At the Morningstar Security Summit on June 26th, 2017, Morningstar's CIO and team gathered industry experts to discuss best practices in cyber security and risk assessment. Sessions throughout the day included: State of the Security Industry, Understanding Emerging Threats and Regulatory Trends, Amazon Web Services Security, Protecting What Matters and a panel discussion on "Should You Trust Your Third Party Vendors?."
The panelists included Anders Norremo, the CEO of ThirdPartyTrust, a leading vendor risk management platform; Amy Voegeli, the moderator from Morningstar's IT Risk and Compliance team; Dan Nellessen, IT Risk and Compliance analyst at Morningstar; Vince Concilaldi, Partner at Grant Thorton LLP; Ryan O’Leary, Vice President at Whitehat Security; and lastly, Jay Schulman, a Principal of Security and Privacy at RSM US LLP.
Are SOC reports sufficient?
Voegeli moderated the panel of security experts and started the conversation by asking if a SOC Report was sufficient to properly assessing the risk of third and fourth party vendors. System and Organization Controls (SOC) reports came about from the introduction of the Statement on Standards for Attestations and Engagements (SSAE) 16 auditing standard for service organizaitons in 2011 replacing SAS 70. Concilaldi from Grant Thornton says his firm has been performing SOC audits for enterprises for years and sees them as a great baseline.
The panelists agreed that there exists a multitude of additional measures to assess vendors, such as app scans, pen tests, risk assessment questionnaires, cyber insurance, perimeter scanning, and other certification requirements. However, the number of necessary measures depends on the level of risk associated with each vendor. SOC reports have created a base standard companies to default to during an audit but the enterprise still must asked themselves which principles will be included in the scope of the SOC audit. Concilaldi from Grant Thornton says
Where do I start as an Enterprise?
According to Anders Norremo of ThirdPartyTrust, the first step of a good vendor management program entails, “examining your vendor inventory and then measuring these entities’ inherent risk ratings.” The level of risk, says Norremo, will determine the level of necessary precautions in your risk management procedure.
Shulman of RSM suggested abiding by a framework, more specifically a framework your industry or clients adhere's to most closely. The ISO 2700 family of standards can help organizations manage the security of assets such as financial information, intellectual property and healthcare data. Another set of standards was put out by The National Institute of Science and Technology (NIST) focusing on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization’s risk management processes. But again, before investing time, money and resources, understand what you're customers want.
What does a holisitc view look like?
Anders Norremo and the other panelists advocate a holistic and customized approach to cyber security and to achieving third and fourth party assurance.
A holistic approach includes considerations to applications and software, infastructure hardware and software, remote and mobile hardware with software, network components and other technology considerations. For further reading on security considerations, read up on the security basics.
ThirdPartyTrust is making it simple to assess third and fourth party vendor information to ensure your gaining every insight to potential cyber risks. It's a supply chain security tool for companies wanting a holistic approach to vendor risk management.