Pub. 9 2020 Issue 1

15 s p r i n g | 2020 can create security issues, too. Who has ownership of the risks? It’s better to have that conversation before there is a problem instead of after. Think about the information vendors need to do their job; they should not be given information beyond what they need. • Security plans should include plans for emergencies, whether that emergency consists of violent actions or natural disasters. It can be paralyzing if something bad happens, especially if you don’t give people a straightfor- ward plan for handling problems. If people are in shock, a plan may be the best way to help them get moving again in helpful and constructive ways. • Use industry frameworks to support your business when applicable. • Be sure to pay attention to the physical protection of as- sets as well as digital protection. If someone comes into a building and physically takes equipment such as comput- ers, servers, or phones, digital protection alone may not be effective. • Think about how to handle exceptions. Nobody can fore- see everything, but you can and should create a process for dealing with the problems you didn’t see coming. • If you have multiple agreements having to do with security, there might be a need to determine the order of precedence for them. • Think about what happens to data when your business is done with it. If vendors have data, require that they re- turn it in a usable format and that they give you a way to retrieve data if necessary. Vendors should delete all sensi- tive data after they have returned it, and they should give you an affidavit to that effect. Deletions should include backup data and data vendors gave to subcontractors. • Have one or more attorneys you can consult when neces- sary. They should understand cybersecurity, privacy law and technology. Your attorneys can tell you about limita- tions of liability and can help you navigate problems such as a vendor who suspends or ends services, vendors who don’t negotiate terms with their vendors, and vendors who don’t tell you when they revise policies but still hold you to complying with the revised policies. What are some standard industry frameworks to consider? • NIST cybersecurity framework or SP 800-53: These can give you guidance about preventing, detecting and responding to cyberattacks. For information about NIST’s cybersecurity framework, visit www.nist.gov/ cyberframework. To get a copy of SP 800-53, visit https:// nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST. SP.800-53r4.pdf. • 20 Critical Controls at https://www.cisecurity.org/ controls/cis-controls-list/. • ISACA’s COBIT 5 at http://www.isaca.org/cobit/pages/ default.aspx. • CSA Assessments Initiative Questionaire (https://cloud- securityalliance.org/artifacts/consensus-assessments- initiative-questionnaire-v3-0-1/) or Cloud Controls Matrix (https://cloudsecurityalliance.org/research/ working-groups/cloud-controls-matrix/). If you need to review a vendor, start by reading an online report called the 2019 Gartner Magic Quadrant for IT Vendor Risk Management, which was published in November 2019. It reviews 16 providers. Gartner placed the providers in a coor- dinate system where the x-axis ranks companies on complete- ness of vision and the y-axis ranks companies on their ability to execute. • Leaders are those with a complete vision that also execute well. • Niche players are those whose vision and ability to ex- ecute are both limited. • Visionary companies have a complete vision but can’t execute as well as the leaders. • Challengers execute well but don’t offer completeness of vision. You might consider some of the following software solutions to help you: • A web-based platform called RSA Archer Vendor Man- agement. Gartner identifies it as a leader. • A third-party management app from MetricStream for vendor risk management. Gartner identifies the company as another leader. • A cloud-based platform called the Prevalent Third-Party Risk Management Platform. Gartner identifies the com - pany as a visionary. • LockPath’s risk management software, KeyLight. It isn’t listed in the 2019 Gartner Magic Quadrant. When you are planning a review, you will need to answer some questions: • When are reviews going to take place? Schedule them on a regular, reasonably frequent basis. Annual reviews are the bare minimum for high-risk businesses. A moderate- risk business should have a security review every three years, and a low-risk business should conduct a security review when contracts are renewed or every five years, whichever comes first. • Which business aspects need a review? You could review everything, or you could break the job down into specific categories, such as a physical security review at one point during the year and a cybersecurity review six months later. • Who has ownership of the review? Who has the authority to approve of review findings, to decide when the follow-up will be done, and to select someone to follow up? • What will you require employees to do as part of the review? • How will you communicate policy changes and train employees about them? You can’t prevent every bad thing from ever happening, but if you conduct an annual security review, you can improve your odds of weathering bad things as much as possible. F E A T U R E