
Don't forget the cleaning crew in your vendor management program

By Marcia Savage, Site Editor
05 Oct 2009 | SearchFinancialSecurity.com


When it comes to their vendor management programs, financial institutions often overlook non-IT vendors -- the cleaning crews and other service providers whose physical access can pose a real risk to sensitive information, industry experts said.

Banking regulators require financial institutions to have vendor management programs that ensure customer data is protected. However, many banks focus only on IT vendors, said Ruth Razook, CEO of RLR Management Consulting Inc., a La Quinta, Calif.-based firm that provides IT, strategy and other services to community and independent banks. That leaves out suppliers like janitors and plant maintenance providers whose after-hours and unsupervised access to office facilities makes them a high risk for stealing confidential information left on desks or in trash cans, she said.

Regulators are looking for an enterprise-wide vendor management program that takes into account all types of vendors, Razook said. They stressed the point during a conference panel she recently moderated with representatives from the FDIC and the Office of the Comptroller of the Currency (OCC). "Most banks still concentrate on their IT vendors and it's got to change," she said.

David Schneier, a compliance consultant who works with financial institutions, said an example of unchecked risks with non-IT vendors occurred while he did some late-night risk assessment work for a credit union last year. Sitting in the executive office suite, he heard a sound and peered out the door. To his surprise, a preschooler, followed by his father, was ambling to the restroom.

The next morning, he asked the credit union's CEO about it, who in turn asked the facilities manager. It turned out that the man was the husband of a woman working for the cleaning vendor, and that he and his son regularly brought her dinner to the office. "Think about the scenario: A completely unknown entity, the husband, within a secured area and no one from the credit union had any idea about it," Schneier said.

On further questioning, he learned that the credit union didn't have any assurances that the cleaning crew was properly vetted or any contractual clauses to govern such a situation.

"Now ask yourself how you'd feel if you had money deposited with them and knew there was the potential that your account number or Social Security number was on a form or printed report left out in the open and where any number of unknown entities potentially had access to it," Schneier said.

By overlooking non-IT vendors and not implementing proper security controls, financial institutions run the risk of violating GLBA if the vendor gains unauthorized access to sensitive information, said Susan Orr, a financial-services consultant who spent 14 years as a banking examiner. They also are putting customers at risk for identity theft. Other third parties to consider include accounts payable and HR vendors to ensure corporate and employee information is secure, she added.

While physical theft is the main risk with vendors like cleaning services and security guards, there is the chance that criminals could plant a person with technical skills on a cleaning crew to break into computers and steal data, said Paul Rohmeyer, a consultant and assistant professor at Stevens Institute of Technology in Hoboken, N.J.

The proliferation of small and cheap storage devices also provides criminals with a way to siphon off data if they can access machines, he added.

Financial institutions need to educate users about shutting down and locking systems during off hours and not writing down passwords, but they also need to deploy technical measures such as controls that prevent someone from plugging a flash drive into a PC, he said.
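The removable-storage control Rohmeyer describes is, on a Windows desktop fleet, usually enforced through the "All Removable Storage classes: Deny all access" Group Policy setting. The script below is an added example, not code from the article or its sources: it writes the registry value that policy sets, disables the USB mass-storage class driver as a second layer, and provides a check function an auditor can run against a sample of PCs. The key paths and value names are the documented policy locations; the function names are this example's own.

```powershell
# Added example (not from the article): deny removable-storage access on a Windows PC.
# Run in an elevated PowerShell session. On a domain, set the equivalent GPO instead of
# editing each machine; this script is useful for standalone hosts and for verification.

# Policy key behind "All Removable Storage classes: Deny all access"
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
# Service key for the USB mass-storage class driver
$usbstorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Set-RemovableStorageDeny {
    # The policy key does not exist until a GPO (or this script) creates it
    if (-not (Test-Path $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null
    }
    # Deny_All = 1 denies read, write and execute on every removable-storage class
    New-ItemProperty -Path $policyKey -Name 'Deny_All' -PropertyType DWord -Value 1 -Force | Out-Null
    # Start = 4 (SERVICE_DISABLED) keeps usbstor.sys from loading at all; takes effect
    # for newly inserted devices after the next reboot
    Set-ItemProperty -Path $usbstorKey -Name 'Start' -Value 4
}

function Test-RemovableStorageDeny {
    # Returns $true only when both layers are in place; suitable for a compliance sweep
    $deny  = (Get-ItemProperty -Path $policyKey  -Name 'Deny_All' -ErrorAction SilentlyContinue).Deny_All
    $start = (Get-ItemProperty -Path $usbstorKey -Name 'Start'    -ErrorAction SilentlyContinue).Start
    return (($deny -eq 1) -and ($start -eq 4))
}

Set-RemovableStorageDeny
if (Test-RemovableStorageDeny) {
    'Removable storage denied: policy and driver controls both present'
} else {
    'Removable storage control NOT fully applied'
}
```

Two caveats a practitioner should keep in mind: Deny_All applies to every account on the machine, administrators included, so exceptions for authorised users need the per-class Deny_Read/Deny_Write values or a device-control product rather than this blanket setting; and disabling USBSTOR stops mass-storage devices only, not USB network adapters or keyboard-emulating devices, which is why the policy layer, not the driver layer, is the primary control.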

Razook said a good place for banks to start an enterprise-wide vendor management process is with a vendor list from accounts payable. "Do a risk assessment on those vendors and decide who should be incorporated into a vendor management program and who you can exclude but it should be noted that you went through that process," she said.

An exception might be a food service that doesn't have access to the building unsupervised, Razook said. For higher risk vendors, a company may want to verify they're insured or that a confidentiality agreement is in place.

"Banks should go through that process," she said. "The regulators are going to be looking for that."

Orr said a written vendor management program is a regulatory requirement and regulators will be reviewing banks' programs. "Granted, this year there have been credit situations that are occupying examiners' attention, but institutions should not get complacent or lax in thinking that because this year no one looked at it or commented on it that they will get by next year," she said.

Tags: Business partner and vendor security issues; GLBA compliance requirements; Risk assessment and management in financial institutions




All Rights Reserved, Copyright 2008 - 2009, TechTarget