ZenGRC

Simply Powerful GRC

ZenGRC Team

How Vendor Risk Management Can Impact Your GDPR Compliance

· ·

GDPR - General Data Protection Regulation

Risk exposure is indiscriminate, regardless to the size of the company. Now that GDPR is in full effect, organizations should be engaged in activities to display compliance. This includes implementing a solid vendor risk management program to identify, track and monitor your company’s risk exposure. Under GDPR your company could face fines, penalties and other possible legal ramifications.
To prepare for GDPR, organizations should have overhauled critical business operations, one being their vendor risk management program. The expressed language in GDPR regarding data controllers and processors is very clear, you are liable if one of your third party’ processors encounters a breach that leads to customer data being compromised. The illustration below provides a high-level overview of the applicable GDPR articles that may be impacted by vendor risk management.

Although, GPDR has many articles that impact data processing by both controller and processor. More specifically, Article 28, mandates controllers must use processors that have demonstrated and provided sufficient guarantees that they have implemented the appropriate technical and organizational measures that ensure data protection the of data subjects rights. This means you must perform due diligence and assess your third-party vendors to ensure they are meeting GDPR compliance requirements. Furthermore, the process must be documented.
To help you understand how your vendor risk management program can impact GDPR compliance you must first ask a few questions:

  • What type of personally identifiable information are you and your vendors collecting, processing or storing?
  • Who is processing personal data on your behalf?
  • Where is this data stored?
  • How and when is it disposed of?
  • Does the data belong to EU citizens or residence?
  • What personal data is being processed?
  • What is the purpose for the processing?
  • Who can access this information?
  • Do you have policies and procedures for data collection, use and compliance?
  • What protections and precautions are being taken by the both the controller and processor to protect your customers/employee’s personal data?
  • What is the process for beach notifications?

Identify Key Risk Areas:

  • Did you inform your EU citizens that you are sharing their data with third parties?
  • Are you sure your vendors can guarantee adequate level of protection – how can you provide proof?
  • Have you conducting vendor risk assessments to determine the impact of GDPR and how it applies to you and your vendors?
  • Are you conducting data privacy impact assessments before you onboard new systems/vendors?
  • Have you established policies and procedures to onboard/offboard vendors, monitor their compliance and assess them regularly?
  • For high-risk vendors, conduct controls testing of internal data sources, onsite reviews and periodic questionnaires to ensure third party vendors are not altering or deleting data.
  • Centralize your vendor management program – ZenGRC can support this process effortlessly.

Effective vendor management requires a systematic approach to identifying and managing vendor risk. It is not unreasonable to believe that sometime soon you will have to demonstrate your compliance with GDPR and vendor management. Audits will ultimately happen and your behavior in response to managing vendor risk will be assessed, questioned and tested. Building a good strong program in a tool like ZenGRC will help you navigate the way.

A Plan To Help You Successfully Manage Your Vendors

· ·

reviewing documents with a vendor

Increasingly, companies rely on vendors for continued success. Whether you’re using a SaaS marketing platform or a payroll processor, you share employee and customer private data with vendors. Protecting the data entrusted to you requires you to create a vendor management plan that mitigates and monitors the risks vendors pose.

What is a Vendor Management Plan?

Your vendor management plan establishes a set of rules that allow you to identify, rate, and mitigate the risks third-party business partners pose to yourself and your customers. In the same way that you establish a risk tolerance,  you need to make sure that you hold your vendors to the same level of accountability. Creating a vendor management plan follows the same steps as creating your information security plan. Vetting vendors and monitoring them helps create a stronger overall cybersecurity stance.

Step 1: Identify the Information Your Vendor Accesses

Vendor risk directly relates to the information that your vendor accesses. Vendors come in a variety of types. The same way that you need to identify internal information assets, you need to identify vendor information assets. To appropriately determine the risk your vendor poses to your organization, you need to ask yourself the following questions regarding your vendors:

  • What is the role my vendor plays in my business?
  • What company information does the vendor need to meet these needs?
  • What employee information does the vendor need?
  • What customer information does the vendor need?
  • Does the vendor need access to my systems and networks?
  • What systems and networks do my vendor need access to?
  • How long will my vendor need access to my systems and networks?

Service providers can be people or software systems. To appropriately evaluate your risk, you need to understand how they fit into your business objectives as well as how much information they need to enable those objectives.

Step 2: Set a Risk Tolerance for Vendors

Once you determine the information that your vendors access, you need to align your information risk tolerance to match the access your vendors need. You need to decide what risks you want to accept, transfer, mitigate, or refuse. Looking at your vendor needs, you need to ask yourself the following questions:

  • Does this vendor play a critical role in my business operations?
  • How much company information does the vendor need?
  • How much customer information does the vendor need?
  • How much employee information does the vendor need?
  • How many critical networks does the vendor need to access?
  • How many critical systems does the vendor need to access?

Criticality to your business operations acts as the first step to understanding the impact the vendor can have on your organization.

Your IT department may use a cloud service provider to house all your electronic data. Meanwhile, your marketing department may be using a vendor to manage email distributions. Each of these vendors has access to valuable information, but the information differs in criticality to your business operations. Your cloud service provider houses information such as customer or employee names, dates of birth, or financial information. If this data is compromised, you face legal issues. If you lose a batch of email addresses for outreach, your liability is less, especially if the information does not personally identify any of the potential individuals linked to the emails.

Therefore, your cloud service provider is a more critical vendor to business continuity and houses more important information making them a high risk.

Step 3: Create Procedures to Guide Your Vendor Relationship

If good fences make good neighbors, then good contracts make good business partnerships. Creating the right documentation to formalize your relationship outlines a set of shared best practices that you expect your vendor to follow. A service level agreement (SLA) is a contract that outlines the role your vendor will play in your company.

Primarily focused on the services provided and the completion expectations for a project, SLAs increasingly also define security requirements for vendors. These contracts, especially for long-term relationships, create boundaries that define legal responsibility for data protection. When creating your SLA, you want to incorporate, at a minimum, the following:

  • Access authorization protocols
  • Information access controls
  • Password management requirements
  • Network and system security protections
  • Network and system update requirements
  • Employee Security Awareness Training requirements
  • Encryption and decryption requirements
  • End-point security requirements
  • Liability for security incidents

Vendors need to have a clear set of security expectations. Additionally, you need to know that they meet your security requirements. For example, if you require multi-factor authentication for application use but your vendor does not, they can put you at risk. If you’re constantly updating your systems with provider patches, but they do not do this regularly, they put your information at risk. You need to have some assurance that they know your requirements and their responsibility in case they do not meet them.

Step 4: Ongoing Vendor Monitoring

Your vendors’ security posture poses the same risk to your data that yours poses, except you have less control over their activities. Lacking control over vendor security protocols and controls feels unnerving. Knowing that their missteps become your missteps can escalate even the calmest CISO’s blood pressure. Continuous monitoring strategies include:

  • Reviewing SOC reports
  • Making site visits
  • Engaging in vendor audits either annually or more frequently
  • Requesting penetration testing documentation
  • Reviewing copies of internal audit reviews
  • Reviewing IT diagrams and architecture
  • Reviewing security documentation

Vendor oversight and monitoring require both trusting your vendors to meet contractual obligations as well as verifying that trust with documentation. Meeting your compliance requirements, both regulatory and industry-imposed, requires you to create an effective monitoring process that protects your downstream partners and customers.
 

Automating Vendor Management with ZenGRC

ZenGRC eases the burden of monitoring your vendors by providing you with a single location to track and store the information you need to prove your oversight. Our SaaS platform eases the consuming document collection process by allowing you to automate tasks and track their completion. Rather than emailing everyone responsible for gathering documentation, you can send reminders in the system with one click of a mouse.

Moreover, ZenGRC offers a vendor questionnaire aligned to PCI DSS that you can send to help with the monitoring process. Not only do we allow you to track the information, but we ease the burden of creating the documentation yourself.
For more information on how ZenGRC can enable your organization’s vendor management program, schedule a demo.

Who’s Really Responsible for Third-Party Vendor Breaches

· ·

Third-party vendors, suppliers, and partners pose more risks to your reputation and bottom line than ever before. Recent surveys indicate as many as 63 percent of breaches stem from third-party access. Some of the most devastating cyberattacks in recent years, in fact, have occurred not to big companies, but to their vendors.

The sheer number of third-party contractors may be a factor. Enterprises are turning increasingly to contractors to not only save on the costs of hiring full-time employees, but also to fill a temporary need or a very specific niche such as IT or data analysis. As your own circle of trust widens, how will you ensure that your enterprise’s data, that of your clients and customers, will remain safe and secure?

The 2015 hack of the credit-processing agency Experian, among other high-profile vendor breaches, indicates the damage that could happen to your business if just one of your vendors, suppliers, or partners drops the ball on security. Cybercriminals breached Experian’s database, but it was T-Mobile’s data they stole-confiscating personal data on 15 million T-Mobile cellular service customers.

T-Mobile’s CEO said he was “incredibly angry” about the breach, and rightly so: Experian had neglected to install security patches. But whose job was it to safeguard that data? Several class-action lawsuits are pending against both organizations, holding T-Mobile equally responsible.

Regulators seem to agree, The European Union’s General Data Protection Regulation (GDPR) puts the onus on enterprises to secure and keep track of the personal data they collect, process, store, and share. Furthermore, the regulation stipulates that organizations must notify the European Supervisory Authority and customers promptly in the event of a breach.

Financial regulators have increasingly held banks accountable for third-party issues. In New York, 23NYCRR 500 became effective March 1, 2017, now state regulators are now requiring financial firms to verify that their vendors’ cybersecurity measures are adequate.

Trust and Verify

Even with the vendors you know and trust, a handshake is no longer enough; nor is a contract. Today, you must verify the trustworthiness of your third-party contractors and document that you have done so. How?

Assessments and audits are the most common methods of vendor verification. For many enterprises, an assessment will suffice – but not just any assessment. To get the most out of yours, I suggest you keep it simple.
Too often, organizations throw everything including the kitchen sink into their questionnaire, muddying their view of what is really going on. But in most instances the right questions are not being asked. Craft a meaningful assessment by asking yourself some questions first:

  • What does this vendor do for my enterprise?
  • Do they collect, process, or store customer or employee personal data on our behalf?
  • What kind of access does it have to our data, systems, and networks?
  • What are my chief security concerns with this particular vendor?
  • How can I know if the vendor is protecting data to our standards?
  • What happens to the data I share with this vendor?
  • Can the vendor provide certifications to prove compliance with important frameworks and regulations?
  • Which third parties does the vendor work with? What access do these have to your data?
  • How does the vendor ensure security and compliance with its third-parties or subcontractors? A chain is only as strong as its weakest link.

Each set of questions will be unique not only to your organization, but also to each vendor you’re assessing, taking into consideration the nature of your relationship and what you think is important.

Quality, not Quantity

Create your survey carefully and take a risk based approach. Remember that a human will be analyzing the results, and distractions could cause them to miss something critical. The more concise your questionnaire, with an emphasis on understanding how the vendor is using your data, the more readily you will be able to identify risks.

In some cases, you will want to audit a vendor. Vendor audits are a growing trend, although they can be a hassle. To make the task easier, find out if your vendor has SOC-2 or other relevant certification. If so, you can lay to rest many broad-based concerns you might have, and focus on what matters most to your company.

But if the data you’re sharing is particularly sensitive, or if you spot red flags in the survey phase, you may opt to conduct an audit. If you do, again, keep the process focused and specific. Don’t adopt a list-based approach but a risk-based one, considering your enterprise’s threats and concerns first, and looking to see how the vendor protects you or doesn’t.

Third-party vendors are no longer the exception, but the rule. As they proliferate, so will cybercriminals’ efforts to hack their databases, hoping that their systems are less secure than yours. Don’t let that be the case and most certainly don’t take a chance they your third-party vendors are secure and compliant…. Trust but verify!
Data is the new gold. Getting yours breached, no matter where it occurs, could cause staggering fines, penalties, and reputational damage. That is why, when it comes to protecting your data, the buck stops not with your third-party vendor-but with you.

PCI Compliance & Network Segmentation

· ·

PCI Compliance & Network Segmentation

Network segmentation acts as the starting point for determining the scope of your Payment Card Industry Data Security Standard (PCI DSS) compliance journey. Segmentation means creating controls focused on the data’s security needs. To appropriately meet the PCI network segmentation requirements, you need to understand the standard’s purpose and objectives.

PCI DSS Network Segmentation

What is the cardholder data environment (CDE)?

PCI DSS defines cardholder data (CHD) as personally identifiable data associated with someone’s credit or debit card. This definition includes the primary account number (PAN) in conjunction with either cardholder name, expiration date, service code, or sensitive authentication card data.

In short, CDH constitutes any information that could be used to steal an identity or make fraudulent charges to someone’s card.

The cardholder data environment constitutes any computer or networked system that processes, stores, or transmits this information. The CDH includes system components such as network devices, servers, computing devices, and applications. These can be security services, virtual components, network components, server types, applications, or anything connected to CDE.

If employees or systems can access CHD on something, then that needs to be set off separately from all other areas of your company.

What does PCI DSS mean by network segmentation?

Network segmentation requires looking at the way information travels on your systems. Think of your CDE as a river and the CHD as a kayak navigating the rapids. Just like rivers have multiple access points for boats, networks have various data access points. Networks act like rivers with tributaries that are connected to them. If your CHD can float down a path on your network, you need to either protect that tributary or build a dam.

For example, PCI DSS defines connectivity as physical, wireless, and virtualized. At any point on that river, CHD can enter. Physical connectivity may be a USB drive. Wireless connectivity includes Wireless LANs and Bluetooth connections. Virtualized connectivity incorporates shred resources such as virtual firewalls or virtual machines. Each of these data access points needs to be secured.

How do companies scope systems?

PCI DSS scoping requires critically evaluating all the different data access points and tributaries on your CDE river.

A PCI DSS assessment starts with cataloging how and where you receive CHD. Walking up and down the banks of your CDE, you need to find all payment channels and methods for accepting CHD and then follow the information’s journey from collected through destruction, disposal, or transfer.

Next, locate and document the places throughout your CDE where you store, process, or transmit data. This identification means understanding how not only who handles data, the processes and technologies that touch the data as it flows through your networks.

After you’ve tracked the information’s flow through your organization’s networks, you want to make sure that you’ve incorporated all processes, system components, and people who influence the CDE. This step differs from the last because it requires you to look outside of those that interact with the information and focus on those who drive the environment.

Once you’ve reviewed your data river, you need to create controls to protect the information. In the same way that some rivers have landings to help protect boaters accessing certain points, you need to have controls. You also need to determine how to limit where the information can go and who can access it. To do this, you want to put up the data security version of dams, including firewalls and encryption methods.

After you’ve established control, you need to make sure that you apply them to all in-scope system components, processes, and personnel.
Finally, and most importantly, you need to monitor controls and make sure to make changes as your CDE evolves.

Are there any out-of-scope systems?

The Payment Card Industry Security Standard Council (PCI SSC) defines out of scope systems as those with no access to any CDE system. Increasingly, finding out-of-scope systems is difficult.

The PCI SSC requires that the system component must not store, process, or transmit CHD AND must not be connected to any network segment that touches CHD AND must not connect to any system in the CDE AND cannot gain access to or impact a security control of the CDE AND doesn’t meet any previously discussed criteria.

Going back to the river analogy, even the trees in the neighboring forest might be in scope if they can access the same water table as your river. Therefore, before declaring a system out-of-scope, you need to think very carefully about it.

Can organizations transfer their risk using third party service providers?

Third parties and service providers also fall within the scope of your PCI security standards compliance.

Third parties and service providers are the forest rangers for your river. These business partners, entities providing remote support services, or other service providers may engage with your environment and therefore can place it at risk. Just as a forest ranger may move a branch that topples a kayak, so your third parties can impact your PCI DSS compliance. Therefore, you need to engage in third-party monitoring and manage your vendor ecosystem.

If you use a third-party service provider, you need to assess their services carefully. The contract should delineate the parts of the PCI-DSS requirements covered by you and the services provider.

The service provider needs to prove its compliance.

Vendors can either provide an annual assessment done by a qualified security assessor (QSA) or allow clients to request on-demand assessments. If the service provider chooses to provide a QSA assessment, you need to make sure that it covers your compliance needs and is part of the contract.

How ZenGRC can ease the burden of PCI DSS compliance

With ZenGRC, organizations can rapidly deploy a governance system that provides easy-to-read insights. For example, our PCI DSS compliance dashboard allows organizations to review control health at a glance while also listing critical issues facing the organization.

ZenGRC’s ongoing monitoring abilities provide updated, in-the-moment insights enabling organizations to continually respond to changing threats and vulnerabilities in a continuously evolving threat environment. Moreover, organizations can store their penetration test and audit findings on the ZenGRC platform to help enable better cross-enterprise outcomes.

To read about how scoping your PCI DSS compliance can help you better manage your compliance needs, download our ebook, PCI-DSS: Steps to Successful Scoping.

The Most Important Part of GDPR Compliance

· ·

highlighting Compliance definition with a green highlighter marker

With the May 25th deadline for GDPR compliance now long gone, is your organization currently in compliance?
If your answer is “no,” take heart: You are not alone. Most CIOs report that, when this sweeping new privacy-and-security law takes effect, their enterprise will not meet its mandates. Many say they are confused about exactly what they must do to avoid the heavy penalties-and loss of reputation-they may face as a result.

Granted, a regulation with 99 directives can be intimidating. But non-compliance with the GDPR is not an option, not for those wanting to do business with people and companies in the EU. The penalty, if you do not comply, may be steep: up to 4 percent of annual global revenue or 20 million euros, whichever is greater. The impacts on your brand could be even greater.

CIOs and managers would do well to plunge in now, if you haven’t already, and begin to crack the GDPR compliance code. That way, even if your enterprise falls under scrutiny, you will be able to show a good-faith effort-crucial for mitigating penalties and protecting your organization’s good name.

Laying the Foundation: Step One

A good first step toward GDPR compliance is understanding what the GDPR is and does, and how it differs from its predecessor, the Data Protection Directive 95/46/EC (the 1995 Data Directive).

As its name implies, protecting privacy is the impetus behind the GDPR. Historically, the EU has already required organizations within the EU to secure citizens’ personal data. The GDPR codifies those expectations and expands them in a law that applies not only to EU-based enterprises, but to all organizations worldwide that collect, process, store, or share EU resident citizens’ information.
The GDPR establishes specific rights for individuals, requiring that:

  • Citizens actively consent to each proposed use of their information,
  • Certain “special categories” of data be handled in specified ways, and
  • Organizations delete or return, upon the owner’s request, the data they have collected.

And no longer is the concern only with EU-based organizations. Because the GDPR is a citizens’-rights law, its mandates affect every enterprise around the world doing business with EU citizens who live in any of the EU’s 28 member states.
Essentially, if your operation has an online presence and your website, products, or services are accessible to people in Europe-if they might join your mailing list or give you their credit card information-you will need to obey this law.

Policy Matters

To reach compliance, you almost certainly will need to scrutinize and enhance your organization’s policies and procedures from beginning to end, from the drafting stage all the way through editing, approving, updating, distributing, implementing, training, documenting, updating, maintaining, and auditing.

Having the proper policies and procedures in place is key to GDPR compliance. Why? Because policies and procedures are the backbone of your organization, comprising set of shared standards designed to strengthen and support your organization’s success.

Do you even have a written policy for handling, tracking, storing and sharing the data you collect? Do you have clear steps defined in the process, including how to tag data so you can easily retrieve it no matter where it goes?

Once you’ve got the proper policies in place, you’ll need to determine which of them your enterprise is in compliance with and where it falls short, and what you must do to reach compliance. This stage, policy management, is too often overlooked or given short shrift-which could result in falling out of GDPR compliance after you have worked so hard to reach that goal.
Recommendations for successful policy management include:

  1. Build a policy management system
  2. Take a risk-based approach to building policies and procedures.
  3. Automate as much as possible.
  4. Maintain a consistent format across all policies and procedures.
  5. Maintain a system of record for reporting and auditing.
  6. Restrict changes to policies and procedures to applicable staff.
  7. Link all documents to GDPR principles.

At the end, you should have a policy inventory with detailed information about each policy and which GDPR controls it addresses, and how. You must also make sure to update your policies whenever the GDPR changes or other new industry requirements come along, and make sure employees have access to the latest versions-including translations for international audiences.

One Step at a Time

Once you have the proper policy management system in place and your policy inventory complete,you can take the next practical steps toward GDPR compliance. Fortunately, many of these can be handled with ease if you have the right technologies at your fingertips. These steps include:

  • Conduct a risk assessment to identify where your policy, procedures and risks may be across the enterprise.
  • Set a budget for policy management software, storage, GRC, staff and other resources.
  • Harmonize and map GDPR controls based on standard frameworks and existing compliance controls.
  • Automate policy management to save time and reduce costs.
  • Track attestations consistently, and keep records in one place for ready retrieval in the event of legal action.
  • Consider how you can use policy management tools to meet third party and auditor needs.
  • Make sure the processes and program you build will be auditable, and will stand over time.

The GDPR is here to stay, and pretty much every enterprise doing business online-and some that don’t-will need to comply with its mandates. The bad news is, it’s a big and complex law, and it’s taking effect very soon. The good news, however, is that there is an app for that, offering a simple, worry-free path to GDPR compliance.

The Zen of GDPR Compliance

ZenGRC’s governance, risk, and compliance software is designed to turn a confusing, even overwhelming set of tasks-GDPR compliance, for instance-into a streamlined, one-step-at-a-time process.

ZenGRC’s System of Record Dashboard tracks your progress as you build your GDPR policies and procedures. Fully deployed in just six to eight weeks, it provides easy mapping of your organizational policies and procedures to show how they correspond to risk, controls, and requirements. It lists which objectives your enterprise complies with and which still need work, and tells you what you need to do to check each item off your list.

Better yet, ZenGRC will automate the workflows needed for each task, saving you time and money.

It provides role-based information access to help you better manage policies, including updates and keeping track of various versions of each, and notifies you when changes come along requiring updates. Should your business fall out of compliance, you will know.

With ZenGRC, you will also know whether your employees fully understand the GDPR and your company’s related policies. This powerful software surveys workers to measure their comprehension, and helps them improve where needed.
ZenGRC also tracks your efforts to comply with the GDPR. Its self-auditing feature gives you full confidence that you’re in compliance, and provides all the information needed for quick, accurate, and defensible external audits, where needed.
With the deadline looming for GDPR compliance, you may feel tempted to bury your head in the sand and hope that your enterprise won’t be scrutinized. The impulse is understandable, given the regulation’s complexity.

But compliance doesn’t have to be so difficult. Help is at hand, and simplification right at your fingertips. Contact ZenGRC today to find out how our ZenGRC software can ease your GDPR compliance worries–freeing your mind, and your business, to focus on what matters most: your customers.