Posts

Information security programs are around to protect the data of the businesses they are a part of. Understanding risk is an important part of that, but ultimately it’s the business’s job to make decisions on what types of risks they are willing to accept. It’s the information security program’s job to make informed recommendations about those risks. Sometimes, though,  those recommendations are ignored.

While it’s important to make decisions that are best for the business, deviating from security recommendations can pose challenges. It’s important that you maintain a simple, standardized, and defensible information security program (and vendor risk management specifically). Certain business decisions detract from that.

Simplify

simplified-vendor-risk-management

We fully understand that a business’s first goal is to make money. That’s why businesses exist. Security programs are meant to create efficiencies that align with your business objectives to be a driving force for profit— not the other way around. However, if you chose to make decisions independent of our security teams’ recommendations, you can actually do the opposite.

Information security programs (and their vendor risk management initiatives in particular) can have a monumental impact on the efficiencies of an organization— especially as it pertains to employee time.

People in information security programs are often required to chase down vendors. You need to have an inventory of all of our vendors so that we know who poses threats to you. In order to do that, your security team will start at accounts payable, get a list of the current vendors your business works on, and then spend ludicrous amounts of time trying to understand the level of risk that vendor poses.

Because your information security professionals have a limited understanding of what each vendor does, they have to get an idea from the person who works with them most closely how their interactions may pose security threats. You now have two employees taking up their time to get this information figured out.

Once this is finally determined, the information security employee is going to send out a questionnaire or spreadsheet to the vendor in hopes that the person on the other end is the right contact, that they’ll fill it out correctly, and that they won’t have to be chased down every three weeks to see if it’s been completed yet.

Do you see how time-consuming this can be?

A vendor risk management tool automates many of these processes. It eliminates the chasing, the back-and-forth, and the manual entry your information security employees would otherwise go through. Because of this, their time can instead be used on the things that will make the most positive impact on your bottom line. The same is true with the non-security employees that have to assist.

You may decide that you don’t want to spend the money on an automated solution to help you smooth down these processes. Doing these things without systems, though, creates unnecessary complexities— and complexity is the enemy of security and business.

Standardize

choosing-to-not-follow-standards

Standards are crucial when it comes to information security. There are rules, guidelines, principles, and best practices that should help feed your information security decision-making.

Information Security Industry Standards

Certain industries have requirements and regulations they are asked to follow with regards to information security. If your organization fits their threshold, you likely have no choice but to comply. While these standards don’t necessarily provide the perfect example of what security is, they do provide good foundational rules to follow. Deviating from the rules of industry standards can have two effects.

This is actually an example of where deviating from rules and standards can be a good thing. As mentioned before, security standards often provide a good foundational base for your security programs, but they are often just that— a minimum requirement that helps you get started. Businesses can (and should) deviate from industry standards by adding to them. Adding measures on top of what the industry standards suggest you accomplish in your security program is an important step in bolstering your protections.

The opposite side of that coin is choosing to skip or ignore standards that are required by your industry regulations. Doing this can severely damage your business. Payment card industry (PCI) compliance is a good example of this. Many small businesses choose not to go through the steps of being PCI compliant because of the time, effort, and money that goes into complying. However, a breach that impacts your customers’ credit card information often creates irreprehensible financial and reputational losses that could end up forcing you to close your doors permanently.

When it comes to vendor risk management, the same concern applies. You can choose to deviate from acceptable industry norms, here too. Some organizations choose to change up the assessment questions that they ask their vendors to complete regarding their risk. Doing so may push you outside the compliance threshold within your industry standards and it also requires someone to justify the changes. Justification relies on subjectivity, rather than objectivity, and makes it significantly more challenging to explain if you needed to defend your decision.

Internal Standards

Standards are one way to get everyone within your business on the same page about things like acceptable risk levels, information security spending, incident response measures, and more. Implementing a set of policies and procedures that are standard across your organization, and across organizations similar to yours, ensures that you’re taking the appropriate measures to mitigate risks and protect your business.

Deviating from your internal standards proves that they aren’t the right standards. If you feel that you need to make decisions that go against the standards of your organization, they clearly aren’t working for your business. And you won’t be able to expect others to follow them if you aren’t either.

Your risk increases as you deviate from standards too. Take the FISASCORE® for example. You can use risk assessment metrics like FISASCORE to set a risk threshold you want your organization and vendors to uphold. You might make a decision that everyone needs to be above a 650 in order to continue working with them. Sometimes, though, the business might feel the need to make a decision outside the standards set in place. You may work with an organization whose business is critical to the success of yours. Therefore, you may want to accept them as a vendor despite their FISASCORE being 550 instead. While it’s important you make these kinds of decisions if you feel they’re critical to the business, it’s also important to understand that this increases the likelihood your data is compromised.

Defend

information-security-rules-standards-and-procedures

Ultimately, creating standards and sticking to them is all about making your organization more defensible in the event that something does go awry and your data is compromised. Breaches do happen. Often. It’s impossible to prevent all breaches.

Deviating from standards makes your business less defensible when a breach happens.

If your business feels they need to make exceptions to rules for its benefit, that’s fine. If you make a system standard, you just have to defend the standard. Make sure you’re taking a logical and objective approach to all of your exceptions before implementing them. This will help you stay defensible (and help you ensure that your decisions aren’t going to have a negative impact on your security).

If you make decisions that deviate from standards, customize systems too much, etc., it becomes increasingly more difficult to explain your case to those who are asking. Unfortunately, a breach’s impact stretches beyond your boardroom. Customers, news outlets, lawyers, and more will be asking questions about how and why things happened the way they did— and what you plan to do about it.

Particularly on the legal side and the industry regulator side of this, you’re going to have to explain why this incident happened. If you make exceptions to rules, you have to defend the logic behind the exception. Why you didn’t go with your standard? This is important to think about as we consider making decisions that extend beyond the scope of industry and internal standards that have already been implemented.

Conclusion

While it’s important for businesses to take information security recommendations seriously, it’s also important to remember that information security programs are around to supplement the business’s objectives. For that reason, businesses should be allowed to make decisions outside the scope of industry and internal security regulations. If they do though, there can and will be consequences. Weighing those consequences can be challenging, and it can be difficult to defend the logic behind any deviations. At the end of the day, make if you’re going to make decisions outside the recommendations of information security standards, ensure they still help your business simplify, standardize, and defend.

Douglas County Hospital is a system of healthcare providers that includes Heartland Orthopedic Specialists, Alexandria Clinic and Osakis Clinic. This 127-bed, non-profit regional hospital and clinics located in Alexandria, MN includes 875 staff and 72 physicians and advanced practice professionals providing integrated health care services to the patients, families and communities they serve.

The hospital is heavily focused on customer care, and because of this, saw a need to keep the organization’s patient data as safe as possible. Its leadership understood that compliance is only a small part of risk management and that it needed to expand its thinking beyond the ordinary security measures. Heating and cooling systems, outside foliage and camera placements were just a few potential vulnerabilities the hospital was looking to measure vulnerabilities on.

asset-management

So, Douglas County Hospital looked to SecurityStudio®.

SecurityStudio® was vital in helping the hospital mature its information security program. It provided an intensive independent review of the hospital’s security practices. To do so, it used the FISASCORE® assessment, a security rating system that measures internal, external, administrative and physical security controls. This assessment was the crucial first step in improving the hospital’s security program, as it indicated strengths, weaknesses and threats that could help determine where the focuses for improvement should lie.

“Our information security program and policies should be based on an independent and unbiased standard. This assessment is helpful as it gives us a foundation on which to mature our program, develop new policies and rework current practices,” Director of Information Security, Joyce Beck said.

“We wanted to understand our security position and its effectiveness. After the assessment we learned that strengthening logical segmentation protocols via restrictive VLAN would protect our overall network from unauthorized access in a more effective way. Systems such as heating, cooling and camera control were given limited access and could only communicate on their assigned VLAN networks,” IT Lead Ryan Engelbrecht added.

The implementation of the additional protocols through the assessment added an additional layer of security to the hospital’s overall security. On top of this, it shifted their focus from reactionary thinking to a proactive mindset with a systematic handling of their known vulnerabilities, and it guided the hospital on recommended lifecycles for its hardware and software.

“Asset management was one of the tools we utilized but not to its fullest potential. Improved documentation was implemented and additional methods for auditing and ensuring the necessary follow through were added. The assessment gave us an approach that was modest and a directive to keep it simple, by starting at square one and building this plan from the ground up. This made the process of managing our hardware less overwhelming and cumbersome,” Engelbrecht said.

The FISASCORE® security assessment not only pinpointed vulnerabilities for immediate improvement but also provided a roadmap for enhancing the overall security posture of Douglas County Hospital. Overall, this open, collaborative and mentoring approach is what made the difference to improving the hospital’s security position now and into the future.

 

 

fisascore

Vendor risk management is a critical portion of every organization’s information security program. The number of vendors the average business works with is growing, and the amount of sensitive data we let them have access to is as well. Despite this, many organizations still struggle to effectively manage the risk of their third-party vendors. By not understanding and handling these risks well, your organization is more prone to experiencing an information security incident through one of these vendors. Do you know where you stand in protecting your data from vendor risk breaches?

Almost all organizations fit into one of four categories when it comes to managing the data risk their vendors pose— none, painful, partial, or good. Let’s find out where you fit.

None

vendor-risk-management-program-category-none

The largest category of the four is the “None” category, in terms of the number of organizations. According to our estimate, more than 50% of organizations in the United States do not have a third-party information security risk program.

Some of the reasons you may end up in this category include:

  • Not knowing any better.
  • Not knowing where to start.
  • You’ve tried before and failed or gave up.
  • You don’t see the value in establishing a good third-party information security risk management program.

If you’re in this category, what legitimate justification do you have?

If the numbers don’t lie, then you can assume that a data breach will happen by, or through, one of your third-party providers. An estimated 60% of all data breaches are caused by third-parties— directly or indirectly.  Your decision to not account for this significant risk is difficult to defend against in the court of public opinion, the court of law, or the court of regulatory compliance.

The bottom line is; not doing anything to address third-party information security risk is not defensible. It would a difficult defense to claim that you didn’t know. Either you did know and you’re not being truthful about it, or you legitimately were ignorant to how important this is. Both are bad defenses when trying to explain how and why you were breached. You’re admittedly and willingly avoiding one of the most significant information security risks facing your organization.

Painful

vendor-risk-management-program-categories-painful

This second category is organizations that are doing some type of vendor risk management, but it’s a painful process. This category is typically comprised of organizations who either want to do the right thing or are being forced to do the right thing.

Want to do the right thing

These are mostly well-run organizations that want to secure information because it’s the right thing to do in their opinion.

Forced to do something

These organizations are being pushed or forced into implementing a third-party information security risk management program by one or more regulatory (direct and/or indirect), legal, or contractual requirements.

The Typical Painful Approach

Regardless of why the organization has implemented a third-party information security risk management program, the program is painful. It is usually wrought with subjectivity, inefficiency, ineffectiveness, and disorganization.

Here’s a typical real-world example of a painful program. A person within the organization has been appointed as the “Vendor Risk Manager.” She begins by developing a policy and a process. The process includes vendor on-boarding, some training, and questionnaires. She inserts the first vendor into the newly designed process and quickly finds that there are some serious pain points:

  • She must run and maintain the entire process.
  • She doesn’t know each third-party provider, what they do for the organization, or how much information they have access to. The upfront research she needs to do is cumbersome and disruptive to her other duties. She tries to get the business to help, but the business views the process as a hindrance and isn’t enthusiastic about helping.
  • She sends questionnaires out to third-party providers with the best contact information she can find, but many of the questionnaires end up going to the wrong people. Some questionnaires even go to the wrong third-party provider.
  • Most of the third-party providers don’t really want to complete the questionnaires, and when they do, the subjective nature of the questions is interpreted in the best possible light for the provider, not the company trying to assess risk.
  • Tracking which questionnaires that were sent to which third-parties is difficult.
  • Following up with third-parties to get their questionnaires completed is often inconsistent or forgotten altogether.
  • Addressing third-party questions about the process and about how to complete questionnaires is time-consuming.
  • Reviewing each questionnaire and marking them for remediation is subjective and inconsistent.
  • Fighting with third-party providers for remediation of specific risks (or perceived risks) is contentious and draining.
  • Fighting with the business leaders within the company is useless.

Eventually, the third-party information security risk program falters as employees and vendors think it as more of an inconvenience than a way to improve the organization. If it’s made too painful for the vendors, they may even choose not to do business with our organization.

The painful approach is expensive and a waste of valuable resources. 

Partial

vendor-risk-management-program-categories-partial

The partial approach is where organizations end up if they either don’t fully understand information security risk or don’t care if they’re not addressing information security risk well. These organizations often ask for things from a third-party that don’t specifically address risk or attempt to employ an easy button that only addresses a part of information security risk.

Ask for Things

Are you an organization who asks for something like a SOC 2 report or maybe ISO certification?

Asking for these things just so that you can check it off a list is not sufficient.  It’s important to read the reports and certification documents to make sure they address which risks are applicable to you and your work with the third-party. The motivation for the third-party in obtaining these things is to do as little as possible to obtain the report or certification. They are motivated to narrow the scope and get to a passing grade as quickly and cheaply as possible.

This may or may not sufficiently address third-party information security risk, and needs to be properly vetted before the box is checked. Businesses who ask for things and don’t vet the responses are only practicing partial vendor risk management.

Easy Button

A popular partial option used by many organizations is to employ an easy button. There are products and services on the market today that pose as third-party information security risk management tools, but only address one or two parts of information security risk. The most popular of these easy buttons are threat monitoring tools, security ratings tools based on external and/or internal vulnerability(ish) scans, and continuous monitoring solutions.

Each of these tools are good at addressing one part of information security risk— most often external technical risks.

But information security risk is more than just external technical risks. Information Security is managing risk to information confidentiality, integrity, and availability, using administrative, physical, and technical controls.

How do we address physical risk? After all, it doesn’t matter how well our firewall is operating if someone can steal our server.

People are often our biggest risk. It’s important that information security programs take administrative controls into account to mitigate the human error of information securirty.

The easy button solutions work well for the easy parts of information security, but they leave out the most significant risks. Use them for what they’re good at, but don’t assume you’ve got yourself covered if they’re all your using.

The partial approach is incomplete and leads to a false sense of security, which is sometimes worse than no security at all.

Good

vendor-risk-management-program-categories-good

A good third-party information security risk program is one that doesn’t compromise any part of our previous definition of third-party information security risk. It conducts its information security program in a manner that is simplified, standardized, and defensible.

Simplified

The simplest approach to third-party information security risk management is one where all third parties are vetted, and where vetting is done in a consistent and objective manner.

Simplified and easy are not the same. Simplified means that there isn’t any waste, and everything in the program has a specific purpose. The components must all work seamlessly together and processes must be streamlined.

In the simplest sense, a good third-party information security risk management is made up of five components;

  • Policy (and supporting documentation)
  • Inventory
  • Classification
  • Assessment
  • Treatment

Standardized

A good third-party information security risk management program must be standardized. The same process must be followed every time. It’s not that we don’t continually refine and improve the program, it’s that we do so in a manner that is planned and consistent. In order to ensure standardization, the following must be true:

  • All third-parties must be assessed for inherent risk the same way.
  • All third-parties must be assessed for residual risk the same way.
  • Inherent and residual assessments must be objective.
  • Risk scoring must be consistently applied.
  • Thresholds must be set for all third-parties; driving risk treatment decisions.

Standardization can be achieved through rigid processes, but that could easily defeat our efforts to simplify. The best way to standardize is to use automation. Automation ensures that specific business rules are applied in a consistent manner, and it removes the non-standardization that often comes with human behaviors and decision-making.

Defensible

No matter what we do, we cannot prevent all bad things from happening. We live with a certain amount of risk, and there is no feasible way to eliminate it all. Organizations must consider how to defend themselves against the potential onslaught of regulatory investigations, civil suits, and loss of revenue.

Nobody expects a perfect approach to third-party information security risk management, but everyone should expect a reasonable approach to third-party information security risk management. Terms like due care, due diligence, and reasonable (or prudent) person are all very important when it comes to defensibility.

We aren’t lawyers, so we’ll borrow from publicly available sources to define these terms.

  • Due care refers to the effort made by an ordinarily prudent or reasonable party to avoid harm to another, taking the circumstances into account. It refers to the level of judgment, care, prudence, determination, and activity that a person would reasonably be expected to do under particular circumstances.
  • Due diligence in a broad sense refers to the level of judgment, care, prudence, determination, and activity that a person would reasonably be expected to do under particular circumstances.
  • Reasonable or Prudent man is a hypothetical person used as a legal standard especially to determine whether someone acted with negligence. This hypothetical person exercises average care, skill, and judgment in conduct that society requires of its members for the protection of their own and of others’ interests. The conduct of the reasonable man serves as a comparative standard for determining liability.

It seems perfectly reasonable for a person to establish a third-party information security risk management program according to the terms that we’ve defined. It’s easier to make the case that you practiced due care, which makes you more defensible.

Doesn’t Compromise

The last characteristic of a good third-party information security risk management program is that it doesn’t compromise what we define as information security or risk.

If we’re going to call it a third-party information security risk management, or something similar, it must account for information security risk. If we’re going to address only technical controls or the technical aspects of information security risk, then call it something like third-party IT risk management or third-party cybersecurity risk management. These things are different. The differences may seem subtle in wording, but they are monumentally different in practice. There are no shortcuts in third-party information security risk management, we must account for administrative, physical, and technical controls or aspects.

A good third-party information security risk management program accounts for administrative, physical, and technical risk.

Take Action

Almost all organizations fit into one of four categories when it comes to managing the data risk their vendors pose— none, painful, partial, or good.

If you need assistance in determining where your vendor risk management program sits, and how you can help to make your organization more simplified, standardized and defensible, schedule a demo.