June 2015 SAFE Newsletter
Going Beyond Compliance with Vendor Management
Managing vendors has been a standard practice in the Financial Services industry due to the highly sensitive data that exists in financial organizations and the growing reliance on third-party service providers to support them. Sarbanes-Oxley, the Gramm-Leach-Bliley Act, Dodd-Frank and other financial regulations all agree: third-party service relationships involving key functions of the financial organization and/or its critical data must be properly managed to ensure that third-party access to highly sensitive information is secure, that information is protected once in the hands of the vendor, and that service levels are met.
One approach to vendor management is to contract with third parties in order to address departmental compliance requirements while also gaining some commercial benefit and maintaining acceptable service levels (the compliant approach). A more strategic approach is to select vendors that not only address a compliance requirement but can also be beneficial to other parts of the organization. This strategic approach to vendor management goes "beyond compliance" and begins to analyze vendors based upon their overall value versus their risk to the financial organization. A strategic "beyond compliance" approach to vendor management can lead to increased operational efficiencies and enhance the value of third-party services. This can lead to greater long-term cost savings and potentially collaborative or even joint efforts in developing service and process innovations.
Implementing vendor management at an organizational versus departmental level can lead to cost savings, increased security and a better vendor relationship. Although a formal Vendor Management Office (VMO) is not always the norm in mid-size organizations, it is a good idea to implement the principles of a VMO Framework when defining a vendor management program for your business. Some of the key operational elements of a solid VMO Framework include:
- Governance and Oversight – The financial organization's governance model should address proper oversight and monitoring of the vendor management program.
- Requirements Definition and Risk Assessment – Financial organizations should evaluate the ability of the vendor to meet requirements, assess the risk of doing business with them, utilize spend analysis to maximize buying leverage, and perform due diligence on vendor activities.
- Service Provider Selection and Due Diligence Classification of Vendors – This element should classify vendors in accordance with the vendor's importance and value to the business, and assess how resources are assigned to manage vendor relationships accordingly.
- Contracting – All contracts should be centralized and easily available to the appropriate relationship manager resources within your organization. Contracts should contain provisions to ensure the vendor has the proper security controls in place and that vendor activity can be monitored.
- Monitoring and Reporting Metrics – All service agreements should contain defined qualitative and quantitative metrics to assist your organization in evaluating the vendor's performance.
- Relationship – The financial organization should continue to hone the relationship with those vendors who have top performance and are utilizing a "beyond compliance" approach in an effort to reduce risk, improve performance and/or enhance value. Additionally, termination procedures should be clearly defined.
By utilizing the above basic elements to create a centralized vendor management program that incorporates vendor risk into the evaluation, financial organizations can begin to leverage regulatory compliance and operational optimizations to go "beyond compliance" in vendor management.
Utilizing SIEM to Strategically Manage Vendors
Every financial organization is ultimately accountable for all activity on its network. Monitoring and reporting on vendor activity, especially that of information technology vendors and other third parties who have the ability to access the financial organization's network, is a requisite for meeting cybersecurity compliance obligations. Security information and event management (SIEM) can provide an approach to cybersecurity management that gives a complete picture of an organization's information technology security, including vendor network activity. The multitude of cyberattacks on major retailers and other financial industry companies over the past couple of years resulted from a lack of security on vendor networks. This realization has built a strong case for financial organizations, especially those that rely on third parties for information technology, to implement solutions like SIEM to monitor vendor network activity consistently and efficiently.
SIEM is a combination of Security Information Management (SIM), a solution that collects data in a central repository and produces automated reporting for compliance, and Security Event Management (SEM), which centralizes the storage and interpretation of logs and allows near real-time analysis of security events. It gathers information from network and security devices, identity and access management applications, vulnerability management and policy compliance tools, operating systems, database and application logs, and external threat data. It provides a method to manage users and security privileges, analyze system configuration changes, review audit logs, and determine the type and severity of incidents that occurred on the network. By implementing a SIEM solution, financial organizations can produce measurable business impact by ensuring that vendor activity is appropriate and meets the contracted service levels.
For the following scenarios, indicate whether the organization has taken a compliant or strategic approach to vendor management.
- Annabelle, the executive assistant to the bank's CFO, reviews SIEM reports, issued by the bank's managed service provider, on a monthly basis. Annabelle is 23 years old, graduated with an associate degree in accounting, and was a bank teller before becoming the CFO's executive assistant. Although her scheduling and word processing skills are fantastic, she has never been a technological person and admits she really doesn't understand what she is looking for when she reviews SIEM reports. Recently, the IT Manager came to her with a concern that a vendor's access to the network was not restrictive enough and it seemed this vendor could access proprietary files. Annabelle tells the IT Manager she will look into it and refers to one of the SIEM reports. It indicates that the managed service provider has administrative access. Since the vendor is the managed service provider and probably understands these SIEM reports better than she does, Annabelle decides to inform the IT Manager that the access rights are fine.
- Annabelle was recently replaced by Betty Sue to review SIEM reports. Betty Sue has several years of experience in forensic monitoring and has been assigned to review the SIEM reports. She notices that the access rights of all the bank's IT vendors are set to administrative access. Betty Sue realizes there is an increased risk to the security of the network due to the access rights of all IT vendors. She immediately brings this to her manager's attention. Due to the bank's new strategic initiative to better manage its vendors, Betty Sue's manager knows to contact the head of the vendor management program to ensure that all IT vendor access is reassessed and appropriate access is assigned.
1) Compliant Approach 2) Strategic Approach
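The review Betty Sue performs by hand in the second scenario can be made systematic. The following is an added example, not from the newsletter or any vendor's product: it checks SIEM-style vendor access records against the privilege level and file scope recorded in each vendor's contract and reports what falls outside that scope. The vendor names, account names, file paths and record format are constructed assumptions.

```python
"""Vendor access review over SIEM-style records (constructed example)."""
from collections import defaultdict

# Constructed: the access each vendor is contractually permitted, as the
# vendor management program would record it (hypothetical vendor names).
CONTRACTED_SCOPE = {
    "msp-alpha":  {"max_privilege": "operator", "allowed_paths": ("/backup/",)},
    "netco-beta": {"max_privilege": "readonly", "allowed_paths": ("/logs/",)},
}

# Ordering of privilege levels used to compare granted vs. contracted access.
PRIVILEGE_RANK = {"readonly": 0, "operator": 1, "administrator": 2}

# Constructed SIEM export: one record per vendor account file access.
SAMPLE_EVENTS = [
    {"vendor": "msp-alpha", "account": "svc_msp", "privilege": "administrator",
     "path": "/backup/db01.bak"},
    {"vendor": "msp-alpha", "account": "svc_msp", "privilege": "administrator",
     "path": "/finance/loan_book.xlsx"},
    {"vendor": "netco-beta", "account": "svc_net", "privilege": "readonly",
     "path": "/logs/fw.log"},
    {"vendor": "ghost-llc", "account": "svc_old", "privilege": "administrator",
     "path": "/hr/payroll.csv"},
]


def review_vendor_access(events, scope):
    """Return {vendor: [findings]} for privilege above contract, access outside
    contracted paths, and activity by vendors with no contract on file.
    Identical findings from repeated events are reported once."""
    findings = defaultdict(set)
    for ev in events:
        vendor, acct = ev["vendor"], ev["account"]
        if vendor not in scope:
            findings[vendor].add(f"no contract on file; account {acct} is active")
            continue
        allowed = scope[vendor]
        if PRIVILEGE_RANK[ev["privilege"]] > PRIVILEGE_RANK[allowed["max_privilege"]]:
            findings[vendor].add(
                f"{acct} holds {ev['privilege']}, contract allows {allowed['max_privilege']}")
        if not ev["path"].startswith(allowed["allowed_paths"]):
            findings[vendor].add(f"{acct} accessed {ev['path']} outside contracted scope")
    return {v: sorted(f) for v, f in findings.items()}


if __name__ == "__main__":
    for vendor, items in review_vendor_access(SAMPLE_EVENTS, CONTRACTED_SCOPE).items():
        print(vendor, "->", "; ".join(items))
```

Vendors whose granted privilege and accessed paths stay within contract produce no findings, which is the result the vendor management program would expect to see after access has been reassessed.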