Monday, February 16, 2015

Third party / vendor management - due diligence standards



Third Party Due Diligence Standards

Things every organization should look at when conducting initial or annual due diligence on a vendor/client.

The third party's controls must meet or exceed the controls required by PCI and must also satisfy GLBA compliance requirements.


The GLBA Safeguards Rule requires all financial institutions to have security plans in place to ensure the confidentiality and integrity of customer data. An Information Security Plan must make use of the following:




  • Administrative safeguards, such as employee oversight and training;
  • Physical safeguards, such as restricted access to hardware and disaster recovery plans;
  • Technical safeguards, such as firewalls, encryption, access controls and secure computer networks.


Safeguards must be implemented in proportion to the scope of, and the risk to, the institution and the information it handles. Furthermore, the Safeguards Rule requires that an employee be designated to oversee the development and coordination of security in the institution.




The following areas should be reviewed during the due diligence process.




Incident Response


Incident response is an organized approach to addressing and managing the aftermath of a security breach or attack (also known as an incident). The goal is to handle the situation in a way that limits damage and reduces recovery time and costs. An incident response plan includes a policy that defines, in specific terms, what constitutes an incident and provides a process that should be followed when an incident occurs.


The incident response document should include the following:

  • Define an incident response team with assigned roles and responsibilities
  • Categorize or identify what types of detected activities require incident response
  • Define incident response investigation and validation requirements. For example, all administrative and/or privileged activities must be logged, including date, time, activity performed and any suspect information identified.
  • Define evidence gathering and handling techniques that will be used as part of the response activity
  • Define a containment strategy and who has the authority to make critical or business-impacting decisions when a breach has occurred. Time is critical; waiting for executive approval could be costly.
  • Define requirements for who must be contacted, and within what time period that contact should occur, when reporting a compromise or breach.
  • Include requirements to use an association-approved forensics vendor, listed or referenced within the document
  • Reference the creation of a formal incident report. Include historical tracking, training and lessons learned.
  • Include a schedule for the plan to be practiced and reviewed.
  • Assign responsibility for creating and distributing security incident response and escalation procedures.




Information Security


A security policy is a document that states in writing how your organization protects the company's physical and logical information technology assets. A security policy is often considered to be a "living document", meaning that the document is never finished but is continuously updated as technology and employee requirements change. A company's security policy may include an acceptable use policy, a description of how the company plans to educate its employees about protecting the company's assets, an explanation of how security measures will be carried out and enforced, a procedure for evaluating the effectiveness of the security policy, and the steps taken to ensure that necessary corrections will be made.


The Information Security Policy should include the following:


  • Define access controls for device management (routers, firewalls and switches)
  • Define roles and responsibilities
  • Define the process followed for user creation and modifications
  • Define the process for removing/disabling user accounts immediately upon termination
  • Define the requirements that all employees and contractors sign an acceptable use policy
  • Define the requirements that all employees and contractors sign non-disclosure agreements regarding confidential information
  • Define server hardening procedures
  • Define system patching procedures and schedules
  • Define logging requirements for all critical systems as well as review retention requirements
  • Define authentication requirements
  • Define a formal access approval process
  • Define the requirements that criminal background checks are performed on employees
  • Define the frequency for penetration tests and location of documented results
  • Define anti-virus standards including actions to be taken when a virus is detected
  • Define the risk management program
  • Categorize data based on sensitivity
  • Define due diligence performed on third parties
  • Define data encryption requirements
  • Define encryption key management requirements
  • Define remote access procedures
  • Define a log and firewall review schedule
  • Define automated alerts on security, logging and monitoring systems
  • Define the requirement that security awareness training is performed annually
  • Define data retention and destruction procedures
  • Define how visitors are identified and logged
  • Define data center environmental controls
  • Define how facility entry points are secured, including the use of cameras to monitor sensitive areas and the retention plan for the recordings
  • If wireless is used, define the strong authentication and encryption in place for wireless and mobile devices
  • Define the process for inventorying and reviewing all computer equipment maintained



Business Continuity


Business continuity describes the processes and procedures an organization has in place to ensure that essential functions will continue during and after a disaster. Business contingency planning seeks to prevent interruption of mission-critical services and to recover as swiftly and smoothly as possible. A document review and update should occur at least annually or as systems are modified and/or enhanced.




The business continuity plan should include the following:

  • Include a risk analysis or a reference to the risk assessment in the document
  • Include a Business Impact Analysis in the document
  • Define redundant processes that are in place to continue business
  • Define roles for all crisis management team members
  • Define cross-training in the plan
  • Define the BC/DR testing, including the frequency of the test (at least annually), and make sure the results are documented
  • Define communication responsibilities for clients and staff
  • Document the locations covered by the plan, including data center locations
  • Document that backup recovery testing occurs annually




Change Control


Change control is a formal process used to ensure that changes to a product or system are introduced in a controlled and coordinated manner. It reduces the possibility that unnecessary changes will be introduced to a system without forethought, introducing faults into a system or undoing changes made by other users or software. The goals of a change control procedure usually include minimal disruption of services, reduction in back-out activities, and cost-effective utilization of resources involved in implementing change.




The change control procedure should include the following:

  • Define how infrastructure and software changes are documented and formally approved
  • Define the user acceptance testing process
  • Define how changes are tested in a separate user acceptance testing (UAT) environment prior to implementation in production
  • Define the documented back-out procedures required for changes
  • Define segregation of duties
  • Define change release cycles
  • Define the process for emergency changes




Risk Assessments


An effective risk management process is an important component of a successful IT security program. The principal goal of an organization's risk management process should be to protect the organization and its ability to perform its mission, not just its IT assets. Therefore, the risk management process should not be treated primarily as a technical function carried out by the IT experts who operate and manage IT systems, but as an essential management function of the organization.


Risk assessments are an important part of assessing your organization's controls and overall security.


The risk assessment should include the following:


  • A clearly defined process for assessing and scoring the threat likelihood, the business impact, the controls in place, and the residual risk remaining after accounting for control effectiveness. If the residual risk score exceeds the defined acceptable risk level, a remediation plan, including the proposed additional controls needed, should be included.
  • Assessments should include all methods of handling customer information, including:
    • Access, Collection, Storage, Use, Transmission and Disposal
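The scoring process described above, worked through as an added example that is not part of the original post: each risk item gets a likelihood and impact score, the controls in place reduce the inherent risk to a residual score, and any item whose residual risk exceeds the acceptable level is flagged with the minimum control effectiveness a remediation plan would have to reach. The 1-5 scales, the acceptable risk level and the sample register are constructed for illustration.

```python
"""Residual-risk scoring for a vendor due diligence risk assessment (added example)."""
from dataclasses import dataclass

ACCEPTABLE_RISK = 6  # assumed risk appetite on the 1-25 inherent-risk scale


@dataclass
class RiskItem:
    handling_method: str          # Access, Collection, Storage, Use, Transmission, Disposal
    threat: str
    likelihood: int               # 1 (rare) .. 5 (almost certain)
    impact: int                   # 1 (negligible) .. 5 (severe)
    control_effectiveness: float  # 0.0 (no control) .. 1.0 (fully mitigating)

    def inherent_risk(self) -> int:
        return self.likelihood * self.impact

    def residual_risk(self) -> float:
        # Controls in place reduce the inherent risk in proportion to their effectiveness.
        return round(self.inherent_risk() * (1.0 - self.control_effectiveness), 1)


def assess(register, acceptable=ACCEPTABLE_RISK):
    """Return (item, residual_score) for every item above the acceptable level."""
    return [(item, item.residual_risk()) for item in register
            if item.residual_risk() > acceptable]


def required_control_effectiveness(item, acceptable=ACCEPTABLE_RISK) -> float:
    """Minimum control effectiveness that brings residual risk within tolerance."""
    if item.inherent_risk() <= acceptable:
        return 0.0
    return round(1.0 - acceptable / item.inherent_risk(), 2)


# Constructed sample register spanning the customer-information handling methods.
SAMPLE_REGISTER = [
    RiskItem("Transmission", "Customer files sent to vendor over unencrypted channel", 4, 5, 0.9),
    RiskItem("Storage", "Backup media stored unencrypted at offsite facility", 3, 5, 0.2),
    RiskItem("Access", "Terminated vendor staff retain active accounts", 3, 4, 0.5),
    RiskItem("Disposal", "Decommissioned disks not wiped before disposal", 2, 4, 0.95),
]

if __name__ == "__main__":
    for item, residual in assess(SAMPLE_REGISTER):
        need = required_control_effectiveness(item)
        print(f"{item.handling_method}: residual {residual} > {ACCEPTABLE_RISK}; "
              f"remediation must raise control effectiveness from "
              f"{item.control_effectiveness} to at least {need}")
```

Only the Storage item is flagged (residual 12.0); the Access item sits exactly at the acceptable level and is not, which is the boundary a written acceptance criterion needs to state explicitly.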


The following publications can be used to assist in the development of the program.








CVV/PIN Generation Policy (Processors only)


Section 3.2 of the PCI DSS standard spells out specific requirements for CVV and PIN generation. CVV and PIN values are among the items that must not be stored and must always be generated. The CVV/PIN generation policy should include:


  • Describe the equipment and methodologies used to ensure PINs are kept secure
  • Define the key creation and key management procedures
  • Define how keys are conveyed and/or transmitted
  • Define the process used to administer keys
  • Define the process used for key loading to hosts and PIN entry devices
  • Define how unauthorized key usage is prevented or detected
  • Define the manner in which equipment used to process PINs and keys is managed
  • Define key storage and management procedures
  • Define whether PINs or CVV/CVV2 values are stored anywhere on the network, how any such storage is detected, and how it is prevented in the future




SSAE16


The following information and controls should be included in this document.


  • An Information Security Policy exists and has been approved by an appropriate level of executive management
  • Procedures exist and are followed to authenticate all users of a system (both internal and external) to support the existence of transactions
  • Procedures exist and are followed relating to the timely action of requesting, establishing and issuing user accounts
  • Procedures exist and are followed relating to the timely action of suspending and/or changing user accounts
  • A control process exists and is followed to periodically review and confirm access rights
  • IT security staff monitors and logs security activity at the operating system, application and database levels and identified security violations are reported to senior management
  • Access to facilities is restricted to authorized personnel and requires appropriate identification and authorization.
  • Requests for program changes, system changes and maintenance (including changes to system software) are standardized, logged, approved and documented, and are subject to formal change management procedures
  • Emergency change requests are documented and subject to formal change management procedures
  • Controls are in place to restrict migration of programs to production to authorized individuals only
  • The organization has a system development life cycle (SDLC) methodology, which includes security and processing integrity requirements for the organization.
  • Post-implementation reviews are performed to verify that controls are operating effectively
  • A testing strategy is developed and followed for all significant changes in applications
  • The organization has policies and procedures regarding computer operations which are periodically reviewed, updated and approved by management
  • Management protects sensitive information – logically and physically, in storage and during transmission – against unauthorized access or modification
  • Management has implemented a strategy for critical backup of data and programs
  • The restoration of information is periodically tested

