ranked cyber incidents among the top three areas of concern. Another interesting insight comes from Deloitte. In a survey Deloitte conducted between March and July 2018 with respondents from 94 financial institutions around the world, almost 67% of respondents named cybersecurity as one of the top three challenges they will face and a risk they expect only to grow. More interesting still, respondents felt fairly confident about handling breaches involving disruptive attacks, financial loss, and loss of customer data, but much less confident about breaches originating from nation states and from third-party providers. The survey, together with the examples above, shows that we need to be proactive in addressing the issue, and proactive now.

Now that we have enough data to convince the leadership that TPRM is essential as part of a robust vendor management system, and needs to be done, let us talk about the cost and ROI. In short, let’s talk numbers:

With data breaches, the losses generally run into millions of dollars. Companies take a hit to their reputation; some have had to file for bankruptcy. Compare that with the cost they would have incurred by being proactive. Assessments are scaled to the level of risk, and ComplyScore performs vendor risk assessments for as little as $200 per assessment. So for $250K to $500K you can assess and secure a major part of your supply chain and de-risk your company to a great extent. That is a significant ROI.

Value of assessments

You might ask, "How reliable is the questionnaire-based approach?" I have seen that many clients are initially apprehensive about the process and its reliability. For those with questions and apprehensions, there are ways and means to ensure that the assessments are answered honestly, and the security rating agencies add value as well. ComplyScore will cover the value and reliability of questionnaires, and how to validate the answers, in an upcoming blog.

I hope I have covered some talking points you can use to make the case for TPRM with your leadership. Cyber incidents will only become more frequent. You need to secure your organization by diligently including TPRM and supplier risk management in your organization's vendor governance program. Address it now: contact us and request your demo today.
