The ongoing challenge of IT and data risk management

Download PDF version

Managing IT and data risk is a challenging job. When we outsource our IT, applications and data processing to third-parties more and more every day, managing that risk becomes almost impossible. No longer are our data and systems contained within an infrastructure that we have full control over. We now give vendors our data, and allow them to conduct operations on our behalf.

The problem is, we don’t control their infrastructure, and we can never fully look under the hood to understand and vet their ability to protect our data and operations. We have to fully understand how important this issue is, and ensure we have the right governance, processes and teams to identify and mitigate any risks found in our vendors. No longer are our data and systems contained within an infrastructure that we have full control over

Today, everything is connected. Our own networks have Internet of Things (IoT) devices. We have VPN connections coming in, and we aren’t always sure who is on the other end of that connection. It is a full-time job just to get a handle on our own risk. How much harder, and how much larger should our teams and budgets be, to truly know and trust that our vendors can secure those devices and external connections?

For every device and application we have internally, it is very difficult to even keep an accurate inventory. Do all of our vendors have some special sauce that allows them to overcome the traditional challenges of securing internal and vendor-connected networks? They are doing the same thing we are – doing our best with the limited human and financial resources allocated by our organisation.

Risk stratification and control objectives

The benefits of outsourcing operations or using a vendor web application are clear. So how can we properly vet those vendors from an IT risk perspective?

The very first thing we need to put in place is Risk Stratification. Risk Stratification presents a few targeted questions in the purchasing process. These questions include – what type of data will be shared? How much of this data? Will the data be hosted by a vendor? Will this hosting be in the US or offshored? Has the vendor ever had a data breach? These questions allow you to quickly discern if a risk assessment is needed and if so, what depth and breadth. Risk stratification allows you to make decisions that not only improve your team’s efficiency, but also ensure that you are not being a roadblock to the business

Risk stratification allows you to make decisions that not only improve your team’s efficiency, but also ensure that you are not being a roadblock to the business. With risk stratification, you can justify the extra time needed to properly assess a vendor’s security.

And in the assessment of a vendor’s security, we have to consider what control objectives we will use. Control objectives are access controls, policies, encryption, etc. In healthcare, we often use the HITRUST set of control objectives. In assessing against those control objectives, we usually use a spreadsheet.

Today, there are many vendors who will sell us more automated ways to get that risk assessment completed, without passing spreadsheets back and forth. These solutions are great if you can get the additional budget approved.

Multi-factor authentication

Even if we are using old-fashioned spreadsheets, we can ensure that the questions asked of the vendor include a data flow and network/security architecture document. We want to see the SOC2 report if they are hosting their solution in Amazon, etc. If they are hosting it within their own datacentre, we absolutely want to see a SOC2 Type II report. If they haven’t done that due diligence, should that be a risk for you?

Today, we really need to be requiring our vendors to have multi-factor authentication on both their Internet-facing access, as well as their privileged internal access to our sensitive data. I rate those vendors who do not have this control in place as a high risk. We’ve recently seen breaches that were able to happen because the company did not require administrators or DBAs to use a 2-factor authentication into sensitive customer data sources.

In the assessment of a vendor’s security, one has to consider what control objectives to use

This situation brings up the issue of risk acceptance. Who in your organisation can accept a high risk? Are you simply doing qualitative risk assessment – high, medium and low risks? Or are you doing true quantitative risk analysis? The latter involves actually quantifying those risks in terms of likelihood and impact of a risk manifesting, and the dollar amount that could impact your organisation.

So is it a million dollars of risk? Who can accept that level of risk? Just the CEO? These are questions we need to entertain in our risk management programs, and socialised within your organisation.

This issue is so important – once we institute risk acceptance, our organisation suddenly starts caring about the vendors and applications we’re looking to engage. If they are asked to accept a risk without some sort of mitigation, they suddenly care and think about that when they are vetting future outsourced solutions. Quantitative risk analysis involves quantifying risks in terms of likelihood and impact of a risk manifesting

Risk management process

In this discussion, it is important to understand how we think of, and present, the gaps we identify in our risk management processes. A gap is not a risk. If I leave my front door unlocked, is that a control gap or a risk? It is a gap – an unlocked door. What is the risk?

The risk is the loss of property due to a burglary or the loss of life due to a violent criminal who got in because the door was unlocked. When we present risks, we can’t say the vendor doesn’t encrypt data. The risk of the lack of encryption is fines, loss of reputation, etc. due to the breach of data. A gap is not a risk.

Once we’ve conducted our risk analysis, we must then ensure that our contracts protect our organisation? If we’re in healthcare, we must determine if the vendor is, in fact, a true HIPAA Business Associate, and if so we get a Business Associate Agreement (BAA) in place. I also require my organisation to attach an IT Security Amendment to these contracts. The IT Security Amendment spells out those control objectives, and requires each vendor to sign off on those critical controls. We are responsible for protecting our organisation’s IT and data infrastructure – today that often means assessing a 3^rd-party’s security controls

One final note on risk assessments – we need to tier our vendors. We tier them in different ways – in healthcare a Tier 1 vendor is a vendor who will have our patient information on the Internet. Tiering allows us to subject our vendors to re-assessment. A tier 1 vendor should be re-assessed annually, and may require an actual onsite assessment vs. a desk audit. A tier 2 vendor is re-assessed every 2 years, etc.

We are responsible for protecting our organisation’s IT and data infrastructure – today that often means assessing a 3^rd-party’s security controls. We must be able to fully assess our vendors while not getting in the way of the business, which needs to ensure proper operations, financial productivity and customer satisfaction. If we truly understand our challenge of vendor risk management, we can tailor our operations to assess at the level needed, identify and report on risks, and follow-up on any risks that needed mitigated.

Download PDF version

Author profile

Randall Frietzsche Distinguished Fellow, Information Systems Security Association (ISSA)

Randall Frietzsche is the Enterprise CISO for Denver Health. Randall has been a leader in IT Security for ten years, with 15 years in IT Security and over 20 years in Information Technology. He is a Distinguished Fellow with the Information Systems Security Association (ISSA.) Randall holds a Master’s Degree in Information Security, the CISSP and 25 other Security, IT and other technical certifications. He teaches cybersecurity both for Harvard University and Ivy Tech State College. He is a former law enforcement officer, and a recent graduate of the FBI Citizen’s Academy. Randall is a frequent speaker, writer, teacher and mentor.

Related companies
Information Systems Security Association (ISSA)

View all news from
Information Systems Security Association (ISSA)

Related links
Articles by Randall Frietzsche

In case you missed it

Artificial Intelligence: A new weapon in the cyber security arms race

The cyber security threat is constant and real. Entire businesses, large enterprises and even whole cities have been vulnerable to these attacks. Growing threat of cyber attacks The threat is not trivial. Recently, two cities in Florida hit by ransom ware attacks – Rivera Beach and Lake City – opted to capitulate and pay ransom totaling more than $1.1 million to hackers. The attacks had disrupted communications for first responders and crippled online payment and traffic-ticketing systems. It was reminiscent of the $4 billion global WannaCry attacks on financial and healthcare companies. A full two years after the WannaCry attack, many of the hundreds of thousands of computers affected remain infected. And hackers are continuously devising new techniques, adapting the latest technology innovations including machine learning and artificial intelligence to devise more destructive forms of attack. Indeed, AI promises to become the next major weapon in the cyber arms race. For enterprises, there is no choice but to recognise the threat and adopt effective countermeasures Enterprise security For enterprises, there is no choice but to recognise the threat and adopt effective countermeasures. Not surprisingly, as the number, scale and sophistication of cyber-attacks has grown, so has the significance of the Chief Information Security Officer, or CISO, who owns the responsibility of sounding the alarm to the C-suite and the board – and recommending the best defense strategies. Consider it a grim irony of the digital economy. As companies have migrated to the cloud to gain scale and efficiency and integrated new channels and touch points to make it easier for their customers and suppliers to do business with them, they have also created more potential points of entry for cyber-attacks. IoT increases threat of cyber-attacks Amplifying that vulnerability is the trend of allowing employees to bring their own laptops, smartphones and other digital devices to the office or use to work remotely. And thanks to the Internet of Things, as more devices connect to enterprise systems – from thermostats to cars – the threat surface or targets of intrusion are multiplying exponentially. According to the McAfee Labs 2019 Threats Predictions Report, hackers will increasingly turn to AI to help them evade detection and automate their target selection. Companies will have no choice but to begin adopting AI defenses to counter these cybercriminals. Importance of cyber security This escalation in the cyber arms race reflects the sheer volume of data and transactions in modern life. In businesses like financial services and healthcare it is not humanly possible to examine every transaction for anomalies that might signal cyber snooping. Even when oddities are glimpsed, simply flagging potential problems can create so-called threat fatigue from endless false alarms. What’s more, attacks like those from Trickbots are specifically designed to go undetected by end users. The fact is, even if throwing more people at the problem were a solution, there aren’t enough skilled cyber security workers in the world. By some estimates, as many as 10 million cyber security jobs now go unfilled. AI is being used to conduct predictive analysis at a scale beyond human means Deploying AI As a result, AI is being deployed on multiple cyber-defense fronts. So far, it is mainly being used to conduct predictive analysis at a scale beyond human means. AI programs can sift through petabytes of data, identifying anomalies and even helping an organisation recognise and diagnose intrusions before they turn into catastrophic attacks. AI can also be used to continually monitor and allocate levels of access to a network’s multitude of legitimate users – whether employees, customers, partners or suppliers – to ensure that all parties have the access they need, but only the access they need. Countering cyber security threats To harden defenses, some AI programs can be configured to perform simulated war games To harden defenses, some AI programs can be configured to perform simulated war games. Because cyber attackers have stealth on their side, organisations might need dozens of experts to counter only a handful of attackers. AI can help even the odds, scoping out the potential permutations of vulnerabilities. As CISOs – and the CIOs they typically report to – advise C-suites and boards on their growing cybersecurity risk, they can also help those leaders recognize an enduring truth: AI programs cannot replace experienced cybersecurity professionals. But the technology can make staff smarter, more vigilant and more nimbly responsive. AI-based cyber security tools Financial and healthcare companies are leading this charge because of the sheer volume and variety of transactions they handle and because of the value and sensitivity of the data. Organisations like the U.S. Department of Defense and the space agency NASA, as well as governments around the world are also implementing AI-based tools to address the cyber threat. For businesses of all types, the threat stretches from the back office to the supply chain to the store front. That is why recognising and countering that threat must involve everyone from the CISO to the CEO to the Chairman of the Board. The AI arms race is underway in security. To delay joining it is to risk letting your enterprise become one of the grim statistics.

Could hackable automobiles result in a large-scale disaster?

Some of the electronic features we all love in our new cars depend on a connection to the Internet. But what are the cybersecurity risks involved in that connection? Could a widespread cyberattack turn our cars into deathtraps and create a traffic catastrophe on the scale of 9/11? That’s the scenario described in a report from the nonprofit group Consumer Watchdog, which warns that a fleet-wide cyberattack at rush hour could result in a 9/11-style catastrophe with approximately 3,000 deaths. The organisation recommends that automobile manufacturers install a ‘kill switch’ that would disconnect a vehicle from the Internet in an emergency to mitigate the threat. Protecting transportation system Automakers are keeping the public in the dark as they market new features based on Internet connections"Consumer Watchdog contends that the vulnerability of automotive computer systems, and the possibility of a cyberattack, has been communicated privately to investors but not widely to consumers. “Automakers are keeping the public in the dark as they market new features based on Internet connections,” says Consumer Watchdog. “Connecting safety-critical systems to the Internet is an inherently dangerous design,” says Jamie Court, President of Consumer Watchdog. “American car makers need to end the practice or Congress must step in to protect our transportation system and national security.” Future designs should completely isolate safety-critical systems from infotainment systems connected to the Internet or other networks, according to Consumer Watchdog. By 2022, at least two-thirds of new cars on American roads will have online connections to the cars’ safety-critical systems, putting them at risk of deadly hacks. Updating vehicle software over-the-air One economic motive of connecting vehicles to the Internet is the ability of car manufacturers to update vehicle software over-the-air rather than having to recall a vehicle. Systems also enable collection of valuable data on how fast a car owner drives or where he/she shops. Security-critical components inside cars are driven by ‘black boxes’ that may contain software of questionable origin Security-critical components inside cars are driven by ‘black boxes’ that may contain software of questionable origin. Software may be written by third parties and/or include contributions from hundreds or thousands of different authors around the world, with little accountability for flaws. The ability to update software ‘over the air’ without touching the vehicles lets automakers cover up safety problems and sloppy testing practices, contends Consumer Watchdog. “Allowing consumers to physically disconnect their cars from the Internet and other wide-area networks should be a national security priority,” says Court. “If a 9/11-like cyber-attack on American cars were to occur, recovery would be difficult because there is currently no way to disconnect our cars quickly and safely. The nation’s transportation infrastructure could be gridlocked for weeks or months. Mandatory ‘kill switches’ would solve the problem.” Understanding the risks of connected cars In addition to more attention to cybersecurity, there also needs to be more transparency to enable consumers to understand what is at risk and the choices they make. For example, a group of more than 20 car industry engineers and insiders helped to prepare the Consumer Watchdog report, but many of them remained anonymous for fear of losing their jobs. Consumers have a right to understand the risks they are taking and how they can minimise them. In the Internet of things, cybersecurity dangers extend to almost every device in the connected world, from cars to smartphones to medical devices. Increasingly, we will be asked to weigh the convenience of cranking our car with a smartphone, for example, against the possible risk in the form of vulnerability to cyberattack.

Products targeting critical infrastructure include video and intelligent solutions

Intelligent solutions, such as those derived from artificial intelligence, help critical infrastructure organisations make sense of vast amounts of data. These integrated applications, such as advanced video analytics and facial recognition, can automatically pinpoint potential breaches and significant events, and send alerts to the appropriate personnel, departments, and agencies. These solutions can be powerful in unifying disparate command centre technologies, fusing critical data input from emergency calls and responder activity to enhance situational awareness. Electrical substations are particularly vulnerable (and in need of extra security) due to their role in power distribution and the nature of their equipment. The challenge power utilities worldwide are facing is finding an affordable solution, which can help detect, deter and facilitate an informed response to a substation security event. Data capture form to appear here! U.S. regulations In the United States, this need is furthered by the physical security mandate CIP-014 issued by the North American Electric Reliability Corporation (NERC), calling for identification of security issues, vulnerability assessments and deployment of appropriate processes and systems to address. CIP-014 identification of security issues, vulnerability assessments and deployment of appropriate processes and systems to address CIP-104 specifically calls for implemented security plans that include measures to deter, detect, delay, assess, communicate, coordinate and respond to potential physical threats and vulnerabilities. Manufacturers of video and other systems are designing products to serve the critical infrastructure market. For example, Dahua Technology offers explosion-proof cameras with a combination of rugged reliability and superior optics that is a fit for surveillance of explosive and corrosive environments, including chemical plants, refineries, and other facilities in the oil and gas industry. This explosion-proof series of cameras are housed in enclosures that are certified to the ATEX and IECEx standards for equipment in explosive atmospheres. Each explosion-proof camera features Dahua’s Starlight technology for ultra low-light sensitivity and high-definition sensors that deliver clear images in real-time. They are IP68-rated to prevent water and dust ingress. Each explosion-proof camera features Dahua’s Starlight technology for ultra low-light sensitivity and high-definition sensors that deliver clear images in real-time Video footage in extreme temperatures Another manufacturer, Videotec, offers a range of cameras and housings that provide video footage regardless of aggressive external factors, such as ice cold, scorching heat, desert sand, the force of sea or wind, total darkness, pollution, corrosion and even explosive agents. SightSensor thermal systems enable a utility to detect and respond to substation security incidents across multiple sitesSightLogix smart thermal camera systems have been deployed to protect substations for electric utilities and other critical infrastructure facilities. SightSensor thermal systems enable a utility to detect and respond to substation security incidents across multiple sites, ranging from copper theft to vandalism while also meeting regulatory compliance. At each substation facility, Thermal SightSensors are positioned along the perimeter, and are paired with a high-resolution pan-tilt-zoom camera for alarm assessment. When a Thermal SightSensor detects an intruder, the target’s location information is sent over the network to a SightTracker PTZ controller, which automatically zooms and steers PTZ cameras to follow the intruder. The target’s location is also displayed on a topology site map to provide real-time situational awareness. Alarms are sent to the utility’s 24-hour security operations centre, which will contact law enforcement in real time when unauthorised intrusions are detected. Integrated intrusion detection and lighting systems The Senstar LM100 hybrid perimeter intrusion detection and intelligent lighting system is simplifying security at one U.S. electrical utility company. For years, the utility company had integrated its perimeter intrusion detection and lighting systems. The company has now installed the Senstar LM100 which provides detection and lighting in one product and saves them over $80,000 per site. The savings are a result of the reduction of electrical requirements, conduit, grounding, and associated labor, as well as the removal of certain equipment from project scope that are required for the two-system integration. The Senstar LM100’s perimeter LED-based lighting acts as an initial deterrent. If an intruder persists and an attempt to cut, climb or otherwise break through the fence is detected, the closest luminaire begins to strobe, and an alert is sent via a security management system. The intruder knows immediately they have been detected and that their exact location is known by security and others in the vicinity.