Archives for May 2014

Todd Langusch, TECHLOCK

It is hard to imagine an account receivable organization performing the full collections life cycle on its own. The use of third-party vendors for key collection processes or functions is essential for collection agencies. Routine sharing of consumer or client data with letter vendors, cloud service providers, business process outsourcers, data providers, payment gateways, consultants, attorneys, and others is an essential business practice.  And yet, however indispensable the outsourced function or service is, even more imperative is the upfront and ongoing proper due diligence organizations must do on those third-parties.

The risk of sending data to a third-party has never been greater. The Ponemon Institute has published many articles and white papers on the subject. Recently, the Ponemon Institute, LLC, published its Fourth Annual Benchmark Study on Patient Privacy & Data Security (download here) where it noted healthcare organizations don’t trust their third-party or business associates with sensitive patient information. Only 30 percent of those surveyed are very confident or confident that their business associates are appropriately safeguarding patient data as required under the Final Rule. Outside of healthcare, Ponemon Institute published “Aftermath of a Data Breach” white paper (download here) where respondents noted insiders and third-parties are most often the cause of the data breach.

Despite the overwhelming information and facts available outlining the risks of using third-parties, I routinely find that organizations are not doing the proper due diligence on service providers. Not only is it critical for an Organizational Internal Risk Profile, it is required by law and their client contracts. For example, the Gramm-Leach-Bliley Act Safeguards Rule requires an organization to have a risk assessment and service provider oversight. With the recent Final Omnibus Rule we are all well aware of the business associate requirements outlined in HIPAA / HITECH Act. In addition to federal laws, several States have also reiterated the need for reasonable due diligence and risk assessments on service providers. Massachusetts 201 CMR 17.00, Nevada’s NRS 603a, and Texas H.B. 300 are prime examples of this. Lastly, one can find the same service provider due diligence requirements in industry standards like ISO 27001/27002 and PCI DSS.

Despite the well-documented laws and information security best practices, organizations struggle with reasonable or proper due diligence of a service provider. For over a decade now I have assessed organizations in the ARM Industry and have identified three key issues that I would like to share with you regarding service provider risk. First, organizations should have a keen understanding of what service providers might submit to demonstrate their data security competence and what to be skeptical of. Frequently in the Collections Industry, I have seen service providers providing a PCI DSS quarterly scan certificate as proof of their data security and observed collection organization’s accepting this one item as proof of compliance. A PCI DSS external quarterly scan performed by a PCI ASV is outlined in PCI DSS requirement 11.2 but what people may not know this one requirement is by no means full compliance with PCI DSS. It is only one requirement out of 200+ specific requirements to achieve PCI DSS compliance. Organizations should be wary of service providers sending over a quarterly scan certificate as proof of their data security and ask for their PCI DSS Report on Compliance (RoC) performed by a PCI QSA. Sometimes, the reason why a different service provider can undercut their competitors on pricing has a direct correlation to the infrastructure and data security maturity or the lack thereof.

To move on to my second observation and related to the first, you should never take an independent third party audit report from a service provider and pass them solely on that report. How do you know the auditor did a good job? You do not and you should validate some of the report by observing first-hand the controls in place by that service provider. I know that requires time and resources but this is your business and possibly your client’s brand name and reputation at stake. The first thing you should do is a data flow diagram. Validate when your data leaves your company and goes to the service provider what servers and system components does it flow through? What staff have access to your data and how is that access logged? Does the third party audit report show clearly the system components and staff on the report that matches with your own data flow diagram with that service provider or was segmentation used or limited scope with the third party’s audit report provided.

My last observation to share with you and to compound the problem further: organizations themselves may obtain their own independent third party audit report to assess their own controls. As we have already established, service provider oversight and risk assessment are requirements and will be part of the assessment. Unfortunately, I routinely see independent third-party audit reports missing proper data flow diagrams and proper service provider evaluation which may give an owner or the Board of Directors for a company a false sense of security regarding third-party risk when they receive their own passing audit report. This is in part due to the auditor’s lack of collection process knowledge or the audited organization not providing full and accurate information to the auditor.  More often than not, the information technology department gets notified there are auditors coming in and is assigned the task to answer questions for this critical business need. In many cases, the staff running the IT infrastructure are not 100% familiar with all of the service providers the organization shares data with. An even greater problem, as mentioned above, is the quick acceptance of a passing audit report (any standard) with no internal review or validation. I have said before that people will spend more time checking a rental car for damage at the time of rental then they will spend time checking their own “passing” audit report. This can bring quite a bit of risk to an organization and to the clients they service.