RISK MANAGEMENT: DATA PROTECTION AND THIRD PARTY VENDORS
By: Lisa Marie Waugh, MJ
Corporate Intelligence Consultant
A Third Party Vendor is a vendor or supplier that is involved in the processes, services or goods that a business (the “Primary”) provides or sells to another party (the “Client”) but is not a party to the agreement between the Primary and the Client. In fact, the Client normally does not even know that a third party is involved in the production of the goods or services.
REQUIREMENTS AND REWARDS
In today’s market, it can be virtually impossible to avoid using third parties. For example, there are laws that require larger organizations to use small businesses (minority companies) and regulations requiring an independent party (a Third Party Vendor) to audit financial records (see the Sarbanes-Oxley Act, aka SOX). Rapid growth and innovation put organizations in a position to prosper by using Third Party Vendors.
Tasks that would drain an organization's resources or that would not be cost-effective can be outsourced. Often, certain tasks and projects will require outsourcing because the organization lacks viable internal resources.
For the protection, internal checks and balances, and growth of an organization, it is beneficial to contract with a Third Party Vendor to ensure the organization functions with the utmost efficiency, accuracy and protection, so that it can compete successfully in our ever-changing, fast-paced global market. These benefits sit alongside the laws and regulations that require Third Party Vendor audits, as noted above.
The risks involved with Third Party Vendors seem endless: the more potential issues or events you identify and research, the more elements of risk appear.
The main driver of risk in using Third Party Vendors is the exposure of data belonging to both the Primary and its Clients. Not only could protected and regulated information be exposed, such as payment card information (see PCI DSS) or medical information (see HIPAA), but also strategic internal business information (internal development, mergers, incoming/outgoing employees). Obviously, such data breaches and exposures cause not only financial loss but brand damage as well. Additionally, internal and external investigations will most likely follow a breach, which can result in the loss of employees, resources and, of course, income.
The release of private information (PHI, PII, PCI and strategic internal business information) to a Third Party Vendor can be nerve-wracking for an organization and for those with the authority to release it, as it should be. An organization that is entrusted with such information has a duty not only to safeguard the data it holds but also to determine whether it has the authority to disclose that information to a Third Party Vendor, and then whether that Third Party Vendor is trustworthy. Such authority to disclose or transfer information should be obtained in writing.
Human error is the leading cause of errors and breaches.
SUPPORT OF APPETITE
There is no reward without some form of risk. Some organizations are in the business of taking greater risks than most, but regardless of appetite, there must be dedicated, managed support from high-ranking official(s) in the organization.
RELIANCE ON AUTOMATION TOOLS
Automation tools are used for an array of services, but primarily to identify, organize and analyze risks and potential issues in order to mitigate or transfer the risk(s). They are also very useful for tracking the use of vendors throughout an organization, especially should a negative incident occur, provided identifying controls are in place. Yet, from experience and applying logic, there will probably never be an automated tool that can replace the human ability to connect the dots, or the gut feeling that something is dishonest or misleading. This is due to many factors, such as human networking and instinct, as well as exposure to information the software cannot access. Using both automation tools and human oversight together will strengthen any organization's proactiveness and transparency, decrease liability and mitigate risks.
There tend to be a lot of rogue employees trying new apps or downloading collaborative software and, in turn, disclosing PII or strategic internal business information (or both). This is due to a lack of training, guidance and oversight. Additionally, IS can be overloaded and lack the appropriate tools and resources to keep up with the vetting of new vendors.
Being a proactive steward of data protection and vetting Third Party Vendors will save an organization valuable time, resources and, of course, money. It will also free the organization to focus on developing its business and growing with the global community. But retain control and management of your data regardless, because shifting the liability and transferring the risk will not absolve an organization from liability.
KNOW YOUR DATA
It is worrisome that so many organizations do not even know what data they have, or what data of theirs their suppliers/vendors (and their vendors in turn, i.e. fourth party vendors) hold. As noted above regarding unauthorized vendors, a lot of control over rogue employees can be exerted through compliance programs, training and the monitoring of subordinates by managers and directors.
If an organization cannot easily identify the data it has, then it is time to start auditing and mapping. Start with the departments and points of contact where such data would be obtained and stored (i.e. HR, Sales and Marketing, IT/IS). There should be a book of record for each department covering the vendors used and approved, what data is exposed, contract terms, business owners, etc.
Thankfully, we are living in a more privacy-driven world, regardless of social media and the internet (yes, this is a bit of an oxymoron).
KNOW YOUR VENDORS: VETTING, ASSESSING, AND MONITORING THIRD PARTY VENDORS
Due Diligence. Due Diligence. Due Diligence. (Not: Deny. Deny. Deny)
Develop security practices and implement them in both compliance and risk management programs.
The SIG: There are many tools available to vet and assess Third Party Vendors. When it comes to Information Security, the best-practice leader is presently the ISO SIG 27001 (aka SIG, SIG LITE). The SIG is about 1,000 questions designed to give detailed insight into an organization's security posture. The SIG Lite is about 100 questions, designed to give a broader overview of an organization's security posture. A lot of organizations maintain their own completed SIG and distribute it upon security requests. Caveat: there will normally be a lot of pushback on completing a blank SIG, and even on requesting that an organization send its own SIG. Some organizations obtain an ISO certification through ISO-authorized agencies (but this is rare). However, even with the ISO certification, a thorough IT Security audit will require the documents that were used to accomplish the ISO certification.
Unfortunately, an organization will experience pressure and pushback from its own staff when SIG requests are involved. This should be handled through a regimented chain of command, coaching and re-training (and, if necessary, documentation of blatant, reckless pushback by employees).
Business Owners, Managers and IS should also be involved in the monitoring of Third Party Vendors. Each department should be required to maintain a log or book of record documenting the vendors used.
“As long as it is legal you can add it in the language,” a lawyer taught me.
Time and again, there are clueless resources negotiating and executing contracts. Then there is the value method, wherein not much caution, oversight or even insight is given to a contract if it is under a certain amount of money; this is just as bad as not knowing which contracts are binding an organization and not having a contract management system. Alarmingly, a lot of organizations are living in this nightmare, and you do not want to be a part of it.
IT security, maintenance, what data is involved, data access, storage and location should all be covered in the contract, along with a restatement of the information used to vet the Third Party Vendor and on which the service/product agreement is based.
Compliance programs should lay out the path for employees' and contractors' use of approved (i.e. vetted) Third Party Vendors. Business owners, managers and directors should be able to manage their subordinates' access to websites, software programs and other media sites, as well as their ad hoc use of vendors. It is important to note that it is common to use ad hoc vendors for one-off projects (common with agile methods) or in emergency situations, wherein the normal course of vetting is not feasible, logical or even available. Thus, secondary measures/controls should be in place for such instances. Processes should be in place for onboarding a new Third Party Vendor.
There should also be a special process team for the event of a wayward high-level executive or board member.
It is beneficial to have internal liaison(s) (or external ones, for that matter) work with internal and external clients to advise on operational and legal risks, to mediate and track the project(s) or programs, and to be the front line that pacifies and negotiates situations in order to obtain the requested/required due diligence (aka corporate influence and intelligence). This liaison is separate from a project manager. Any executive should be able to reach out to this liaison and find out what a vendor does for the organization, what data of the organization's the vendor holds, etc.
LIFE CYCLE – DATA DESTRUCTION
Just as it is important to know who has what data and when, it is equally important to know what happens to the data when an agreement or relationship ends. It is typical to require viable proof of the destruction of such data, and to include such language in contracts or agreements.