By Latha Sunderkrishnan
Latha Sunderkrishnan (CISA, ISO27001 LA, COBIT 5 Foundation) is an Executive director at Valsec solutions India, http://valsecsolutions.com/. She is an Electronics Engineer with more than 20 years of experience in IT with various multi-national organizations working with a wide variety of technologies. She has worked in Information Security Audits and Consulting, Information Security trainings, Project Management, Quality Assurance and Customer Support. She can be reached at lsunder@hotmail.com or lathasunderkrishnan.valsecsolutions.com
1. Introduction
Companies today have third party contracts with various vendors. Most of the process are outsourced to various companies. This is the most convenient and flexible way to work, so that overall management activities are limited to just vendor management alone. The quantum of work that is outsourced to third parties include not just IT, data management and security providers, but also facilities management (cleaning HVAC – Heating, Ventilation and Air Conditioning) along with any vendor that may have access to network, data or facilities. However, outsourcing to third parties comes with significant risks such as adverse vendor incidents, and sometimes even penalty from regulators.
In today’s paperless and highly competitive environment, it is in the interest of the company to safe guard its information Therefore it becomes imperative that the company does everything to manage and maintain its IT infrastructure. This means a need to evolve a Vendor Risk Management, which will look at various aspects of information security associated with the vendor. This would include management of risks right from identifying the vendor, contract management, risk management, Business continuity plans etc. Managing external vendors should be a key competency for every enterprise and can lead to optimally mitigated risk and significant benefits.
In order to establish an effective vendor management process with goals and objectives, the enterprise needs to ensure the following:
- Vendor management strategy is consistent with enterprise goals.
- Effective cooperation and governance models are in place.
- Service, quality, cost and business goals are clearly defined.
- All parties perform as agreed.
- Vendor risk is assessed and properly addressed.
- Vendor relationships are working effectively, as measured according to service objectives.
2. Approach
- A Risk assessment needs to be done for choosing the vendors. The controls implemented need to be evaluated and if need be the policies and procedures need to be audited. The selection procedure should have been performed with due-diligence. This should be properly documented based on needs and appropriate criteria.
- Site visits to the vendor office needs to be carried out. The financial capabilities of the vendor needs to be assessed, along with previous experience, staff capabilities, any pending litigation or customer complaints etc.
- Skill levels and training of the vendor needs to be assessed. This will help in understanding their capabilities for the contractual work undertaken.
- Checks for adequate documentation present to convey the program management of the vendors to the relevant staff of the company.
- The contract needs to be well defined. It should be vetted by internal/external legal counsel.
- Adequate staff should be deployed in order to fulfill the requirements of the contract. The third party staff should be well aware of their roles and responsibilities. They should also have had confidential agreements signed.
- All records pertaining to activities needs to be managed in an organized manner, Methodologies for updating and archiving documents need to be defined.
- The results of the activities performed by the vendor needs to be reported to the management on a timely basis. This should be reviewed by Management periodically. There should be a feedback mechanism in place. Thus, the performance of the vendor needs to be evaluated continuously.
- All precautions need to be taken to ensure that the data of the organization is protected and secure at all times.
- The organization should ensure that compliance is met and all policies and procedures are complied with. It should also plan for regular audits of the third party process and ensure that those are also complied with at all times.
- In case if the outsourced vendor is a foreign company, then the organization should take care that the legal requirements are met with. There should be penalty clause or fines that can be adhered to.
- The vendor organization should also have Business Continuity Plans and Disaster Recovery plans in place in case of any disruptions. It should ensure that the activities are performed in case of a disaster.
3. COBIT 5 framework for Vendor Management
COBIT 5 has defined a fame work for Vendor Management. Here it defines the roles and responsibilities of the different stakeholders in the contractual agreements. The RACI (responsible, accountable, consulted and informed) chart is as shown in the figure below:
Vendor Management RACI chart |
||||
Contractual Relationship Life Cycle |
||||
Stakeholders |
Setup |
Contract |
Operations |
Transition-Out |
C-level executives |
A |
A |
A |
A |
Business process owners |
R |
R |
I |
R |
Procurement |
R |
R |
I |
R |
Legal |
R |
R |
C |
C
|
Risk function |
C |
C
|
R |
R |
Compliance and audit |
C |
C |
C
|
C |
IT |
R |
R |
R |
R |
Security
|
R |
C |
R |
C |
Human resources (HR) |
C |
C |
C |
C |
C-level Executives – They are accountable for the vendor management process depends on the scale of outsourcing
Business Process Officers – Business Process Officers should be actively involved in the vendor management life-cycle
Procurement – Many responsibilities within the vendor management life cycle belong to the procurement function
Legal – To effectively mitigate vendor-related risk, the legal function should be involved throughout the entire vendor management life cycle.
Risk Function – The risk function should be consulted throughout the vendor management lifecycle to obtain a complete view on risk that is related to the relationship, services or products.
Compliance and Audit – The compliance and audit functions should be consulted throughout the vendor management life cycle to ensure compliance with internal and external laws, regulations and policies
IT – The IT role is significant because its members may be more familiar with the products and services and their market availability.
Human Resources – The HR stakeholder should be consulted throughout the vendor management lifecycle to ensure compliance with the enterprise’s worker statutes, local regulations, and code of conduct and labour law.
4. Managing a Cloud Service Provider
Cloud computing security is the set of control-based technologies and policies designed to adhere to regulatory compliance rules and protect information, data applications and infrastructure associated with cloud computing use.
The cloud is a shared resource, hence identity management, privacy and access control are of particular concern. With more organizations using cloud computing and associated cloud providers for data operations, proper security in these and other potentially vulnerable areas have become a priority for organizations contracting with a cloud computing provider.
Cloud computing security processes should address the security controls, the cloud provider will incorporate to maintain the customer’s data security, privacy and compliance with necessary regulations. The processes may also include a business continuity and data plan in case of a cloud security breach.
Cloud using the public cloud effectively is an IT governance issue. The impact cloud is having on the organization is initially assessed in order to devise a strategic and workable approach.
It is important to identify and categorize data already within the organization and the business processes around them. For example, storing credit card data in house currently and outsourcing the storage would mean an increased scope for PCI DSS (although outsourcing the payment transactions themselves to an approved provider usually makes sense). Storing personal data could have legal ramifications, if stored or replicated outside the country of the data subject
Firstly there is a need to address the new threats that virtualization pose within cloud computing. The second is the ability for SMEs to perform due diligence effectively for an outsourced provider, given that they rarely have in-house technical or legal expertise.
Google Plus cloud service helps me keep my contacts, calendars, photos, etc., synchronized across my various computing devices. Thus I like this feature and service. When suddenly I had to switch mobiles as my previous one was not working, I got back all my data intact from this service. But I am also careful about the data I put there.
5. Metrics for SLA
SLA would define the service level agreements between the vendor or the service provider and the company. It would also include how the services would be measured. This would define if the expectations are met in terms of the services provided.
How to go about choosing the various factors for the Metrics?
Firstly there is a need to define the KPIs that could be used to measure the Metrics. Secondly it would include the type of KPI like
- Objective – Number of Major incidents in a month
- Subjective – Improvements in client satisfaction.
When selecting KPI, need to understand what the indication of value to the customer is:
- Enhanced performance in the business
- Constraints removed from the business
- Availability & Reliability of the Service
- Performance of the service
- Security of the service
- Service Continuity (ability to recover from disaster)
Metrics type could be
- Service metrics which reflect the end-to-end quality of service or ‘user experience’
- Process metrics to inform the service provider and customer of the effectiveness (achieving goals) and efficiency (use of resources) of key activities within the service delivery function.
- Technology metrics to inform the IT provider at the component level, enabling the identification of issues and improvement opportunities
Penalty clauses should be used only if
- There is a reasonable lack of performance.
- If it is only the service providers fault, which means that the company is not at fault at all.
- It should be done in a fair manner with overall understanding of the incident.
Above all else, never forget the #1 rule – Nothing should be included in an SLA unless it can be effectively monitored and measured at commonly agreed points.
6. Third Party Audits
These can be conducted once in a while depending on the criticality of the services. For these Audits, the general controls used are:
- Risk Assessment – Based on the risks pertaining to Confidentiality, Integrity and Availability, access should be provided to the third party. Access control rights can be given based on sensitivity of data. This should also be taken care as a clause in the contract. The Risk Assessment can decide the further action that needs to be taken.
- Screening – Background checks for vendors/partners need to be performed vigilantly. This is very important aspect of vendor management. The company also needs to be checked for its financial viability. Depending on the criticality of the business and contract, audits could also be performed to their existing information security controls and processes.
- Information transfer Agreements between the external party needs to ensure that need to address that the transfer of information between both the parties happens in a secure manner.
- Selecting clauses in the agreement – Based on the risks assessed, the clauses should be present in the agreement. Penalty clauses based on the risk identified should exist. Turnaround time should also be mentioned in the clause.
- Access control – Accessing data by the third party contractors need to be monitored at regular intervals. It should be given only on needs basis and minimum access necessary should be provided.
- Confidentiality and Non-Disclosure Agreements – Confidentiality and non-disclosure agreements need to be signed by all employees of the third party who are contracted by the organization. This needs to be reviewed on a periodic basis.
- Compliance monitoring – Ensure that the third party complies with all clauses pertaining to security. This needs to be monitored and also they can be audited for the same. This needs to be controlled based on access and other rights on data.
- Termination of the agreement – When the agreement is terminated or the contract has expired and the company has decided not to extend the contract, the proper controls for this needs to be monitored, All assets should be returned by the vendor, and all access rights removed for the vendor. This again needs to be part of the contract.
7. Need for an effective vendor risk assessment
An effective and efficient vendor risk assessment provides benefits to the enterprise in terms of:
- Delivery of Costs savings
- Meeting Stakeholder needs
- Risk Management
- Assurances of Quality
- Standardization
- Flexibility and efficiency
IT Security has become an important aspect for any business. Most Companies are not willing to budget enough for IT security in general and vendor risk assessment in particular, despite the fact that Security of data processed by the enterprise including vendor resources is pivotal. Data Security may not be the primary business of any company, so companies do not spend higher amounts for IT security in general and in particular for vendor risk assessment.
Financial Services companies are inclined to have higher budgets for IT security in general and for vendor risk assessment as compared to other types of companies. This is because regulators have mandated security and confidentiality of customer data processed by these companies, albeit using many vendors. Consequently, these companies are forced to implement IT security standards. A vendor risk assessment will assure us that a vendor has become conscious of protecting the confidentiality, integrity and availability of the data and the associated information assets. This brings a culture change at the vendor company. Controls of IT security can be implemented only if the management of the vendor company supports the initiative.
References:
http://www.employeeservices.gov.sk.ca/projectsecurity
www.isaca.org Vendor Management Using COBIT 5