Got a vendor risk management strategy defined? Need help? You’re not alone.

Introduction

People are not inherently good at defining strategies. This is a problem. The problem is worse when considering information security strategy, and worse still when considering vendor (and third-party) security risk management strategy. These assertions come from observations made over more than 25 years, working with a wide variety of organizations.

If you engage in vendor risk management activities, you should have a strategy defined. If you don’t have a strategy, then you’re going to be less effective in achieving anything meaningful to the organization.

This article is dedicated to helping you define an effective vendor security risk management strategy. An effective strategy will help you achieve your organization’s goals with measurable results.

Rule of Thumb: The larger the effort, the more important the strategy. In terms of vendor risk management:

  • More vendors = more important.
  • More people involved in vendor management = more important.

Now, let’s define a basic strategy together.

Start with why.

Strategies start with why. If yours doesn’t, it’s probably not a good strategy.

Another word for why is purpose. I prefer why because it seems that people can relate to it better. I think this is because they can keep asking themselves why for every piece, part, and process in whatever it is we’re trying to accomplish.

Simple question. Why are you doing, or thinking about doing, vendor security risk management? If you don’t know the answer to this, then you have no “why”.  If you struggle with your “why”, look at some of these common ones, and consider them when developing yours:

  • We want to manage vendor security risk well.
  • We have to do it because our regulator told us we had to.
  • We want to be defensible, meaning to be able to defend ourselves in court when/if a vendor-related breach occurs.
  • Everybody else is doing it, so we should do it too.
  • We suffered from a vendor-related security breach in the past, and we don’t want it to happen again.

I’ll tell you our why, where I work. We believe that managing risk is core to the definition of information security. We can’t manage information security without managing risk. Vendors pose a risk to the security of our information, so managing risk must include vendors; therefore, vendor security risk management is core to our security program.

There it is; we do vendor security risk management because we believe that it is core to our security program.

You can have more than one why, and I actually encourage it. The more you have, the more focus it can bring. Now, document your why. Document it so you don’t forget it, so you can share it with others, and so you can make sure other parts of your strategy align with it.

Set goals.

Our goals are set by what we define as success.

Goals must be…

  • Measurable.
  • Associated with some function of time (timeline, timeframe, deadline, etc.).
  • Aligned with our why.

Think of the ways you can set measurable goals on a timeline that enables your why to be adequately supported. Your why may be different than ours, but I’ll use us as an example again. We’ll use SecurityStudio in our example. Not only do we sell SecurityStudio, but we certainly use it too!

Our Why:

We believe that vendor security risk management is core to our security program

Goals:

To support our vendor security risk management efforts, we have defined the following goals:

  • 100% of all vendors will be inventoried in a central repository by 3/1/2019.
  • 100% of all vendors will be classified according to inherent risk (sometimes called “impact”) by 6/1/2019.
  • All high and medium impact vendors will be assessed for residual risk by 1/1/2020.
  • Every vendor will be re-classified on an annual basis by the 1st of each year.
  • All high impact vendors will have a S2SCORE of 660 or higher by 6/1/2020; any exceptions must be formally approved by the business unit Vice President.
  • All medium impact vendors will have a S2SCORE of 660 or higher by 6/1/2020; any exceptions must be formally approved by the business unit Vice President.
  • At no time will a vendor S2SCORE of 600 or less be accepted by the organization.
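Goals like the ones above are only useful if somebody checks the vendor register against them on a schedule. The following is an added example, not SecurityStudio code or output: it evaluates a constructed vendor register against the score thresholds, the exception rule and the annual re-classification goal stated above. The record fields (impact, classification date, S2SCORE, who approved an exception), the vendor names and all score values are assumptions constructed for the example.

```python
"""Added example (not SecurityStudio code): check a vendor register against
the goals listed above. Record fields, vendor names and S2SCORE values are
constructed sample data."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

TARGET_SCORE = 660   # goal: high- and medium-impact vendors score 660 or higher
HARD_FLOOR = 600     # goal: a score of 600 or less is never accepted
REVIEW_DAYS = 365    # goal: every vendor is re-classified annually
IMPACT_LEVELS = ("high", "medium", "low")


@dataclass
class Vendor:
    name: str
    impact: Optional[str] = None          # None = not yet classified
    classified_on: Optional[date] = None
    s2score: Optional[int] = None         # None = not yet assessed
    exception_approved_by: Optional[str] = None  # assumed field: approving VP


def classification_current(v: Vendor, today: date) -> bool:
    return v.classified_on is not None and (today - v.classified_on).days <= REVIEW_DAYS


def check_vendor(v: Vendor, today: date) -> List[str]:
    """Return the goal violations for one vendor (empty list = compliant)."""
    findings: List[str] = []
    if v.impact not in IMPACT_LEVELS:
        findings.append("unclassified")
        return findings                   # nothing else can be judged yet
    if not classification_current(v, today):
        findings.append("classification stale")
    if v.impact in ("high", "medium"):    # low-impact vendors need no score here
        if v.s2score is None:
            findings.append("not assessed")
        elif v.s2score <= HARD_FLOOR:
            # The hard floor cannot be waived by an exception.
            findings.append(f"score {v.s2score} at or below hard floor {HARD_FLOOR}")
        elif v.s2score < TARGET_SCORE and not v.exception_approved_by:
            findings.append(f"score {v.s2score} below {TARGET_SCORE} without VP exception")
    return findings


def goal_report(vendors: List[Vendor], today: date) -> Dict[str, object]:
    """Summarise progress against the goals for leadership reporting."""
    classified = [v for v in vendors if v.impact in IMPACT_LEVELS]
    must_assess = [v for v in classified if v.impact in ("high", "medium")]
    assessed = [v for v in must_assess if v.s2score is not None]
    violations: Dict[str, List[str]] = {}
    for v in vendors:
        found = check_vendor(v, today)
        if found:
            violations[v.name] = found
    return {
        "total": len(vendors),
        "classified_pct": round(100 * len(classified) / len(vendors), 1) if vendors else 0.0,
        "assessed_pct": round(100 * len(assessed) / len(must_assess), 1) if must_assess else 100.0,
        "violations": violations,
    }


# Constructed sample register (assumption: not real vendors or scores).
AS_OF = date(2020, 6, 1)
SAMPLE_VENDORS = [
    Vendor("Acme Printing", "high", date(2020, 3, 1), 700),
    Vendor("CloudHost", "high", date(2019, 9, 1), 640, exception_approved_by="BU VP"),
    Vendor("Insurance Broker", "medium", date(2019, 1, 15), 650),
    Vendor("Lawn Service", "low", date(2020, 1, 2)),
    Vendor("Payment Processor", "high", date(2020, 2, 1), 590),
    Vendor("Unknown SaaS"),
]

if __name__ == "__main__":
    for key, value in goal_report(SAMPLE_VENDORS, AS_OF).items():
        print(f"{key}: {value}")
```

Note that the hard floor is checked before the exception rule: an approved exception can cover a score between 600 and 660, but the goals say a score of 600 or less is never accepted, so the check refuses to waive it.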

Define how.

Now this is where the rubber meets the road. A strategy is worthless if it can’t be enacted or executed against. How will we accomplish our goals? In order to achieve the goals that we’ve set, we’re probably going to need something, or maybe a lot of somethings.

Obviously, one of the things that we leverage is SecurityStudio. If you don’t use SecurityStudio, you can either choose to use it, or you’ll need to find something else. If you’re unsure of SecurityStudio and/or how to implement it, schedule a demo with us today. Whatever you use, it must allow you to accomplish all of your goals. SecurityStudio is one thing, but you’re going to need more. You’ll also need (at a minimum):

  • A policy. See our previous article about developing and using a vendor security risk management policy (/blog/vendor-risk-management-policy/). There’s even a free policy template there.
  • Personnel (or time). Somebody will need to do the work. SecurityStudio takes all of the dirty work out of the way, but there still needs to be some involvement. We have a vendor risk management ROI calculator if you’re interested in how much time and money is saved when you use SecurityStudio versus manual processes.
  • Training. The people who will be involved with vendor risk management are going to require some training. SecurityStudio is simple to use, but it’s still good to do some brief training anyway.
  • Procedures. Step-by-step guidance will ensure that the same thing is done every time. This gives us the ability to tweak things and make things more efficient.
  • Budget. Everything costs money nowadays, hard and soft dollars.

That does it for the how. Now combine the high-level how information into your strategy, and give everything a sanity check. Does everything fit, or do you need to adjust? I’ve gone through this same exercise with large companies, and it’s not uncommon to revisit all, or part of the strategy many times before you nail it.

Good luck! If you need help, contact us!

s2core

Estimate your score or book free demo today

It’s easy for an organization to get caught up in establishing policies, workflows, and procedures for vendor risk management. Without context as to why these policies are important, and without stressing this to your team, many will lose sight of the primary goal of vendor risk management – to put the organization in a defensible position. An organization owes it to their customers. Vendor risk management reaches that defensible position by taking inventory of all vendors, measuring how much of a risk each vendor poses, assessing each vendor objectively, and then systematically repeating this process. That’s a hefty goal, so let’s break it down.

Inventory – Taking inventory of all vendors

The first step to mitigating risk is to take inventory of all vendors. This list includes everything from the organization’s HVAC technician, cleaning service, insurance broker, and even the free online software provider. These are all considered vendors, and while not all of them have the same access to sensitive information, many vendors will have some access to the organization’s information either physically or otherwise. The goal of taking inventory of your vendors is to make sure that all the vendors within an organization are accounted for. Quite simply, you don’t know what you don’t know.

Classify – Measuring how much of a risk each vendor poses

Not all vendors will have access to the same amount of information, but it’s important to sort your vendors into buckets.  Using the same classification method puts all your vendors into perspective, and puts the organization in a defensible position.  The HVAC technician won’t necessarily have the same impact as an insurance broker that has access to sensitive information.  However, both vendors pose a risk – SecurityStudio has three impact levels – high, medium, and low.  By classifying vendors objectively, the right course of action can be taken to assess them appropriately. 

Assess – Assess each vendor so that the appropriate action can be taken

The goal of the assessment process is to make sure that the right questions are being asked, and that the same questions are being asked of all vendors within the same bucket. This again will put the organization in a more defensible position. The goal of the assessment process is to be as objective as possible and to complete due diligence. It’s important to ask these questions now, so that in the case of an adverse event, the organization is still defensible. Tools like SecurityStudio make it easy. SecurityStudio offers a comprehensive list of questions, and the program tags who answers the questions and timestamps when the questions are answered. The ultimate goal of the assessment is to have an objective overview of the vendor’s security posture so that the organization is able to make an informed decision to either go into business or continue doing business with the vendor. Once the results of the assessment are given, then it’s a matter of replicating the process on a regular, timely basis, or as the business relationship changes.

Now that the goal is broken down, it puts things in perspective.  Yes, organizations are pressured to develop a vendor risk management program by regulatory laws, but it’s more than that.  It’s just the right thing to do.  Organizations owe it to customers to make sure that the information they provide is secure by mitigating risk the best they can and putting themselves in a defensible position.  This is the primary goal of vendor risk management.

To put your goals to action and get an easy-to-use automated workflow that evaluates all third-party vendors and brings your weakest links to the surface, schedule a demo with us today!

Vendor Risk Management Goals

For most organizations, measuring vendor risk management is extremely difficult, if not impossible. That’s because they’re either doing nothing to manage vendor security risk or they are using a method that isn’t conducive to measurement.

Here are a few helpful statistics to measure in any VRM program:

  • Overall risk exposure
  • Trending of overall risk
  • Riskiest vendors both from an operational risk standpoint as well as impact
  • Individual vendor trending
  • Number of total vendors
  • Number of high risk vendors
  • Specific areas that are a significant risk across multiple vendors
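The statistics above are only reportable if the assessment data is kept in a form that can be queried. The following is an added example, not SecurityStudio’s own reporting: it computes each statistic in the list from a constructed assessment history. The S2SCORE target of 660 is taken from the goals in the first post; the impact weighting, the per-area scores (administrative, physical and technical, on an assumed 0-100 scale), the definition of a high-risk vendor as one scoring below the target, and all vendor data are assumptions made for the example.

```python
"""Added example (not SecurityStudio reporting code): compute reportable VRM
statistics from a constructed assessment history. Weighting, area scale and
the high-risk rule are assumptions; vendor data is constructed."""
from collections import defaultdict
from datetime import date
from typing import Dict, List, NamedTuple, Optional, Tuple

TARGET = 660                                     # score goal from the first post
IMPACT_WEIGHT = {"high": 3, "medium": 2, "low": 1}  # assumed impact weighting
AREA_WEAK = 60                                   # assumed: area score below this is a gap


class Assessment(NamedTuple):
    vendor: str
    impact: str
    when: date
    s2score: int
    areas: Dict[str, int]   # control area -> score on an assumed 0-100 scale


def _latest(history: List[Assessment], as_of: Optional[date] = None) -> Dict[str, Assessment]:
    """Most recent assessment per vendor, optionally as of a past date."""
    latest: Dict[str, Assessment] = {}
    for a in sorted(history, key=lambda a: a.when):
        if as_of is None or a.when <= as_of:
            latest[a.vendor] = a
    return latest


def shortfall(a: Assessment) -> int:
    """How far a vendor sits below the target score (0 if at or above it)."""
    return max(0, TARGET - a.s2score)


def overall_exposure(history: List[Assessment], as_of: Optional[date] = None) -> float:
    """Impact-weighted average shortfall across the latest assessments."""
    latest = _latest(history, as_of)
    if not latest:
        return 0.0
    weighted = sum(IMPACT_WEIGHT[a.impact] * shortfall(a) for a in latest.values())
    return weighted / sum(IMPACT_WEIGHT[a.impact] for a in latest.values())


def exposure_trend(history: List[Assessment]) -> List[Tuple[date, float]]:
    """Overall exposure recomputed at each assessment date (trending)."""
    return [(d, round(overall_exposure(history, d), 2)) for d in sorted({a.when for a in history})]


def riskiest_vendors(history: List[Assessment], n: int = 3) -> List[str]:
    """Rank by impact-weighted shortfall, then by impact for ties."""
    ranked = sorted(_latest(history).values(),
                    key=lambda a: (IMPACT_WEIGHT[a.impact] * shortfall(a), IMPACT_WEIGHT[a.impact]),
                    reverse=True)
    return [a.vendor for a in ranked[:n]]


def vendor_trend(history: List[Assessment], vendor: str) -> List[Tuple[date, int]]:
    """Score history for one vendor, oldest first."""
    return [(a.when, a.s2score) for a in sorted(history, key=lambda a: a.when) if a.vendor == vendor]


def vendor_counts(history: List[Assessment]) -> Dict[str, int]:
    latest = _latest(history)
    return {"total": len(latest),
            "high_risk": sum(1 for a in latest.values() if a.s2score < TARGET)}


def weak_areas(history: List[Assessment], min_vendors: int = 2) -> Dict[str, List[str]]:
    """Control areas that are weak across several vendors at once."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for a in _latest(history).values():
        for area, score in a.areas.items():
            if score < AREA_WEAK:
                hits[area].append(a.vendor)
    return {area: sorted(v) for area, v in hits.items() if len(v) >= min_vendors}


# Constructed sample history: two annual cycles for four vendors (assumption).
HISTORY = [
    Assessment("Acme Printing", "high", date(2019, 6, 1), 700, {"administrative": 80, "physical": 75, "technical": 85}),
    Assessment("CloudHost", "high", date(2019, 6, 1), 620, {"administrative": 55, "physical": 70, "technical": 65}),
    Assessment("Insurance Broker", "medium", date(2019, 6, 1), 640, {"administrative": 50, "physical": 80, "technical": 70}),
    Assessment("Lawn Service", "low", date(2019, 6, 1), 600, {"administrative": 40, "physical": 60, "technical": 50}),
    Assessment("Acme Printing", "high", date(2020, 6, 1), 720, {"administrative": 85, "physical": 80, "technical": 88}),
    Assessment("CloudHost", "high", date(2020, 6, 1), 670, {"administrative": 65, "physical": 72, "technical": 70}),
    Assessment("Insurance Broker", "medium", date(2020, 6, 1), 630, {"administrative": 48, "physical": 82, "technical": 72}),
    Assessment("Lawn Service", "low", date(2020, 6, 1), 610, {"administrative": 45, "physical": 65, "technical": 55}),
]

if __name__ == "__main__":
    print("exposure trend:", exposure_trend(HISTORY))
    print("riskiest:", riskiest_vendors(HISTORY, 2))
    print("counts:", vendor_counts(HISTORY))
    print("weak areas:", weak_areas(HISTORY))
```

Recomputing exposure "as of" each assessment date, rather than storing a running figure, keeps the trend reproducible from the raw records, which is what a board or regulator will ask to see behind a chart.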

Your VRM program should be reportable.  Most C-suites or boards would like an update at some frequency on both the overall security program but also the VRM program.  Having these types of statistics easily reportable is a huge plus to the information security program in general.

Use statistics like these to keep leadership informed of the current state of the program as well as to justify the need to continue managing 3rd party risk.

SecurityStudio leverages S2SCORE in order to be able to give you all the statistics and reports you need to stay on top of your VRM program. Schedule a demo with us today so see how we can help with your VRM program!

Vendor risk management (VRM) best practices conjure up all manner of interpretation. As a business leader, I’m concerned with all aspects…

  1. Are my vendors financially stable enough to fulfill our agreements?
  2. Are my vendors operationally capable of fulfilling our SLAs and contractual requirements?
  3. Are my vendors doing enough to protect the data I’m sharing with them?

Numbers one and two are easy to measure and offer a mathematically sound position by which vendors may be held accountable. Number three scares me.

What are we to do in the face of daily news, very public and embarrassing news, of vendors’ indiscretions leading to the breach of sensitive information? More questions lead to more questions and on and on it goes.

As a company on the rise, including an ever-growing number of vendors and third-parties in the ecosystem, the need to do due diligence on data protection is ever increasing. Here’s the thing – it doesn’t have to be technical or out of reach if you’re not a technically-minded person. Understanding risk is the lynchpin to the process.

Defensible Position

Defensible position is the mantra of VRM. Say it with me – “Defensible Position.”

Start here – put ALL of your vendors through the same wringer. When doomsday (a breach) happens, the only defense you have is that a process was followed and that exceptions to that process were minimal and for a VERY good reason.

Example:

  • Jerry’s lawn service handles landscaping services for your business. Jerry and his team never set foot into your office; they just mow the lawn and keep the flowers alive. Still, Jerry should be able to withstand a brief questioning about the nature of your relationship, be filed under the “low risk” designation, and be put into a queue to review in a year. If, by next year, Jerry is also providing maintenance services INSIDE your building, you should ask more questions because Jerry and his team may have physical access to information they didn’t have before. Make sense?

Jerry’s likely not a risk if he’s outside your doors. He’s a potential HUGE risk once he has access to the office. Keep an eye on that with a standard process to reevaluate all vendors like Jerry on (at least) an annual basis.

Assess

Once you’ve put your vendors through the “smell test” of risk (officially called ‘classification’) then move onto assessing whether or not they are doing the right things with their access to your information. There are a number of ways to do this, but in the interest of being in a DEFENSIBLE POSITION, make sure all vendors of a particular classification (high, medium, critical, etc.) get the same assessment.

Lawyers love words like “assume, thought, maybe, about, approximately, etc.” so eliminate that possibility. By measuring your vendors with the same ruler, you take subjectivity out of the equation. Starting to see the advantage, here?

  1. You cannot protect yourself from the breach. There, I said it. The skill and nature of the “bad guys” are such that total immunity is impossible. Accept that and move on to managing the risk of the situation. What is the likelihood of a breach? How bad would it be if you were breached? If you don’t have the math to lean on for answers to those questions, your VRM (and overall security strategy) is inadequate. Period.

Five years ago, achieving a well-measured VRM program was incredibly expensive and often reliant on specialized expertise that was in increasingly short supply. Times have changed and there are options out there that have real effectiveness, such as SecurityStudio, which automates the process and puts you in a defensible position.

So, now you’re in a defensible position and at least feel good that you’re doing what’s expected and being responsible. But, there’s a greater responsibility…

2. Help your vendors practice better security. You’re in a position to help the organizations who wouldn’t naturally care about security. Put the basics in place to better protect themselves and you. VRM is a GREAT way to lead your suppliers to best practices while also protecting yourself in a more effective way. It costs you nothing and has (potentially) enormous benefits.

The soapbox is officially unattended. To recap…

  1. Get all of your vendors in a common process.
  2. Rank your vendors according to the same criteria.
  3. Assess your vendors’ security and get some math around their risk to you.
  4. Help your vendors get better – don’t just point out problems and wish them luck.

Please get in touch with me, John Harmon, if you have any questions. There’s a lot of uncertainty and lip-service out there trying to profit from your uncertainty. Lean on people who have the experience and the propensity to serve to help you with VRM, or any other security concerns you have. The good guys are within reach and ready to help.

For an easy-to-use automated workflow that evaluates all third-party vendors and brings your weakest links to the surface, schedule a demo with us today!

A common theme for many organizations is that they don’t have time to do third-party information security risk management, or they don’t have the time to do it right. There are so many competing initiatives in an information security professional’s life, I get it. Do you have a case for not prioritizing third-party information security risk management, or not prioritizing it higher?

Let’s use logic to figure this out together.

NOTE: Notice I use the words “third-party information security risk management” in place of “vendor risk management”, this is because I think one is a little more accurate than the other. Third-party information security risk management usually fits within the scope of a larger vendor risk management program. For this article we’re going to focus on third-party information security risk management.

Three primary questions come to mind when thinking about the importance of third-party information security risk management:

  1. Is there a problem with NOT doing third-party information security risk management?
  2. If so, how big is the problem?
  3. What should you do about it?

Is there a problem?

So, you’ve got other priorities that prevent you from assessing and managing information security risks related to your vendor/third-party relationships. The fact that you have other priorities isn’t a problem, it’s reality. The fact that you may not be prioritizing third-party information security risk management, or that you may not be prioritizing it high enough, could be a big problem.

Inherently, I know two things when it comes to third-party information security risk management:

  1. Nobody cares about the security of my information more than I do.
  2. Third-parties are the cause (directly or indirectly) of most known data breaches.

Nobody cares about the security of my information more than I do.

You know this is true, right? You spend thousands of hours, and many dollars trying to implement and manage good security controls within your organization. You’ve developed sound policies, worked tirelessly to make sure people are trained and aware of good security practices, you’ve spent thousands (maybe millions) on expensive technological controls like firewalls, intrusion prevention, data loss prevention, endpoint protection, and on and on.

You use third-parties to provide certain services to your organization. Maybe printing, maybe hosting, maybe IT support, who knows? Do you think the third-parties you use have spent the same amount of effort in protecting your information? Is thinking they’re protecting your information the same way you are, good enough? Play it out. Stay with me on the logic here.

We know that no matter what we do, we cannot possibly prevent all bad things from happening. We cannot eliminate risk, but risk elimination isn’t the goal anyway. Risk management is the goal and it’s the only thing that’s even remotely attainable.

Let’s say a vendor loses your information (this is more likely than you know, read the next section). Or, let’s say that an attacker gains access to your information through some sort of access that we’ve granted them. What happens next?

You conduct an investigation. Maybe there are lawyers involved. Maybe there’s customer data involved. Maybe you’re not sure. One thing is for certain, somebody isn’t going to be happy. When the right (or wrong) somebody isn’t happy, somebody else needs to pay. The unhappy “somebody” might be a customer or group of customers, a government regulator, or the board of directors. The unhappy “somebody” might be all of the above.

The unhappy somebody is going to want answers. What answers do you think they’re going to want? They’ll want answers to questions like:

  • Did you know that your vendor was doing x, y, and z?
  • Did you ask how the vendor was protecting our information?
  • What sorts of questions did you ask the vendor about protection?

The quality of your answers will often dictate what and how much you’ll have to pay. No answers or bad answers will cost you more. Somebody almost always pays when something bad happens; the degree to which they pay will largely be dependent on what answers they have to defend themselves. This, in a nutshell, is defensibility.

Can ignorance be defensible, claiming you didn’t know any better? Short answer is “no”. The reason is outlined in the next section.

Third-parties are the cause (directly or indirectly) of most known data breaches.

Soha Third-Party Advisory Group conducted a study (Source: http://www.marketwired.com/press-release/soha-systems-survey-reveals-only-two-percent-it-experts-consider-third-party-secure-2125559.htm) last year that concluded the following: “third parties cause or are implicated in 63 percent of all data breaches.” You might be skeptical of this number, but the Soha Third-Party Advisory Group consists of some heavy-hitters in our industry, security and IT experts from Aberdeen Group; Akamai; Assurant, Inc.; BrightPoint Security; CKure Consulting; Hunt Business Intelligence; PwC; and Symantec. I didn’t write the study, but I believe that much of the findings represents the truth.


Soha Third-Party Advisory Group

Can you claim you didn’t know better? When you’re tasked with answering the inevitable questions that are coming your way after a breach, do you really think you can claim you didn’t know?

Compounding the “ignorance as a defense” problem are the following facts:

Third-party data breaches are on the rise, at least in the United States. A study by Opus concluded the “percentage of companies that faced a data breach because of a vendor or third party was higher at 61 percent, which is up 5 percent from last year and 12 percent from 2016”. (Source: https://www.pymnts.com/news/security-and-risk/2018/third-party-data-breaches-cybersecurity-risk/)

A study conducted by Kaspersky Lab concluded that the costliest data breaches are those that involved a third-party, especially for small to medium-sized businesses (SMBs). (Source: https://mobile.itbusinessedge.com/blogs/data-security/breaches-from-third-parties-are-the-costliest.html)

Opus & Kaspersky Lab

Do you need more justification for re-prioritizing third-party information security risk management? Maybe you run a security program based on compliance, only doing what you’ve been told to do. This isn’t a good idea because information security is about risk management, not compliance, but let’s say it’s the way you do things anyway. Compliance is king. What if I told you that regulators and examiners are aware of the risks, and they read the same news we do? They are increasing the pressure around third-party information security risk management, and they’re losing patience with organizations that haven’t taken the risk seriously. It’s better to get ahead of this curve now.

Back to our original question: is there a problem with NOT doing third-party information security risk management? My opinion, using the logic we’ve outlined together, is “yes”. There is definitely a problem with you NOT doing third-party information security risk management.

Are you convinced that you need a third-party information security risk management solution? If so, let’s figure out the right solution. If not, we’ll still be here to help when you become convinced. I promise.

How big of a problem is it?

Our next question was how big of a problem is it, meaning how pervasive is the third-party information security risk management problem in our industry? I promise to provide a short answer.

At a macro-level, relying on my unscientific observations from working with (up to 1,000) clients and discussions with other information security professionals, I would estimate that as many as 90% of the companies ranging in size from 20 – 30,000 employees do not have a third-party information security risk management program of any substance (or formality).

The problem is big in our industry. I would caution against using this as justification for not having your own (program), however. The herd mentality seems to be less and less defensible too.

Our last question: what should you do about it (meaning third-party information security risk management)?

What should you do about it?

For your own good, hopefully I’ve convinced you that not doing anything or deferring this issue until it becomes a higher priority, is not a good option. If not, like I stated previously, we will be here for you when you change your mind.

A well-designed third-party information security risk management program fits the following characteristics:

  1. It’s not disruptive to the business. After all, your business is in business to make money (and/or serve a mission). If information security gets in the way, you’ve got problems.
  2. It’s measurable in a way that you can show progress. Going from nothing, or next to nothing, to a fully implemented third-party information security risk management program is not feasible or encouraged. A solution that allows for gradual adoption over time is the right way to go.
  3. Doesn’t take shortcuts. The definition of information security accounts for administrative, physical, and technical controls. Only accounting for technical controls isn’t going to cut it, especially when we consider the fact that your most significant risk is people.
  4. Organized, standardized, and repeatable. These things make your program scalable and useable. The way to accomplish this is to automate all parts of the program that can be automated, without taking shortcuts.
  5. Intuitive, easy to use, and easy to understand. Third-party information security risk management shouldn’t be rocket science. A well-designed third-party information security risk management solution should be logical, so much so, that you don’t need vast amounts of experience and expertise to run it.

We specifically designed SecurityStudio to fit all the criteria necessary in a best-in-class third-party information security risk management platform. We did so by using more than a combined 100 years of information security experience, and at a reasonable price that doesn’t unnecessarily take away from your other competing information security priorities.

I invite you to speak to a SecurityStudio representative about how SecurityStudio will work for you. Schedule a demo too while you’re at it!

Historical Use of Vendors Over Time

Before we address the purpose of vendor risk management we need to spend a few moments to understand how we got here. Looking back 20 years ago, third-party vendors were used differently and not used as much. We did not perform any sort of vendor risk management. Considerations to use a vendor would be primarily based on cost. Today is a much different picture. We can easily create an entirely new business with a laptop, internet connection and a credit card. Software solutions can be purchased and used within organizations without getting IT involved, thereby skipping the chance to properly evaluate the potential risk. The threat landscape has changed vastly and continues to evolve seemingly faster all the time.

Shift Control from Internal to Third Party

I reminisce about my first job coming out of college.  The large company I worked for didn’t have internet access, we didn’t have email and we didn’t exchange data or allow others to access our data.  All the control was in our hands.  If we suffered some sort of incident it was up to us to fix it and get back on track.  Today we outsource to third-party vendors for strategic reasons (increased efficiencies, new services, focus on core business objectives, etc.). Risky vendors will then increase our risk if not properly evaluated and managed.  The control is shifted from us to the vendor.  How much data are we giving to the vendor?  Does a disruption in the vendor’s ability to provide services create an unaccepted situation?  Does the vendor have a formal approach to securing your data?  Do they have a risk management program that’s formally mandated and supported by their executive management?  Do they treat your data with the same standards as you do?

Purpose of Vendor Risk Management

A lack of a complete and effective vendor risk management program puts organizations at risk. Regulated industries like Finance, Healthcare and Public Utilities all require ongoing risk assessments. The use of third-party vendors needs to be incorporated into the risk assessment. A thorough and efficient vendor risk management program can make a difficult process run more smoothly.

Another reason you should consider a formal vendor risk management approach is to address the business impact risk that’s introduced by utilizing third party vendors.  Your reputation could be tarnished by the actions of a vendor you use.  Your organization could suffer unacceptable downtime or lack of service due to a vendor’s internal (or lack of) business practices.  You could also be affected by a third-party vendor’s financial situation.  If a vendor provides a critical or unique service that is not easily replaced, it’s in your best interest that their finances are in good order.  Can they keep their lights on and provide you with the critical services you pay them for?

In a simple form, the purpose of vendor risk management is making sure that the use of third-party vendors does not introduce a negative impact or business disruption, or damage your reputation. It also puts you in a defensible position by showing you’re practicing proper due care and due diligence regarding information security and vendor risk management.

Vendor Risk Management Process

The vendor risk management process comprises four steps. Once the initial process is started, new vendor and annual vendor reviews will be much faster and simpler to manage.

  1. Identify your vendors – Any individual or company who provides you paid services.  Working with Accounts Payable will cast the biggest net.  Don’t forget about services purchased on a credit card – so check those statements!
  2. Classify your vendors – Now you have the master vendor list you need to classify the vendor into high, medium and low risk categories.  Department managers are typically the best to determine this since they have an idea of the types and amount of data the vendor has access to as well as how the vendor is used and what impact the vendor has on the business.  This can sometimes be difficult at first because some managers might not understand their role in the vendor risk management process.
  3. Assess vendor risk – A risk assessment should be performed on all high and medium risk vendors.  The risk assessment should be the same criteria for all classes of vendors.  Higher risk vendors will be under the microscope a bit more than the medium risk vendors.  Low-risk vendors simply need to be evaluated for risk and documented.  It’s important to show you’ve evaluated and classified ALL vendors, not just the ones you feel are important. 
  4. Risk treatment – Once risks are identified you need to determine if the risk is acceptable or if you will ask or require the vendor to mitigate identified risks. Remediation efforts by the vendor should be monitored, and assurance made to you by the vendor that they did indeed address the risks identified. This might come in the form of a policy developed, audit results, or a verified risk assessment performed by a certified information security expert.

The entire process is repeated on a regular basis, preferably annually.  The initial startup of a vendor risk management program can be daunting but with the correct tools, it doesn’t have to be.

Who Do We Work For?

We all work for someone.  Our industries might be vastly different but the common item we all have is we work for people.  People entrust us with their finances, healthcare data, personal data, retirement funds, school grades, etc., the list goes on and on.  Behind all that data are mothers, fathers, grandparents, aunts, uncles, nieces, nephews, sons, daughters, friends and neighbors.  We owe it to them to do everything we can to protect their data as if it were our own.  This is the REAL purpose of vendor risk management.

If you want an easy-to-use automated workflow that evaluates all third-party vendors and brings your weakest links to the surface, schedule a demo with us today!

s2core

Estimate your score or book free demo today

On September 29, 2018, Baylor Scott & White Medical Center – Frisco, a joint venture managed by United Surgical Partners International (USPI), discovered that more than 47,000 patient records may have been compromised when the hospital uncovered an issue with the credit card processing system of a third-party vendor. The Texas hospital was required to notify federal regulators under the HIPAA Breach Notification Rule.

Data that may have been accessed by hackers includes name, mailing address, telephone number, date of birth, medical record number, date of service, insurance provider information, account number, last four digits of the credit card used for payment, the credit card CCV number, type of credit card, date of recurring payment, account balance, invoice number and status of transaction.

The hospital assures its patients that medical record information and Social Security numbers were not accessed; however, name, address, date of birth and medical record number may have been accessed by hackers. Under HIPAA, name, address, date of birth and medical record number are all considered protected health information (PHI).

Corrective Action

In addition to terminating the relationship with the vendor, Baylor Scott & White Medical Center – Frisco is also offering affected patients or guarantors one year of free credit monitoring services through TransUnion Interactive. However, the damage may have already been done. According to an article by Health IT Security, health information is more valuable than just credit card information or financial data alone, and hackers could sell the information on the dark web for more money than a social security number.

Breaches on the Rise

The U.S. Department of Health and Human Services Office for Civil Rights maintains a breach portal, commonly called the “wall of shame,” of all breaches of unsecured PHI affecting 500 or more individuals. Currently, the list contains more than 400 breaches in just the last 24 months. Each breach is currently under investigation by the Office for Civil Rights.

Some breaches may be inevitable, but healthcare organizations must still do everything in their power to protect PHI and avoid one. To accomplish this, a good vendor risk management program should be implemented. Third-party vendors must be inventoried, classified, and assessed to determine the level of inherent risk they pose to the healthcare organization. Once a vendor is assessed, you can decide whether its level of risk is acceptable, whether it needs to go through a remediation process, or whether you need to discontinue the relationship. By doing so, healthcare organizations show due care and create a defensible position in the event of a breach.


The final step in the third-party vendor risk management process handles how we decide to treat the risks associated with third parties. The most objective method for risk treatment in relation to third-party information security risk management is pass/fail, acceptable/not acceptable. Either the S2SCORE meets (or exceeds) the acceptable level or it doesn’t.  This is key to standardization and defensibility.

Acceptable

If the resulting S2SCORE is acceptable, the review of the third-party information security risk is complete for this cycle. Information security risks for this third party should be reviewed again in the future, according to a schedule defined by your organization.

Not Acceptable

If the resulting S2SCORE is not acceptable, the third party will need to improve one or more of their information security controls to bring their S2SCORE above the acceptable threshold. As is true in real-life information security, there are several things that the third party could do to improve their score. The final determination will be negotiated between you and your third-party provider.

As the third party undertakes remediation, new S2SCOREs are calculated, and remediation continues until an acceptable S2SCORE is obtained. Once an acceptable S2SCORE is achieved, the review of third-party information security risk is completed until the next cycle.

Repeat Reviews

Although the review of third-party information security risk is complete, the cycle must repeat because several factors are likely to change over time. Your organization may change the way you use a specific third party, threats change, and vulnerabilities change over time. The review cycle you decide to adopt is entirely up to you and the resources you have available. The SecurityStudio default is annual.

Annual reviews should start again at the beginning of the process, Phase 1 of VRM – Inventory, by validating the accuracy of your third-party inventory.


As mentioned in Phase 2 – Classification, High and Medium impact third parties need to be assessed for residual risk. Residual risk is another term that isn’t common to all people, so we’ll define it. Residual risk is the amount of risk that remains (residual) after the consideration of controls that are in place and any applicable threats. Residual risk assessments attempt to validate, qualify, and/or quantify risk related to threats and vulnerabilities, using inherent risk as a base input.

The first place to check for residual risk is an assessment that the third party may have already completed; an assessment that is high quality, fits our definitions of “information security” and “risk,” and actually represents risk. For SecurityStudio, this is the S2SCORE. The logic is simple: does the third party have a current S2SCORE or not?

Current Acceptable S2SCORE

If the third party has a current S2SCORE, then Phase 3 – Risk Assessment is complete for now, and the score is evaluated as part of Phase 4 – Risk Treatment. A threshold for S2SCORE must be set by the organization, and an automated comparison is made.

S2SCORE is calculated on a scale from 300 to 850, with 300 representing an infinite amount of risk and 850 representing no risk at all. Since neither infinite risk nor zero risk is possible in practice, every real S2SCORE falls strictly inside that range. Organizations that have not defined their own threshold typically accept the default S2SCORE threshold of 660.

If the S2SCORE is acceptable, meaning it meets or exceeds your threshold, then the process is complete for you and the third party. That’s it!

If the S2SCORE is not acceptable, meaning it does not meet your threshold, then the process remains in Phase 3 – Assessment for next steps. An unacceptable S2SCORE follows the same process as not having an S2SCORE at all.

No Current Acceptable S2SCORE

Third parties that do not have a current S2SCORE and third parties that do not have an acceptable S2SCORE will receive a questionnaire that is commensurate with the level of inherent risk they pose to the organization. Third parties that are classified as High receive the High Residual Risk Questionnaire, and third parties that are classified as Medium receive the Medium Residual Risk Questionnaire.

All notifications to third parties are managed by SecurityStudio so that administrators don’t need to track and manage follow-up tasks.

All questionnaires are completed via an authenticated and secure online portal provided to the third-party provider.

High Residual Risk Questionnaire

By default, the High Residual Risk Questionnaire leverages similar criteria* to those used in calculating the S2SCORE. This is important for (at least) five reasons:

  1. Validation of the questionnaire will result in a genuine S2SCORE that can be reused in other applications.
  2. The common set of criteria allows for better comparisons and consistent baselining across all third parties.
  3. Deliverables from the S2SCORE can be used to build the third-party security program and/or identify the greatest areas of concern accompanied by actionable recommendations. The S2SCORE provides value to the third party in this way.
  4. For the most impactful third parties, an S2SCORE can be validated by personnel who are certified by SecurityStudio® to complete validations. This ensures consistency across organizations that use SecurityStudio and S2SCORE.
  5. Validation of the S2SCORE can be done using in-house personnel, through SecurityStudio, or through any of the SecurityStudio partners. Today there are more than a dozen SecurityStudio partner organizations who are certified to perform validations.

Medium Residual Risk Questionnaire

By default, the Medium Residual Risk Questionnaire leverages the same criteria used in the calculation of the S2SCORE Estimator. The S2SCORE Estimator is a freely available assessment provided to anyone online and is also built into SecurityStudio. The important reasons we chose to use the same criteria include the following:

  1. Any organization, with or without VENDFENSE, can obtain a score at no cost to the third party, and that score can be reused for third-party information security risk management whenever the inherent risk calculation results in a Medium classification.
  2. Ensures consistency within SecurityStudio and all other uses of the S2SCORE Estimator.
  3. The S2SCORE Estimator is an easy, no-cost introduction to everything S2SCORE is and can be used for.

SecurityStudio S2SCORE

The result of the questionnaire process is an S2SCORE. The score is objective and automatic, and if the third party provides accurate and truthful information, the S2SCORE will be a true measurement of information security risk. There are times when you do not believe that the information provided by the third party is accurate and true; those are times when you may want validation. There are also times when a third party is so critical to the success of your organization that you will want validation regardless. Whatever the reason, you are in control.

Now that the third parties have been assessed for residual risk, we move on to Phase 4 of VRM – Risk Treatment.

*Vulnerability scanning data, crime rate index, and natural threat data are not employed in the High Residual Risk Questionnaire but are used in the full S2SCORE and validated S2SCORE.
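The four-step process (inventory, classify, assess, treat) and the Phase 3 / Phase 4 decision flow described above are easier to reason about as one routine that takes a classified vendor inventory and decides what happens next for each vendor. The following is an added example, not SecurityStudio code or any part of VENDFENSE or S2SCORE; it assumes the 300–850 scale, the default 660 threshold and the default annual cycle stated on the page, and it treats a score older than one review cycle as "no current score" (an assumption the page implies but does not state as a number). The vendor names and scores are constructed for illustration. It also handles the edge cases a practitioner trips over: a score outside the published scale, an undated score, an inclusive threshold, and a threshold that itself lies outside the scale.

```python
"""Added example: vendor risk triage modelled on the page's Phase 3 / Phase 4 flow.
Not SecurityStudio code; scale, threshold and cycle length are assumptions taken
from the text above, and the sample inventory is constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Optional

S2SCORE_MIN = 300          # page: "an infinite amount of risk" (theoretical endpoint)
S2SCORE_MAX = 850          # page: "no risk at all" (theoretical endpoint)
DEFAULT_THRESHOLD = 660    # page: default accepted when no threshold is defined
REVIEW_CYCLE_DAYS = 365    # assumption: annual cycle, the page's stated default


class Impact(Enum):
    """Inherent-risk classification from Phase 2 (set by department managers)."""
    HIGH = "high"
    MEDIUM = "medium"
    LOW = "low"


class Action(Enum):
    DOCUMENT_ONLY = "document_only"                         # Low: evaluate, record, no questionnaire
    COMPLETE = "complete_until_next_cycle"                  # current score meets threshold
    HIGH_QUESTIONNAIRE = "high_residual_risk_questionnaire"
    MEDIUM_QUESTIONNAIRE = "medium_residual_risk_questionnaire"


@dataclass(frozen=True)
class Vendor:
    name: str
    impact: Impact
    s2score: Optional[int] = None
    score_date: Optional[date] = None


@dataclass(frozen=True)
class Decision:
    vendor: str
    action: Action
    reason: str


def check_score(score: int) -> int:
    """Reject anything outside the open interval (300, 850); the endpoints are not attainable."""
    if not isinstance(score, int) or not S2SCORE_MIN < score < S2SCORE_MAX:
        raise ValueError(f"S2SCORE {score!r} is outside ({S2SCORE_MIN}, {S2SCORE_MAX})")
    return score


def score_is_current(score_date: Optional[date], today: date,
                     max_age_days: int = REVIEW_CYCLE_DAYS) -> bool:
    """An undated score or one older than a review cycle counts as no score at all."""
    if score_date is None:
        return False
    return timedelta(0) <= today - score_date <= timedelta(days=max_age_days)


def questionnaire_for(impact: Impact) -> Action:
    """Questionnaire commensurate with inherent risk (High -> High, Medium -> Medium)."""
    return Action.HIGH_QUESTIONNAIRE if impact is Impact.HIGH else Action.MEDIUM_QUESTIONNAIRE


def next_step(vendor: Vendor, today: date, threshold: int = DEFAULT_THRESHOLD) -> Decision:
    """Decide what Phase 3 / Phase 4 does with one classified vendor."""
    check_score(threshold)  # a threshold outside the scale would accept everything or nothing
    if vendor.impact is Impact.LOW:
        return Decision(vendor.name, Action.DOCUMENT_ONLY,
                        "low impact: evaluated and documented, no residual risk assessment")
    if vendor.s2score is None:
        return Decision(vendor.name, questionnaire_for(vendor.impact), "no S2SCORE on file")
    score = check_score(vendor.s2score)
    if not score_is_current(vendor.score_date, today):
        return Decision(vendor.name, questionnaire_for(vendor.impact),
                        "S2SCORE is undated or older than one review cycle; treated as no score")
    if score >= threshold:  # "meets or exceeds" -> inclusive comparison
        return Decision(vendor.name, Action.COMPLETE, f"S2SCORE {score} meets threshold {threshold}")
    return Decision(vendor.name, questionnaire_for(vendor.impact),
                    f"S2SCORE {score} is below threshold {threshold}")


def triage(vendors: List[Vendor], today: date,
           threshold: int = DEFAULT_THRESHOLD) -> Dict[Action, List[str]]:
    """Run the whole inventory through next_step and bucket vendor names by outcome."""
    buckets: Dict[Action, List[str]] = {action: [] for action in Action}
    for vendor in vendors:
        buckets[next_step(vendor, today, threshold).action].append(vendor.name)
    return buckets


# Constructed sample inventory; names, classes and scores are invented for the example.
TODAY = date(2019, 1, 15)
SAMPLE_VENDORS = [
    Vendor("payments-processor", Impact.HIGH, 712, date(2018, 11, 1)),
    Vendor("claims-clearinghouse", Impact.HIGH, 640, date(2018, 12, 20)),
    Vendor("cloud-backup", Impact.MEDIUM),                                  # never scored
    Vendor("billing-portal", Impact.MEDIUM, 700, date(2017, 6, 1)),         # stale score
    Vendor("office-coffee", Impact.LOW),
]

if __name__ == "__main__":
    for action, names in triage(SAMPLE_VENDORS, TODAY).items():
        print(f"{action.value}: {', '.join(names) or '-'}")
```

Two design choices are worth noting. The threshold comparison is inclusive, matching "meets (or exceeds)", so a vendor scoring exactly 660 passes under the default. And a stale score is deliberately routed the same way as a missing one rather than silently accepted, because the page's repeat-review rationale (usage, threats and vulnerabilities all change) applies just as much to an old score as to none.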
