Blog: ISO

By: (Security+)

How do you know what due diligence documents to gather from each of your vendors? There are many methods available, but some result in more accurate documentation than others. Today, I'm going to review two of the primary methods and discuss the effectiveness of each method.

Method #1: The Bucket Method

I often see what I will call the bucket method.

It Goes Something like This

Imagine you have a list of questions you ask about vendor characteristics, and then you classify that vendor based on the number of questions answered as "yes." For example, a vendor should be considered:

  • "Level 1" if two or fewer are answered as "yes."
  • "Level 2" if three to four are answered as "yes."
  • "Level 3" if five or more are answered as "yes."

Then, you could define the required due diligence based on the level of the vendor, or based on the bucket in which the vendor is grouped. At "Level 1," collect only a service level agreement. At "Level 2," collect a contract, a confidentiality agreement, and financial statements. At "Level 3," collect all document types (e.g., a contract, confidentiality agreement, financial statements, SOC report, examination report, BCP, etc.).

What Happens Now?

This method seems relatively simple to carry out. In practice, though, it creates a lot of unnecessary document exceptions and occasionally misses opportunities to request relevant documents.

  • Unnecessary Document Exceptions in a Bucket Method
    Consider a vendor who is "Level 3." While five characteristics applied to this vendor, several of the required documents are unnecessary to request and, in some cases, unreasonable to expect. Each one results in an exception record to explain the case and ultimately requires more effort from you, as the vendor manager, to oversee the relationship.

  • Missed Opportunities for Requesting Relevant Documents in a Bucket Method
    Consider a vendor who is "Level 2." While only three characteristics applied to the vendor, one of them is very important: if this vendor were unavailable for 24 hours, it would be detrimental to our business. We should get their BCP, but we did not, because it was not required for "Level 2" vendors.

What This Means for You

The bucket method costs a lot of time and effort even though the labelling process seems quick and simple.


Method #2: The If-Then Method

Instead of the bucket method, consider the more accurate if-then method.

It Goes Something like This

Imagine you have a list of questions you ask about vendor characteristics. You could say that if you answer Question A as "yes," then you should collect a specific type of document related to the effects of that characteristic, Document A. Here are a few examples to consider:

  • If a vendor performs critical functions or provides critical services, then you should get a service level agreement.
  • If a vendor uses subcontractors in the performance of critical functions, then you should get the vendor's third-party due diligence on those subcontractors.
  • If a vendor stores customer information, then you should get a SOC report.


What Happens Now?

By using the if-then method, you only gather the documentation that is appropriate to the third party relationship. This method can be continually refined. If you notice you are creating a lot of document exceptions for a specific type of document, revisit the question that triggers this requirement. Consider what assumptions are being made incorrectly about the characteristic's effects, and update your list to account for them.

Let's say you thought, "If a vendor stores, transmits, or accesses customer data, then I should get their SOC report." You would quickly find that not every vendor who can access your customers' data will have a SOC report, and that for many of these services a SOC report is unnecessary. In this case, you could create two separate questions. One question would be about storing customer data, for which you would require a SOC report. The other would be about accessing or transmitting customer data, for which you would require a confidentiality agreement but not a SOC report. Making this adjustment would greatly reduce the number of documented exceptions.
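To make the two methods concrete, here is an added example (not code from the original post or from Tandem) that encodes the bucket thresholds and the if-then rules above as data, runs both against a few constructed vendor records, and reports which bucket requests are unnecessary, which documents the bucket misses, and how many exceptions each rule set produces. The question names, document names, vendors and the "can_provide" sets are all assumptions made up for the illustration; the only rules taken from the post are the bucket levels and the SOC report / confidentiality agreement split.

```python
"""Bucket vs. if-then selection of vendor due-diligence documents.

Added example; vendor records, question names and document names are
constructed for illustration and are not from the original post.
"""
from typing import Callable, Dict, List, Set, Tuple

# Yes/no questions asked about every vendor (names are assumptions).
QUESTIONS = (
    "critical_function",       # performs a critical function or service
    "uses_subcontractors",     # subcontractors perform critical functions
    "stores_customer_data",    # stores customer data
    "accesses_customer_data",  # accesses or transmits, but does not store, customer data
    "financially_material",    # the relationship is financially material to us
    "outage_24h_harmful",      # 24 hours of unavailability would harm the business
)

# Bucket method: count the "yes" answers, then request a fixed document set per level.
BUCKET_DOCS: Dict[int, Set[str]] = {
    1: {"SLA"},
    2: {"contract", "confidentiality agreement", "financial statements"},
    3: {"SLA", "contract", "confidentiality agreement", "financial statements",
        "SOC report", "examination report", "BCP"},
}

# If-then method: any "yes" among the trigger questions requires the named document.
Rule = Tuple[Tuple[str, ...], str]

# First draft: one broad question drives the SOC report requirement.
INITIAL_RULES: List[Rule] = [
    (("critical_function",), "SLA"),
    (("critical_function",), "contract"),
    (("uses_subcontractors",), "subcontractor due diligence"),
    (("stores_customer_data", "accesses_customer_data"), "SOC report"),
    (("financially_material",), "financial statements"),
    (("outage_24h_harmful",), "BCP"),
]

# Refined: split the broad question so that only storing data requires a SOC report.
REFINED_RULES: List[Rule] = [
    (("critical_function",), "SLA"),
    (("critical_function",), "contract"),
    (("uses_subcontractors",), "subcontractor due diligence"),
    (("stores_customer_data",), "SOC report"),
    (("accesses_customer_data",), "confidentiality agreement"),
    (("financially_material",), "financial statements"),
    (("outage_24h_harmful",), "BCP"),
]

# Constructed vendors: their answers and the documents they can actually supply.
VENDORS = {
    "core processor": {
        "answers": {"critical_function": True, "uses_subcontractors": True,
                    "stores_customer_data": True, "financially_material": True,
                    "outage_24h_harmful": True},
        "can_provide": {"SLA", "contract", "confidentiality agreement",
                        "financial statements", "SOC report", "BCP",
                        "subcontractor due diligence"},
    },
    "statement mailer": {
        "answers": {"critical_function": True, "accesses_customer_data": True,
                    "outage_24h_harmful": True},
        "can_provide": {"SLA", "contract", "confidentiality agreement",
                        "financial statements", "BCP"},
    },
    "marketing agency": {
        "answers": {"accesses_customer_data": True},
        "can_provide": {"contract", "confidentiality agreement"},
    },
}


def bucket_level(answers: Dict[str, bool]) -> int:
    """Level 1 for 0-2 'yes' answers, level 2 for 3-4, level 3 for 5 or more."""
    yes = sum(1 for q in QUESTIONS if answers.get(q, False))
    return 1 if yes <= 2 else 2 if yes <= 4 else 3


def bucket_documents(answers: Dict[str, bool]) -> Set[str]:
    return set(BUCKET_DOCS[bucket_level(answers)])


def if_then_documents(answers: Dict[str, bool], rules: List[Rule]) -> Set[str]:
    return {doc for triggers, doc in rules
            if any(answers.get(q, False) for q in triggers)}


def compare_methods(answers: Dict[str, bool], rules: List[Rule]) -> Dict[str, Set[str]]:
    """Documents the bucket requests without a triggering characteristic, and
    documents the if-then rules require that the bucket never asks for."""
    bucket, targeted = bucket_documents(answers), if_then_documents(answers, rules)
    return {"unnecessary": bucket - targeted, "missed": targeted - bucket}


def exceptions(vendors: dict, select: Callable[[Dict[str, bool]], Set[str]]) -> List[Tuple[str, str]]:
    """(vendor, document) pairs where a required document cannot be supplied,
    i.e. the exception records the vendor manager would have to write."""
    out: List[Tuple[str, str]] = []
    for name, vendor in vendors.items():
        for doc in sorted(select(vendor["answers"]) - vendor["can_provide"]):
            out.append((name, doc))
    return out


if __name__ == "__main__":
    for name, vendor in VENDORS.items():
        print(name, "-> level", bucket_level(vendor["answers"]),
              compare_methods(vendor["answers"], REFINED_RULES))
    print("bucket exceptions:", exceptions(VENDORS, bucket_documents))
    print("initial if-then exceptions:",
          exceptions(VENDORS, lambda a: if_then_documents(a, INITIAL_RULES)))
    print("refined if-then exceptions:",
          exceptions(VENDORS, lambda a: if_then_documents(a, REFINED_RULES)))
```

Run as written, the "statement mailer" lands in Level 2 and the bucket never asks for its BCP or SLA, while the "core processor" in Level 3 is asked for an examination report it cannot supply. The initial if-then rules still produce two exceptions (SOC reports demanded of vendors that only access data); the refined rules produce none, which is the signal the post describes for when a question needs to be split.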

What This Means for You

The if-then method cuts down on unnecessary document requests and helps ensure that pertinent documents are obtained.

In Summary

While both methods provide standardized ways to gather due diligence documentation from vendors, the bucket method can actually cause more problems for your vendor managers. By using the if-then method, you can manage your vendors based on the services being provided to you and easily change your program to meet the developing needs of your environment. Couple this method with the Tandem Vendor Management Software to increase the efficiency with which you conduct your program.

In September 2016, the Federal Financial Institutions Examination Council (FFIEC) released an updated Information Security Booklet as part of the IT Examination Handbook. Among other contemporary concepts, the FFIEC placed an increased emphasis on the role of Information Security Officers (ISOs) in financial institutions. In section I.B Responsibility and Accountability (Page 5), the FFIEC provides a list of six key qualities of the ISO role. Here are the six qualities and a brief interpretation of how each can be applied in your organization.

1. Sufficient Authority

Each ISO should have sufficient authority to perform their assigned tasks. While the ISO ultimately reports to the board or senior management, they must also be a trusted employee (or group of employees) who is authorized to make organization-altering decisions on their own. In short, your ISO should be someone you can, and will, trust.

2. Stature within the Organization

Each ISO should have stature within the organization to perform their assigned tasks. In addition to being a trustworthy part of the organization, the ISO should also be a respected part of the organization. The role of the ISO is a position that should be held with esteem. This is a tone that is set from the top. If the board and senior management respect the role of the ISO, the organization's employees will respect it, as well.

3. Knowledge

Each ISO should have the knowledge to perform their assigned tasks. The ISO is tasked with oversight of the information security program. This is a broad topic which requires knowledge of the physical, technical, and administrative functions of the organization. If no single employee has sufficient knowledge to make decisions for each of these areas, it may be wise to appoint multiple individuals to fill the organization's ISO role as a committee.


4. Background

Each ISO should have the background to perform their assigned tasks. Like knowledge, this means the ISO should have a history that involves information security. An employee can be trustworthy, respected, and knowledgeable about information security, yet lack a foundation of experience. Information security is an ever-changing field, and appointing an ISO who has no experience in it is a risk to the organization's information security.

5. Training

Each ISO should have continued training to perform their assigned tasks. Since the field is ever-changing, it should not be assumed that the ISO has all the training required to perform their duty. As the threat environment changes, as new controls are implemented, as the industry advances, the board and senior management should expect the ISO or members of the ISO team to further their education through training.

6. Independence

Each ISO should have independence to perform their assigned tasks. It would be best to avoid conflicts of interest when selecting an ISO. For example, while knowledge of information technology (IT) is important, the ISO should not be the person responsible for implementing the organization's IT function. For community financial institutions, this is not always practical. So, if your organization finds independence difficult, it may be beneficial to appoint individuals from various departments to fill the organization's ISO role as a committee.

In Summary…

While the FFIEC is not very prescriptive about how to appoint an ISO, ensuring that your organization's ISO is trustworthy, respected, knowledgeable, experienced, committed to continued training, and independent of other functions in the organization lays the foundation for an effective information security program.

I have been asked several times what my favorite Windows program is for accessing ISO images of CDs and DVDs. To just browse an ISO and extract files, I prefer 7-zip. To mount them as a drive letter, I like MagicISO. I am partial to tools that do not need installation, but of course something like this must install a driver, so it requires an installer. This software is very lightweight: the driver is only 250K, and you only need to run the client to mount and dismount disc images. Some of these kinds of tools are used by gamers and others to make illegal copies of CDs, and that software may be detected as malware, but MagicISO is still passing all antivirus scanners on VirusTotal.