Assessing partner risk
The first step in managing risk is to understand the business impact of a compromise. To do this, you must clearly identify the kind of information that is involved in the partnership. If your organization follows a security framework, like ISO 27002, you will have a catalog of the information assets, including a definition of who the owner is and what makes the information sensitive and to what degree. Understanding the nature of the information is critical to risk mitigation. You must be able to answer the following questions:
- Is the information sensitive because it needs to be kept confidential [e.g., sensitive customer information protected under privacy laws and the Gramm-Leach-Bliley Act (GLBA)]?
- Is the information sensitive to integrity compromise [e.g., financial data critical to Sarbanes-Oxley Act (SOX) compliance]?
- Is the information availability critical to continued business operation?
- Is the information sensitive for some combination of the reasons above?
Once you understand the sensitivity of the information, you can determine the level of scrutiny to apply to the method of information exchange, the security of storage, and the prospective partner's general security practices. The most effective approach is to rank services and their providers by the sensitivity of the information involved (and the risks that come with it). Rankings fall into one of three tiers:
Tier one: Services that require no customer, competitive, or regulated information
This tier carries very little risk of embarrassment or monetary loss. Loss of availability will not affect business operations.
Tier two: Services that do not require customer or regulated information
Some aggregate competitive information may be present. Loss of availability may cause inconvenience but no direct impact on profitability or customer experience.
Tier three: Services that have customer, competitive, or regulatory information, and/or may affect the continued operation of the business
This tier carries a high risk of embarrassment, monetary loss and disruption of business operations.
Assessing the provider
Once you have established a service/risk ranking, you can assess the provider to the required degree.
Tier one services do not require an in-depth security assessment. This is not to say that you should ignore these providers entirely. All providers should be made aware of their responsibilities in maintaining the security of connections, assets and information with which they have been entrusted. Furthermore, it is important for financial organizations to protect themselves from attacks and compromises coming from so-called low-risk services. At a minimum, you should segregate non-critical services from sensitive ones and ensure that service provider agreements establish responsibility for damages resulting from poor security practices on the provider's part.
Tier two providers require more investigation. Given that the service provider has access to information or systems that could pose a risk to the business, you should conduct a lightweight assessment of the provider's practices. This is typically accomplished by requiring the provider to submit documentation of their practices and/or answer a security practice questionnaire. While many organizations design their own questionnaires, some have modeled them after standards such as ISO 27002.
Tier three providers represent real business risk in the form of loss of customer information, competitive information or operations. In many cases, regulations such as GLBA, the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI-DSS) and guidance from agencies like the FFIEC require organizations to exercise due diligence in ensuring that information entrusted to outside parties is protected. The best approach requires an in-depth assessment of both the specific data exchange method and the security practices supporting the operations associated with the service. Financial organizations often augment the skills of their internal security organization by contracting independent assessors. This practice allows for more reviews in a shorter period of time while drawing on the additional expertise of outside specialists. The best arrangement is for internal business and security representatives to accompany the assessors, which keeps the review focused on the company's needs and lets the organization acquire and retain institutional knowledge of the proposed partner. In other words, do not outsource this job completely.
Planning for the long term
Once a review is complete, both parties need to establish plans for dealing with weaknesses and how they relate to the service start date.
In the longer term, the parties need to work out how they will communicate, notify each other of suspected security events, respond to intrusions, and coordinate when services cease to operate. All these issues, including the consumer's right to reassess the partner's security and the right to be informed when significant changes occur in the business or infrastructure, need to be addressed in service agreements. As in all legal arrangements, both parties need to come to an agreement that meets each party's needs while not burdening the other unnecessarily.
Looking backward and forward
While this approach works well for financial firms establishing new partnerships, what happens to the relationships that already exist? The most effective approach is to add your existing services to the partner management program and conduct a risk assessment on each one as if it were a new service. Contract renewal may be a convenient time to start a review, but you shouldn't wait too long for critical services. Each existing service can be ranked according to the tiered model and service agreements can be assessed for adequacy. Slowly but surely, each relationship will find its way into the partner management program and be managed appropriately.
For any partnership, old or new, each year, you should cycle through your documented set of partners, assess the current risk (including changes to the partner, the service, or regulatory requirements), determine if the current controls effectively mitigate risk, and modify controls as necessary. Financial organizations that follow this pattern not only manage risk effectively, but also prepare themselves for the scrutiny of auditors and partners.
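The tiered ranking, the assessment depth each tier calls for, and the annual review cycle described above can be kept in a small partner register. The following Python module is an added example, not code from the article or its author: the service attributes, the 365-day review interval, the assessment descriptions and the sample partners are all assumptions constructed for illustration.

```python
"""Partner-risk register: tier ranking and review scheduling.

Added example (not the article's own code). It encodes the three-tier
ranking model from the text and adds a review scheduler. The field names,
the 365-day interval and the sample partners are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Annual cycle per the article; the exact interval is an assumption.
REVIEW_INTERVAL = timedelta(days=365)


@dataclass
class Service:
    partner: str
    name: str
    customer_data: bool = False          # e.g. GLBA-protected customer records
    regulated_data: bool = False         # e.g. SOX financial data, PCI cardholder data
    competitive_data: bool = False       # detailed competitive information
    aggregate_competitive: bool = False  # aggregate-only competitive information
    affects_operations: bool = False     # loss of availability halts business operations
    last_review: Optional[date] = None   # None means never assessed
    changed_since_review: bool = False   # partner, service or regulatory change


def rank_tier(svc: Service) -> int:
    """Rank a service 1..3 using the article's tier definitions.

    Tier 3: customer, competitive or regulated data, or operational impact.
    Tier 2: no customer/regulated data, but aggregate competitive data.
    Tier 1: none of the above.
    """
    if (svc.customer_data or svc.regulated_data
            or svc.competitive_data or svc.affects_operations):
        return 3
    if svc.aggregate_competitive:
        return 2
    return 1


# Assessment depth per tier, paraphrased from the article (wording assumed).
ASSESSMENT = {
    1: "security-responsibility notice, network segregation, liability clause in agreement",
    2: "lightweight review: documentation and security questionnaire (e.g. ISO 27002-based)",
    3: "in-depth assessment of data exchange method and security practices, "
       "with internal business and security staff accompanying the assessors",
}


def required_assessment(svc: Service) -> str:
    """Map a service to the assessment depth its tier requires."""
    return ASSESSMENT[rank_tier(svc)]


def review_due(svc: Service, today: date) -> bool:
    """A review is due if never done, older than the interval, or a change occurred."""
    if svc.last_review is None or svc.changed_since_review:
        return True
    return today - svc.last_review >= REVIEW_INTERVAL


def review_queue(services: List[Service], today: date) -> List[Service]:
    """Services needing review, highest tier first, then oldest review first."""
    due = [s for s in services if review_due(s, today)]
    return sorted(due, key=lambda s: (-rank_tier(s), s.last_review or date.min))


# Constructed sample register (fictional partners) and a fixed "today".
TODAY = date(2024, 6, 1)
SAMPLE = [
    Service("Acme Print", "marketing collateral printing",
            last_review=date(2022, 5, 1)),
    Service("BenchCo", "industry benchmarking feed", aggregate_competitive=True,
            last_review=date(2024, 3, 1), changed_since_review=True),
    Service("CardProc", "card processing", customer_data=True, regulated_data=True,
            last_review=date(2024, 2, 20)),
    Service("Vendor X", "core banking hosting", affects_operations=True),
]

if __name__ == "__main__":
    for svc in review_queue(SAMPLE, TODAY):
        print(f"tier {rank_tier(svc)} {svc.partner:<12} -> {required_assessment(svc)}")
```

Run the module directly to print the review queue for the constructed register; Vendor X (never assessed, tier three) comes first, CardProc is skipped because its review is recent and nothing has changed, and BenchCo is pulled forward by the change flag even though its last review is only three months old.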
About the author:
Richard E. "Dick" Mackey is a frequent speaker and contributor to magazines and online publications. He has advised leading financial firms on compliance with PCI, GLBA, and SOX. He has also provided guidance to a wide range of companies on enterprise security architecture, identity and access management, and security policy and governance.
This was first published in August 2008