Security blog

Manage Operational Risk Like a Bank!
posted: 08 June 2009 by Eric Tompkins
 

See more articles in the Security blog

There is no contractual verbiage that absolves you of the responsibility and accountability for the security of the information residing with your vendors. It will be your name that clients remember a year after a security breach; not the name of your negligent vendor.

During 2007, it is estimated that as many as 5 pieces of sensitive customer data were lost or stolen every second amounting to more than 162.5 million records. One study, conducted over four years, found almost half of data breaches implicated business partners.

Extending Security Controls to Privileged Third Parties

Today’s extended enterprises include third parties and business partners that often have privileged access to your customers’ sensitive data. Examples include service providers, webhosting, data processing, contractors, outsourcers, supply-chain nodes, consulting services, and travel services.

Organizations have increasingly turned to service providers to supplement and complement service delivery and business operations. According to the IT Compliance Institute, the second most important movement in 2008 in IT security is extending security controls to privileged third parties. “Scores of information breaches have been tied to such privileged third parties over the past several years, but third-party security has generally remained peripheral to managerial focus. In the next year, managerial confidence in internal information security, coupled with ample documentation of policies and procedures, will allow managers to contractually enforce security controls across broader business relationships,” said Cass Brewer, Editor and Research Director for the IT Compliance Institute.

A program aimed at classifying and evaluating third party risk allows IT managers to monitor and verify security controls contracted to business vendors.

The CIBER Approach

Business functionality in our current information-driven world often requires sharing data with organizations and individuals that may include partners, service providers, and other organizations need to ensure that their data is protected, even when it is in the custody of a third party. Many of our clients network with of hundreds of third party vendors, and a large percentage of those have access to sensitive corporate information in one way or another. With CIBER’s Third Party Risk Management service, CIBER helps you identify and manage the risks associated with third parties.

CIBER’s turn-key service evaluates third-party vendors to determine:

• which third parties interact with sensitive corporate data
• how they are handling, protecting and securing your data—the data itself as well as the infrastructure processing, storing, or transmitting it
• whether they maintain acceptable security controls, adhere to your security requirements, applicable regulations, and contractual obligations
• the level of risk each third party represents to your company and/or your data.

All forms of sensitive data are addressed by this service including customer data, intellectual property, non-public personal information (NPPI), personally identifiable information (PII), sensitive personal information (SPI), electronic protected healthcare information (ePHI), credit card data, account information, and services and transaction data. For information covered by privacy and security regulations, CIBER’s service helps clients ensure that regulatory requirements are being fulfilled by their service providers and business partners.

Classifying, Evaluating and Correcting

The service begins with the classification of your vendors based on the sensitive data that is accessed, stored or processed as part of your business relationship. Next, CIBER evaluates the level of risk posed by each vendor. In this step, we evaluate the security practices of the third-party vendors to determine if they meet your security requirements or accepted standards, such as ISO 27002 or applicable regulations. With security issues documented, the Security Practice provides corrective actions to the vendor for reducing identified risks. Vendor remediation efforts are tracked to ensure the corrective actions are addressed satisfactorily. Since security is an ongoing process, CIBER’s service provides annual reviews of each vendor and updates their risk status.

The Third Party Risk Management service can be customized to meet business and security needs regardless of industry or business model. CIBER is currently performing Third Party Risk Management for clients in the banking, financial services, healthcare, and retail industries. We have performed similar risk assessments for other clients in the banking and government sectors.

Services
Application Development
& Management
 
Business Intelligence / Data Warehousing
IT Outsourcing
IT Security Solutions
Mobility Solutions
Physical Security Solutions
Quality Assurance & Testing
Service-Oriented Architecture
Supply Chain
Global Solution Centers

ERP/Package Solutions
Customer Relationship Management
Lawson
SAP
Oracle
 · Oracle E-Business
 · Oracle PeopleSoft
 · Oracle JD Edwards
Technology Solutions
CRM | ERP | SCM

Industries
Charities & Not-for-Profits
Consumer Products & Retail
Energy & Utilities
Financial Services
Food & Beverage
Government: Federal
Government: State & Local
Healthcare & Life Sciences
Higher Education
K-12 Schools
Manufacturing & Mining
Telecommunications
Transportation
Travel, Sport & Leisure

Service Finder Tools
Alphabetical Sort
Line of Business Sort
Industry Sort
Services Map