The recent SolarWinds and Microsoft security issues remind us of the importance of Third-Party Risk Management (“TPRM”). If your organization is using a one-scorecard-fits-all approach to TPRM, you may be wasting resources and missing critical vulnerabilities. Using FAIR™ principles ensures the right questions are being asked and meaningful controls are selected, tested and reported.
Applying the FAIR quantitative analysis methodology to my view of risk management opened my eyes to significant problems and inefficiencies in the standard approach used to develop expensive independent attestations such as Service Organization Control (“SOC”) reports and penetration tests.
Donna Gallaher, CISSP, C|CISO, CIPP/E, CIPM, FIP, OpenFAIR, chairs the Atlanta Chapter of the FAIR Institute and serves on the Institute’s Board of Advisers. She is President & CEO, New Oceans Enterprises, LLC, providing fractional and virtual CISO services, board advisory services and strategic planning.
Too often, the attestation process fails to address the assets and threats associated with an organization’s products or services. This leads to follow-up requests for information that waste resources for everyone involved in the due diligence process. Incorporating FAIR principles into Third-Party Risk Management programs improves the quality of due diligence assessments of vendor-provided artifacts and will make you a hero to the business.
Understanding the Service and Probable Loss Scenarios
Chief Information Security Officers (CISOs) strive to build a culture of security within their organizations, but how to accomplish this aspiration is a challenge. The FAIR methodology achieves the goal by stimulating discussions with the business leaders to define and scope probable loss event scenarios. Credibility and teamwork are established through the process by placing the CISO in the desired advisory role assisting the business leadership in managing departmental risk. The first step in FAIR methodology is to define the service being provided, the assets shared between the customer and the vendor and the threat community involved in the product or service.
Service Organization Controls or “SOC reports” are commonly used as an independent assessment of a company’s security program effectiveness. The “Service Description” section of the SOC report describes the service provided, assets at risk, threats and probable loss scenarios associated with the product or service.
Vendor screening requests from business owners as part of a Third-Party Risk Management program should identify the data and/or assets the vendor has access to, the personnel with access to the assets, and the processes and technology involved in delivering the product or service.
Other questions to ask in the due diligence process include:
- Roughly how many people from the vendor’s organization have access to our assets?
- Do contractors or other third parties have access to our assets?
- How many records or assets are shared with the vendor and what is their value?
- What level of access is appropriate for the vendor to perform their function?
- What loss events are most likely for this product or service?
Once the department managers understand where their risks are, reviewing vendor documentation will become an eye-opening experience, and serve to more fully engage the business in the risk management process.
Putting Context into the Scenarios
Each loss scenario developed in the scoping exercise should describe whether confidentiality, integrity or availability of the service is at risk. This allows the reviewer to add context to the independent auditor’s report when assessing the overall vulnerability to the loss scenario. For example, a company with redundant internet connections from different internet service providers is less at risk of losing availability of service than a company with a single carrier. Similarly, if a company relies on a critical component for the manufacture of its product, the company should identify alternate sources.
Risk to the availability of service also depends on the number of defenses along the cyber kill chain. An organization that relies on a single control is more vulnerable than a company with several layered controls insulating the organization against a particular loss event.
Improper Service Offering
When performing a due diligence review, it is important to confirm the documentation provided by the vendor addresses the controls for the specific product/service used by the company. The controls tested in an independent review of a security program include both enterprise-wide and product-specific controls.
Although the enterprise-wide controls such as workforce management, threat intelligence and knowledge exchange strategy may be meaningful, the product-specific controls such as Software Development Life Cycle (“SDLC”) processes from a company providing more than one software product may or may not be applicable to the services the company is receiving from the vendor. The SOC report or other independent assessment should describe which product or service lines were included in the evaluation.
Understand Regulatory Requirements
Regulatory compliance is one of the business drivers behind an organization’s security strategy. The independent attestation report should describe the regulatory requirements for the jurisdictions in which the company operates. Even if the company is not directly impacted by a regulation in its own jurisdiction, the company can still be impacted if one of a critical vendor’s other customers causes the vendor to become embroiled in a regulatory or legal compliance problem.
For companies whose security programs and SOC audit reports are heavily geared towards technology controls, recent privacy legislation like GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act) can be a sucker punch that the company never saw coming. Particular attention should be paid to direct marketing and sales efforts, since new privacy regulation has drastically affected the requirements for the vendors supporting those functions. In some cases, a complete product/service redesign is needed to anonymize or pseudonymize data exchanges between customer and vendors, respond to customer privacy rights inquiries and produce mandatory compliance reports to regulators, or else face heavy regulatory fines.
Improper Control Selection
Tests on security controls that have minimal impact on the loss scenario provide minimal value to the due diligence reviewer. Even large accounting firms that routinely produce attestation reports for their audit clients can sometimes fail to address the true risks associated with the products and services in their control selection.
A TPRM program that uses the SOC report as a vanilla compliance check for due diligence screening is missing a valuable risk management opportunity. The audit firm should ensure that the selection of the controls tested reflects the assets, threats and probable loss scenarios related to the company’s service description. Otherwise, the audit is a waste of resources because it fails to provide customers with independent assurance of the security program.
For example, one of my client’s key partners relied heavily on subcontractors to deliver the service. Reviewing the client’s information security policy and SOC report revealed that the audit tests were only performed on employees. No information was available on the background screening, training or monitoring of their critical subcontractors. Furthermore, these subcontractors used internally developed proprietary software and technology as part of the service. The SOC report contained no references to secure software development or testing controls.
Although this partner organization provided a “clean” SOC report in their due diligence response, assurance of an effective security program was impossible. The partner who invested significant time and money on the audit to produce this report for my client had to expend additional resources addressing the follow-up questions.
Improper Organization
“Improper Organization” is the term for an assessment performed on one organization while the service contract is with a different division or organization. Each time I encountered this problem in TPRM reviews, a red flag went off for me as an indicator that the organization didn’t understand the risk associated with their product/service, and it prompted me to ask more questions.
Independent attestations are not supposed to be aspirational; they should reflect the controls in place for the company performing the service. For example, the company contracted to provide a product or service may be acquired by a larger company with a more established security program. The SOC report of the parent company may be provided in subsequent due diligence responses to make the security program look better, but it does not accurately represent the state of the security program for the company delivering the product or service.
I will share a short story to tie these concepts together. I previously served as a risk management executive in a company with a low-margin, high-volume business providing commodity services in numerous service lines.
Due to our limited resources, we were only able to include a subset of the company’s portfolio of products for assessment each year to help manage costs. As a result, the annual SOC 2 report the company provided to customers did not reflect all the products the company provided, which limited its usefulness to customers in the product lines that were not tested by the auditors. The limited staff in the risk management department struggled to respond to all the follow-up requests from the company’s customers.
To address the gap, the company assembled an “FAQ” that included significant detail covering the assets, threats and loss scenario discussions to satisfy the customer inquiries. We also produced a penetration test summary for each of the service lines not included in the annual SOC report. This supplemental information was enough to provide the customers with reasonable assurance regarding the state of the security program and provided more time for our internal resources to focus on their regular responsibilities.