The ongoing challenge of IT and data risk management

Download PDF version

Managing IT and data risk is a challenging job. When we outsource our IT, applications and data processing to third-parties more and more every day, managing that risk becomes almost impossible. No longer are our data and systems contained within an infrastructure that we have full control over. We now give vendors our data, and allow them to conduct operations on our behalf.

The problem is, we don’t control their infrastructure, and we can never fully look under the hood to understand and vet their ability to protect our data and operations. We have to fully understand how important this issue is, and ensure we have the right governance, processes and teams to identify and mitigate any risks found in our vendors. No longer are our data and systems contained within an infrastructure that we have full control over

Today, everything is connected. Our own networks have Internet of Things (IoT) devices. We have VPN connections coming in, and we aren’t always sure who is on the other end of that connection. It is a full-time job just to get a handle on our own risk. How much harder, and how much larger should our teams and budgets be, to truly know and trust that our vendors can secure those devices and external connections?

For every device and application we have internally, it is very difficult to even keep an accurate inventory. Do all of our vendors have some special sauce that allows them to overcome the traditional challenges of securing internal and vendor-connected networks? They are doing the same thing we are – doing our best with the limited human and financial resources allocated by our organisation.

Risk stratification and control objectives

The benefits of outsourcing operations or using a vendor web application are clear. So how can we properly vet those vendors from an IT risk perspective?

The very first thing we need to put in place is Risk Stratification. Risk Stratification presents a few targeted questions in the purchasing process. These questions include – what type of data will be shared? How much of this data? Will the data be hosted by a vendor? Will this hosting be in the US or offshored? Has the vendor ever had a data breach? These questions allow you to quickly discern if a risk assessment is needed and if so, what depth and breadth. Risk stratification allows you to make decisions that not only improve your team’s efficiency, but also ensure that you are not being a roadblock to the business

Risk stratification allows you to make decisions that not only improve your team’s efficiency, but also ensure that you are not being a roadblock to the business. With risk stratification, you can justify the extra time needed to properly assess a vendor’s security.

And in the assessment of a vendor’s security, we have to consider what control objectives we will use. Control objectives are access controls, policies, encryption, etc. In healthcare, we often use the HITRUST set of control objectives. In assessing against those control objectives, we usually use a spreadsheet.

Today, there are many vendors who will sell us more automated ways to get that risk assessment completed, without passing spreadsheets back and forth. These solutions are great if you can get the additional budget approved.

Multi-factor authentication

Even if we are using old-fashioned spreadsheets, we can ensure that the questions asked of the vendor include a data flow and network/security architecture document. We want to see the SOC2 report if they are hosting their solution in Amazon, etc. If they are hosting it within their own datacentre, we absolutely want to see a SOC2 Type II report. If they haven’t done that due diligence, should that be a risk for you?

Today, we really need to be requiring our vendors to have multi-factor authentication on both their Internet-facing access, as well as their privileged internal access to our sensitive data. I rate those vendors who do not have this control in place as a high risk. We’ve recently seen breaches that were able to happen because the company did not require administrators or DBAs to use a 2-factor authentication into sensitive customer data sources.

In the assessment of a vendor’s security, one has to consider what control objectives to use

This situation brings up the issue of risk acceptance. Who in your organisation can accept a high risk? Are you simply doing qualitative risk assessment – high, medium and low risks? Or are you doing true quantitative risk analysis? The latter involves actually quantifying those risks in terms of likelihood and impact of a risk manifesting, and the dollar amount that could impact your organisation.

So is it a million dollars of risk? Who can accept that level of risk? Just the CEO? These are questions we need to entertain in our risk management programs, and socialised within your organisation.

This issue is so important – once we institute risk acceptance, our organisation suddenly starts caring about the vendors and applications we’re looking to engage. If they are asked to accept a risk without some sort of mitigation, they suddenly care and think about that when they are vetting future outsourced solutions. Quantitative risk analysis involves quantifying risks in terms of likelihood and impact of a risk manifesting

Risk management process

In this discussion, it is important to understand how we think of, and present, the gaps we identify in our risk management processes. A gap is not a risk. If I leave my front door unlocked, is that a control gap or a risk? It is a gap – an unlocked door. What is the risk?

The risk is the loss of property due to a burglary or the loss of life due to a violent criminal who got in because the door was unlocked. When we present risks, we can’t say the vendor doesn’t encrypt data. The risk of the lack of encryption is fines, loss of reputation, etc. due to the breach of data. A gap is not a risk.

Once we’ve conducted our risk analysis, we must then ensure that our contracts protect our organisation? If we’re in healthcare, we must determine if the vendor is, in fact, a true HIPAA Business Associate, and if so we get a Business Associate Agreement (BAA) in place. I also require my organisation to attach an IT Security Amendment to these contracts. The IT Security Amendment spells out those control objectives, and requires each vendor to sign off on those critical controls. We are responsible for protecting our organisation’s IT and data infrastructure – today that often means assessing a 3^rd-party’s security controls

One final note on risk assessments – we need to tier our vendors. We tier them in different ways – in healthcare a Tier 1 vendor is a vendor who will have our patient information on the Internet. Tiering allows us to subject our vendors to re-assessment. A tier 1 vendor should be re-assessed annually, and may require an actual onsite assessment vs. a desk audit. A tier 2 vendor is re-assessed every 2 years, etc.

We are responsible for protecting our organisation’s IT and data infrastructure – today that often means assessing a 3^rd-party’s security controls. We must be able to fully assess our vendors while not getting in the way of the business, which needs to ensure proper operations, financial productivity and customer satisfaction. If we truly understand our challenge of vendor risk management, we can tailor our operations to assess at the level needed, identify and report on risks, and follow-up on any risks that needed mitigated.

Download PDF version

Author profile

Randall Frietzsche Distinguished Fellow, Information Systems Security Association (ISSA)

Randall Frietzsche is the Enterprise CISO for Denver Health. Randall has been a leader in IT Security for ten years, with 15 years in IT Security and over 20 years in Information Technology. He is a Distinguished Fellow with the Information Systems Security Association (ISSA.) Randall holds a Master’s Degree in Information Security, the CISSP and 25 other Security, IT and other technical certifications. He teaches cybersecurity both for Harvard University and Ivy Tech State College. He is a former law enforcement officer, and a recent graduate of the FBI Citizen’s Academy. Randall is a frequent speaker, writer, teacher and mentor.

Related companies
Information Systems Security Association (ISSA)

View all news from
Information Systems Security Association (ISSA)

Related links
Articles by Randall Frietzsche

In case you missed it

Top ten security industry mergers and acquisitions of 2019

Two of the most familiar names in the physical security market – Pelco and Panasonic – underwent ownership changes during 2019. Consolidation continued on multiple other fronts. Security service companies, video companies and access control companies were all among the entities involved in merger and acquisition (M&A) activity during the last 12 months. In short, the industry landscape continues to transform in response to a changing market. Here's a look at the Top 10 M&A stories in 2019: 1. Pelco acquired by private equity firm Transom Capital Pelco Inc. was acquired in May by Transom Capital Group, a private equity firm, from Schneider Electric. Since the acquisition, Transom Capital has been working with Pelco’s management and employees to define and direct the next chapter of the iconic company. Pelco maintains its headquarters in Fresno, Calif., and has a presence in Fort Collins, Colo., near Denver, and a sales office in the New York area, not to mention many global employees who work remotely. 2. Panasonic spins of security business Electronics giant Panasonic sold off 80% of its video surveillance business to a private equity firm but is retaining 20%, and the new company will continue to use the well-known Panasonic brand. The move is aimed at reinvigorating a business challenged by competition from Chinese companies and lower video prices. Polaris Capital Group Co. acquired 80% of the outstanding shares of the new security systems business. 3. Qognify acquires OnSSI and SeeTec 2019 began with the acquisition of IP video management software (VMS) company On-Net Surveillance Systems (OnSSI), including SeeTec in Europe. Backed by the global investment firm Battery Ventures, Qognify completed the acquisition in the final days of 2018. With Qognify, OnSSI and SeeTec operating under one umbrella, the company provides VMS, video analytics, PSIM and critical incident management for mid-market and enterprise organizations. 4. Busy year for acquisitions at Allied Universal Security services company Allied Universal had an active year in acquisitions, beginning in April with the acquisition of integration company Securadyne Systems in Dallas. There was an additional acquisition announced in each of the next four months: Point 2 Point Global Security, Dallas, in May; security services company Cypress Private Security in June, services company Shetler Security Services in July , and Midstate Security in August. Allied Universal announced two more acquisitions in November – low-voltage integrator Advent Systems Inc. in Chicago and Vinson Guard Service in Louisiana. Also in November, Allied announced a transformational merger with SOS Security. In December, Allied Universal acquired APG Security, South Amboy, N.J. 5. Motorola continues video push with VaaS acquisition Following its acquisition of Avigilon in 2018, Motorola Solutions continued to build its presence in the security market in 2019 with the acquisition of VaaS International Holdings, Inc. (VaaS), a data and image analytics company. Motorola Solutions paid $445 million in a combination of cash and equity for the company, which includes fixed and mobile license plate reader cameras driven by machine learning and artificial intelligence. 6. ACRE acquires access control companies Open Options and RS2 Open Options is an open architecture access control company headquartered in Addison, Texas; and RS2 is an open systems access control provider in Munster, Ind. ACRE, global provider of security systems, wrapped up acquisition of both firms in 2019, after announcing the Open Options deal in the waning days of 2018 and following it up with the RS2 announcement in the spring. ACRE’s portfolio now consists of Vanderbilt, Open Options, RS2 and ComNet. 7. Assa Abloy expands capabilities with LifeSafety Power Lock and access control giant ASSA ABLOY acquired LifeSafety Power in September, providing a complement to the access control portfolio. The plan is to incorporate LifeSafety Power’s knowledge of power supply and consumption throughout the ASSA ABLOY access control line. LifeSafety Power was established in 2009 and has some 65 employees. The main office is located in Libertyville, Illinois. 8. Distributor Anixter going private and selling to CD&R Anixter International Inc., a distributor of network and security solutions, electrical and electronic solutions and utility power solutions, entered into a definitive agreement with an affiliate of Clayton, Dubilier & Rice (CD&R) to be acquired in an all cash transaction valued at approximately $3.8 billion. The transaction will result in Anixter becoming a private company and is expected to close by the end of the first quarter of 2020. Under the terms of the merger agreement, CD&R-managed funds will acquire all the outstanding shares of Anixter common stock for $81.00 per share in cash. (It has been reported that a new bidder has also emerged, although Anixter is resisting – stay tuned.) 9. Alarm.com expands commercial offering with OpenEye acquisition Alarm.com has announced a majority-stake acquisition of OpenEye, a provider of cloud-managed video surveillance solutions for the commercial market. OpenEye is optimised for enterprise-level commercial customers requiring expansive video recording capabilities, in addition to remote viewing, administration and diagnostic reporting. Combined with the Alarm.com for Business offering, service providers partnered with Alarm.com now have solutions to accommodate commercial accounts of any size. 10. ADT makes multiple acquisitions, sells Canadian operation Another North American security giant, ADT Inc., also had a busy year in mergers and acquisitions. In February, ADT acquired LifeShield, a pioneer in advanced wireless home security systems. In June ADT continued expanding capabilities and geographic reach via Red Hawk Fire & Security, ADT Commercial with the asset purchase agreement of Security Corporation, a commercial security integrator headquartered in Detroit, Mich. In November, ADT Commercial purchased Critical Systems, which specialises in enterprise-class fire alarm, fire suppression, life safety and integrated building security solutions for high-rise properties, healthcare campuses and data, manufacturing and distribution facilities in Atlanta. In October, ADT announced an agreement to sell its Canadian operations to TELUS Corp.

MOBOTIX M7 platform provides more flexibility and computing power

It is an exciting time at German intelligent video company MOBOTIX, which has launched a next-generation platform that builds on their legacy of video at the edge while opening up the system to third-party partners that can build even more capabilities. MOBOTIX unveiled the new M7 platform and M73 camera at the MOBOTIX Global Partner Conference in Mainz, Germany, in October. MOBOTIX M7 is a powerful, decentralised and secure modular IoT-video system based on deep learning modules. The feedback has been “overwhelming,” says MOBOTIX CEO Thomas Lausten. The new technology will also be featured in the United States at the 2020 MOBOTIX Partner Summit in Hollywood, Fla., in January. A different video surveillance "What you see is a different way of doing video surveillance,” says Lausten. “Our focus on the edge is the difference between us and other companies.” The new MOBOTIX 7 open solution provides an “edge platform” that can be used for a variety of applications, which are provided as “apps” that leverage the platform’s hardware for specific uses, from object detection to face detection to people counting. The new M75 high-end camera incorporates the new platform. The MOBOTIX application programming interface (API) makes it possible for hundreds more apps to be developed over time Currently there are 19 apps available to empower various applications, and availability of the MOBOTIX application programming interface (API) makes it possible for hundreds more apps to be developed over time. If a MOBOTIX partner creates a new app for a specific project, “now he can use it not just for one project but can put it in the app store and sell it all over the world,” says MOBOTIX CTO Hartmut Sprave. Field Programmable Gate Array The new MOBOTIX platform uses Field Programmable Gate Array (FPGA) integrated circuits that provide flexibility and versatility to be adapted to a variety of needs, from deep learning, to higher resolution, or to use with a variety of sensors, such as color, black-and-white or night vision cameras, temperature sensors or microphones. “We can literally include any sensor requested by the market,” says Lausten. The new camera can also be used for age analysis, crowd management or traffic analysis. It can even be used for fire or biohazard detection, incorporating thermal sensors and deep learning. MOBOTIX have added to their legacy of video with a next generation platform Partnerships MOBOTIX developed its new platform in conjunction with Konica Minolta, which owns a majority share of the German manufacturer. The combined knowledge of the two companies created the new platform, with most of the engineering done in Germany. Konica Minolta provided an object detection algorithm, for example, and deep learning capabilities that are being used with the cameras. The two companies are also developing the business together. “They are rolling out our technology on their website throughout the world,” says Lausten. “We are basically part of a global development organisation.” MOBOTIX developed its new platform in conjunction with Konica Minolta The new platform is also completely compatible with legacy MOBOTIX systems: “We have added what we need to what we have,” says Lausten. Cybersecurity is a top priority for MOBOTIX. “With our camera, everything is under our control, every single line of code, and we do all the penetration testing and everything is safe,” says Sprave. In fact, MOBOTIX won the French "Trophée de la Sécurité 2019" Gold Award in the cybersecurity category for the MOBOTIX Cactus Concept, which refers to the fact that all the modules in the MOBOTIX system have “digital thorns” that protect them from unauthorized access. End-to-end encryption is used with no blind spots. Driven by cybersecurity Stronger cybersecurity and a focus on edge devices makes MOBOTIX inherently more cybersecure than a system of networked low-cost cameras, each of which could present a possible cyber-vulnerability. Stronger cybersecurity and a focus on edge devices makes MOBOTIX inherently more cybersecure The flexibility of the MOBOTIX platform expands its utility beyond security to include broader business functions. For example, the same camera that can detect criminals with face recognition can track where people are moving in a retail store, and even analyse age or demographics of customers to track buying patterns. “Cameras are required to think and process at the edge, and that is where we see a lot of focus going, driven by cybersecurity,” Lausten says. Lausten sees opportunity for even faster growth in the U.S. market, where they already have 30 or 40 partners. In the near term, there will be large opportunities provided by the U.S. trend toward “Chinese skepticism,” and cybersecurity concerns that have plagued the lower-cost Chinese imports. MOBOTIX products are proudly “Made in Germany.”

ATMs provide convenience for bank customers, but they have vulnerabilities

Most customers interface with their financial institutions using automated teller machines (ATMs), which have security issues. However, there are solutions available to combat all current security threats, and the cost of protection is coming down. The ATM industry is therefore in a position to minimise losses, while ensuring consumers continue to get the vital cash they need to lead their daily lives. It is important for the ATM industry to constantly innovate to meet new security challenges. So what innovations are we going to see in the next five years? Contactless technology Contactless technology will be a great help against ATM skimming, in which criminals steal personal information at ATM machines. Contactless is already being used in some European countries, and the number is increasing. Not having to insert a card into the ATM removes the opportunity to trap cards and also gets around the problem of “foreign” devices installed to read cards. So contactless technology, which some saw as the end of cash, can help make ATMs and cash more secure. Data capture form to appear here! Not having to insert a card into the ATM removes the opportunity to trap cards Biometrics are certain to be used increasingly to bolster ATM security. Finger, palm, vein, iris and facial recognition all have potential in this respect. Any of these may in the future be used with or without cards, PINs and one-time codes. Speed of operation in relation to biometrics could ultimately govern their use at ATMs. There may also be privacy issues that need to be addressed. The ATM vestibule environment must add security with proper security and surveillance equipment. ATM vestibules, or lobbies, are installed for many good reasons. For one, more convenient, 24/7 locations equals better customer retention for a bank, offering comfort and convenience. 24/7 access to ATMs, night drops, coin counters, online banking kiosks, and other self-service solutions are very much in demand. Second, ATM vestibules protect customers from inclement weather and provide a more comfortable banking environment (however, vagrancy can be an issue; therefore ATM vestibules should require card access). Security and surveillance solutions can’t just be for show. ATMs and crime A new crime wave is hitting automated teller machines (ATMs); the common banking appliances are being rigged to spit out their entire cash supplies into a criminal’s waiting hands. The common banking appliances are being rigged to spit out their entire cash supplies into a criminal’s waiting hands The crime is called “ATM jackpotting” and has targeted banking machines located in grocery shops, pharmacies and other locations in Taiwan, Europe, Latin America and the United States. Rough estimates place the total amount of global losses at up to $60 million. The protection of ATMs ATMs in supermarkets and pharmacies tend to be targeted because they may not be as well-protected, and store personnel likely would not know who is authorised to work on the ATM. In contrast, anyone approaching an ATM at a bank location would be more likely to be challenged. ATM jackpotting originated back in 2010 when Barnaby Jack, a New Zealand hacker and computer expert, demonstrated how he could exploit two ATMs and make them dispense cash on the stage at the Black Hat computer security conference in Las Vegas. Since then, malware has been created and made available on the “Dark Web” that can instruct an ATM to dispense all its cash on demand. ATM jackpotting ATM jackpotting is a combination of a physical crime and a cyberattack ATM jackpotting is a combination of a physical crime and a cyberattack. Typically, a criminal with a fake ID enters a grocery shop or pharmacy posing as an ATM technician, then uses a crowbar to open the top of the ATM – the “top hat” – to gain access to the personal computer that operates the machine. Once he or she has access to the PC, they remove the hard drive, disable any anti-virus software, install a malware program, replace the hard drive and then reboot the computer. The whole operation takes about 30 seconds. The malware then enables the thief to remotely control the ATM and direct it to dispense all its cash on command. If a legitimate customer approaches the machine in the meantime, it can operate as usual until activated otherwise by the malware. Catch up on part one and part two of our banking security mini series.