Where Is Your Sensitive Data Wp

ID# 11WP0009 Last Modified 01.09.2012 © 2012 FishNet Security. All rights reserved. Corporate Headquarters 1710 Walnut St. Kansas City, MO 64108 • 888.732.9406

Securely Enabling Business

Where is Your Sensitive Data - And Who is Protecting It?
(Keys to managing business partner relationships - Part 1)
By Bill Carver, Director - Governance Risk & Compliance • CISSP, CISM, CRISC



Introduction

As organizations continue to move toward outsourcing and other extended business relationships as part of their primary operating models, the information security risk created by those relationships remains a serious and largely unmanaged issue. Organizations have moved so quickly to enjoy the benefits of the "World is Flat" business model that data security has, in many cases, been relegated to an afterthought. The business plan for many organizations is to outsource a portion of their operations, or in some cases as much as possible. This outsourcing typically involves sharing sensitive information with external partners, and in most situations the sharing organization knows very little about the security posture of those partners. The result has been an increase in the number and severity of data breaches that are a direct consequence of this information-sharing.

Newspapers and other media outlets report stories of corporate data loss almost daily. Businesses feel the financial and reputational impact of these breaches, but they are not the only ones to have recognized that the outsourcing/partnering model carries a data security problem. The U.S. government, along with many state and international governments, has enacted legislation requiring organizations to assess the information security risks associated with their extended business relationships. Regulatory requirements and vertical-specific mandates such as HIPAA, GLBA and PCI DSS, to name a few, all require the assessment of information security risks related to third-party relationships.

These factors have created a situation where organizations have a glaring need to assess the security of their extended business relationships but lack the in-house expertise or resources to execute those assessments. Given the need to avoid even the suggestion of reputational risk, and the potential imposition of sanctions or fines, many organizations feel increasing pressure to implement a business partner assessment program and to get started as soon as possible. (Note: For the purposes of this white paper, the term "business partner" refers to any type of extended partner relationship, including vendors, contractors and other third parties.)


The Challenges

When it comes to assessing the risks related to business partner information-sharing, most organizations are faced with several challenges. One of the primary challenges is not knowing where to start. Many organizations have hundreds, potentially thousands, of third-party relationships. How can an information security professional, tasked with helping protect the organization, possibly handle assessing the overwhelming number of the organization’s business partner relationships? There are so many different assessment methodologies and approaches out there to choose from; where does one begin?

Another challenge is resources. Most information security organizations are stretched thin as it is, even without the added work of assessing the security risks associated with business partners, so managing business partner risk typically takes a backseat to other information security tasks. Some feel that outsourcing certain business operations is a way to "outsource risk." This is a dangerous approach, and it could not be further from the truth. Sharing sensitive information with third parties does not relieve your organization of its obligations for data protection. In fact, sharing sensitive information with outside organizations increases your risk profile, and your obligations along with it. Claiming a lack of resources will not provide a defensible position in the face of a data breach or other information security incident. If you are part of one of the few organizations that already has a formal business partner assessment program, chances are you are struggling with the other challenges inherent in running it: how to assess all of your partners, how to manage and act on the mountains of assessment data, and how specifically partner issues should be handled.

What to do

Tackling the problem of where to begin does not have to be as daunting as it seems. By taking a risk-based "crawl, walk, run" approach, you can make enormous strides toward improving your business partner security profile in a short period of time, without a tremendous drain on your resources.

Step 1: Ensure there is a corporate policy in place related to business partner relationships

Establishing a corporate policy for business partner relationship requirements will ensure that the requirements for data protection are clearly stated in high-level business terms, and will establish the foundation for the business partner assessment program. The policy will also lay the groundwork for enforcement and accountability.


Step 2: Identify the types and risk profile of a majority of your partners

One of the most common mistakes organizations make is trying to assess all of their business partners using the same approach. Not all business partners are created equal, and each type of partner should be assessed in a way that fits it. A simple method to accomplish this quickly and easily is to define business partner "tiers" based on inherent partner risk (e.g., High, Medium and Low). Develop a short set of questions that can be used to identify the inherent risk of a partner. A typical approach may include questions related to:

• Amount and type of information shared with the partner
• The method used to share the information between the organizations
• What the partner does with the data once it is in the partner's possession
• The impact to the business if the partner were not available
• The financial impact that could result from the partner incurring a data breach
• The potential regulatory impact associated with the partner
• Other questions specific to your organization that can help determine the inherent risk profile of a business partner

The questions used to help us determine inherent business partner risk will not provide us with any information about the partner’s security posture; the goal is to understand the “out of the gate” risk the partner presents to the business. This will help us determine the level of effort we apply to each tier of partner as part of the assessment process. We want to ensure that we are spending the most time assessing the partners that present the most inherent risk.

As a general rule of thumb, when determining which partners will be included in the different inherent risk categories, if more than 10-15% of your total partner population falls into the “high risk” category, you may want to consider reevaluating your criteria and scoring algorithms. As we will review in the upcoming sections, high-risk partners will require a substantial amount of effort, and having too large of a population of this type of relationship will compound some of the challenges described earlier. For example, it may be difficult to sustain a business partner assessment program that includes 30% of your partners being in the high-risk category, simply due to the amount of assessment time and remediation time required.

Step 3: Establish the assessment type and frequency requirements for the different partner tiers

Once we have developed our process for “tiering” our business partners, we now must establish the assessment requirements for each category and the necessary frequency of review. Below are some high-level examples of what the assessment activities may include for each category. The examples are by no means exhaustive or appropriate in all situations, but they should provide a foundation for the basic concept of increasing levels of assessment rigor based on inherent partner risk.


Examples:

• Low-Risk level assessment - This assessment type generally consists of an information security questionnaire only. Because of the low level of risk the relationship poses to the organization, a basic, high-level questionnaire is used to determine the security posture of the extended business relationship. The questionnaires vary slightly depending on the type of organization being reviewed and are typically 50–200 questions in length. They are not intended to be exhaustive, but they should give the organization a general understanding of the information security risks related to an external partner. The questionnaires are typically emailed to a partner, then completed and returned. The focus at this level is to ensure that the questionnaires are actually completed, returned and evaluated. Because the partner was determined to be a "low inherent risk," we are comfortable spending only a minimal amount of time on the assessment (approximately 3–5 hours). This approach ensures that we are not simply ignoring the partner, but that the time spent on assessment is commensurate with the level of risk. Based on the questionnaire responses, additional follow-up may be required, but ultimately the level of effort spent on low-risk partners should be small compared to the medium- and high-risk levels.

• Medium-Risk level assessment - Increasing the level of rigor, this assessment typically consists of the same activities as the low-risk assessment plus additional activities. Because of the increased risk the relationship poses to the organization, a questionnaire is still used to determine the partner's security posture, but other assessment activities are added. The questionnaires used at this level are typically more comprehensive, 100–300 questions, and additional information may be requested from the partner, such as:

  – Independent assessment reports:
    ◦ SAS 70 / SSAE 16 (SOC 1) reports
    ◦ PCI DSS Report on Compliance (ROC)
    ◦ Shared Assessments SIG or AUP*
    ◦ ISMS certification (e.g., ISO/IEC 27001)
    ◦ Third-party vulnerability assessments or penetration tests
  – Any supporting information that helps demonstrate the security posture of the third party

*http://www.sharedassessments.org


  At this level we generally also increase the amount of visibility and communication with the business partner. This may include conference calls or potentially even a site visit. By spending more time interacting with the business partner, more information can be gained and a better understanding of its risk profile reached. In most cases, the time spent assessing a medium-risk partner is approximately 10–20 hours, depending on its complexity.

• High-Risk level assessment - Based on the high level of inherent risk these partners present to the organization, this is where we focus the majority of our time and energy. This is not to suggest that the other risk levels do not warrant attention, but sticking to our risk-based approach, we concentrate most intensely on the high-risk relationships. The high-risk assessment typically consists of the same activities as the medium-risk assessment plus additional activities. In addition to a more comprehensive questionnaire and supporting documentation reviews, on-site physical security reviews and interviews are strongly recommended, along with more general on-site time for interviews, inquiry and analysis. Where there are technical components to the relationship, we may also include vulnerability assessments, penetration tests and, potentially, targeted application assessments. At this level the questionnaires are used primarily to prepare for on-site interviews with key personnel of the business partner being assessed. Typically we would expect to spend approximately 80–120 hours, possibly more, assessing each of these partners. Referring back to our recommendation on the number of high-risk partners, you can see why too large a percentage will likely create serious challenges for sustaining the program.

Regarding frequency, as a general practice, low-risk level relationships can be revisited once every two years, whereas medium-risk and high-risk partners should be evaluated annually (unless specific regulations or other factors necessitate a more frequent analysis).

An important note about partner tiers: Don’t forget to reassess the inherent risk of existing partners on an annual basis to ensure they are still properly categorized. Stakeholders within your business will often change the manner in which the partner is being used. They may increase the level and sensitivity of information being shared; there may be changes to the methods of data transmissions or other factors that could increase the level of inherent risk a business partner poses to the organization.
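The tiering in Step 2 and the per-tier effort and frequency in Step 3 can be put together as a small model of the assessment program, which is the quickest way to see whether a given partner population is sustainable. The following Python script is an added illustration and not FishNet code. The six questions mirror the list in Step 2, but the 0–3 answer scale, the tier cut-offs, the 15% High-tier ceiling and the ten sample partners are all assumptions; the hours per assessment use the upper end of the ranges quoted above, and the frequencies are the "every two years / annually" guidance.

```python
"""Risk-based partner tiering and assessment-budget model.

Added illustration for Steps 2 and 3 of the white paper; not FishNet code.
The six questions mirror the paper's list, but the 0-3 answer scale, the
tier cut-offs and the sample partners are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List

# Inherent-risk questions from Step 2. Each is answered on an assumed 0-3
# scale (0 = none / negligible exposure, 3 = highest exposure).
QUESTIONS = (
    "data_sensitivity",     # amount and type of information shared
    "transfer_method",      # how the data is exchanged (portal, SFTP, email ...)
    "partner_processing",   # what the partner does with the data it holds
    "availability_impact",  # business impact if the partner were unavailable
    "breach_cost",          # financial impact of a breach at the partner
    "regulatory_impact",    # regulatory exposure tied to the relationship
)
MAX_ANSWER = 3

# Tier cut-offs on the summed score (0-18). Assumed values; the paper's
# guidance is to retune these if more than ~10-15% of partners land in High.
TIER_FLOORS = (("High", 13), ("Medium", 7), ("Low", 0))
HIGH_TIER_MAX_FRACTION = 0.15

# Step 3 effort (hours per assessment, upper end of the paper's ranges) and
# review frequency (assessments per year: Low every two years, others annual).
HOURS_PER_ASSESSMENT = {"Low": 5, "Medium": 20, "High": 120}
ASSESSMENTS_PER_YEAR = {"Low": 0.5, "Medium": 1.0, "High": 1.0}


@dataclass
class Partner:
    name: str
    answers: Dict[str, int]


def inherent_score(answers: Dict[str, int]) -> int:
    """Sum the answers, refusing incomplete or out-of-range questionnaires
    so that a partner is never silently under-scored into a lower tier."""
    missing = [q for q in QUESTIONS if q not in answers]
    if missing:
        raise ValueError(f"unanswered inherent-risk questions: {missing}")
    for q in QUESTIONS:
        if not 0 <= answers[q] <= MAX_ANSWER:
            raise ValueError(f"{q}={answers[q]} outside 0..{MAX_ANSWER}")
    return sum(answers[q] for q in QUESTIONS)


def tier_for(score: int) -> str:
    """Map a summed score to the first tier whose floor it reaches."""
    for tier, floor in TIER_FLOORS:
        if score >= floor:
            return tier
    return "Low"


def tier_population(partners: List[Partner]) -> Dict[str, List[str]]:
    tiers: Dict[str, List[str]] = {"High": [], "Medium": [], "Low": []}
    for p in partners:
        tiers[tier_for(inherent_score(p.answers))].append(p.name)
    return tiers


def annual_hours(counts: Dict[str, int]) -> float:
    """Assessment hours per year the current tier mix commits the team to."""
    return sum(n * HOURS_PER_ASSESSMENT[t] * ASSESSMENTS_PER_YEAR[t]
               for t, n in counts.items())


def sustainability_report(partners: List[Partner]) -> dict:
    """Apply the paper's two checks: High-tier share and yearly effort."""
    tiers = tier_population(partners)
    counts = {t: len(names) for t, names in tiers.items()}
    total = len(partners)
    high_fraction = counts["High"] / total if total else 0.0
    return {
        "tiers": tiers,
        "counts": counts,
        "high_fraction": high_fraction,
        "over_high_limit": high_fraction > HIGH_TIER_MAX_FRACTION,
        "annual_hours": annual_hours(counts),
    }


def _p(name: str, *scores: int) -> Partner:
    return Partner(name, dict(zip(QUESTIONS, scores)))


# Constructed sample inventory: ten fictional partners, not real vendors.
SAMPLE_PARTNERS = [
    _p("Payroll processor", 3, 2, 3, 3, 3, 3),
    _p("Claims BPO",        3, 3, 3, 2, 3, 3),
    _p("Cloud backup",      2, 2, 2, 2, 2, 2),
    _p("Outside counsel",   3, 1, 2, 1, 2, 2),
    _p("Recruiting firm",   2, 2, 1, 1, 2, 1),
    _p("Print vendor",      2, 1, 1, 1, 2, 1),
    _p("Marketing agency",  1, 1, 1, 0, 1, 1),
    _p("Office supplies",   0, 0, 0, 1, 0, 0),
    _p("Landscaping",       0, 0, 0, 0, 0, 0),
    _p("Catering",          0, 0, 0, 0, 0, 0),
]

if __name__ == "__main__":
    r = sustainability_report(SAMPLE_PARTNERS)
    for tier, names in r["tiers"].items():
        print(f"{tier:6} ({len(names)}): {', '.join(names)}")
    verdict = "RETUNE CRITERIA" if r["over_high_limit"] else "ok"
    print(f"High-tier share {r['high_fraction']:.0%} "
          f"(limit {HIGH_TIER_MAX_FRACTION:.0%}) -> {verdict}")
    print(f"Committed assessment effort: {r['annual_hours']:.0f} hours/year")
```

With the sample inventory, two of ten partners score into High (20%), so the report flags the criteria for retuning even though the absolute numbers look small; the same mix commits 330 assessment hours a year, 240 of them to the two High partners. Scaling the inventory to a few hundred partners makes the paper's point about a 30% High tier concrete: every extra High partner costs roughly six Medium assessments' worth of effort per year. The validation in `inherent_score` matters in practice because an unanswered question scored as zero is the easiest way for a partner to drift into a lower tier than it deserves.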


Step 4: Follow up and remediation activities

One of the common pitfalls of business partner assessment programs is the failure or inability to follow up with business partners on the issues discovered and the remediation required. Once issues are identified with a partner, it is imperative that those issues and the subsequent remediation activities are assigned to named people for accountability and followed through to completion. Identifying risk and then failing to ensure it is managed to your requirements, whether mitigated or formally accepted, may actually work against the intent of developing the program in the first place. Assigning internal "relationship managers," usually from the business area responsible for the partner relationship (or from information security or your project management office), to help manage the process is an effective way to ensure that partners are addressing security issues and that remediation activities are not falling through the cracks.

Step 5: Ensure proper contract language exists

Once the program has been established and the assessment criteria defined, it is necessary to ensure your information security requirements are built into your business partner contracts. When defining those requirements, be sure to include breach notification requirements and the right to assess (including on-site). These are two of the provisions most commonly absent from third-party contracts.

Benefits

There are many benefits to developing and executing a business partner assessment program. From meeting regulatory and vertical-specific mandates to reducing the organization's risk profile, this type of program delivers several invaluable benefits. Even if your organization is not highly regulated, you may not be in a position to withstand the negative publicity that comes from a partner data breach. Reputation risk is critical to almost every organization, and when data breaches occur as a result of partner negligence, the news outlets typically do not elaborate on the partner's involvement but rather focus on the fact that "Company X" (your organization) was responsible for losing sensitive information. That type of damage to your reputation can be difficult for many organizations to overcome.

About FishNet Security

We focus on the threat so you can focus on the opportunity. FishNet Security, the No. 1 provider of information security solutions that combine technology, services, support and training, enables clients to manage risk, meet compliance requirements and reduce costs while maximizing security effectiveness and operational efficiency. For more information about FishNet Security, visit www.fishnetsecurity.com, www.facebook.com/fishnetsecurity and www.twitter.com/fishnetsecurity.

Conclusion

With the outsourcing-focused business model that many organizations are leveraging, information security risks are introduced through external relationships. Any extended business partnership carries the possibility of data-sharing. While sharing sensitive data with business partners may reduce cost or increase efficiency in business operations, it also creates risk for the organization. That risk cannot be passed along to the business partner, and smart organizations will develop strategies for managing the risks associated with using business partners.

An organization's security posture is only as strong as its weakest link, and an extended relationship is often that weak link. Many of the outside services an organization leverages require sharing sensitive data, whether critical proprietary data, employee or customer personally identifiable information, or other non-public information the organization has an obligation to protect. Organizations need to assess the risk associated with these relationships and make decisions about risk mitigation. With this paper, we hope to have provided you and your organization with enough information to get your business partner assessment program "crawling" … maybe even "walking." In our next white paper, Part 2 of this series, we will focus on enhancing the program and expanding on the benefits of a well-performing third-party assessment program. This will include:

• Casting the net – making sure that all third parties are included in the process
• Automation – how to use tools to automate some of the manual assessment processes
• Cost savings – exploring ways to leverage the program to help reduce third-party expenditures across the organization
• Metrics and reporting – understanding key metrics and reporting options that can help demonstrate a return on investment for the program
• Training and awareness – how to promote the program and educate the organization about the requirements and benefits
• Process improvement – looking for ways to continuously evaluate and improve the third-party assessment program