Randall Frietzsche
Download PDF version
Related Links

Managing IT and data risk is a challenging job. When we outsource our IT, applications and data processing to third-parties more and more every day, managing that risk becomes almost impossible. No longer are our data and systems contained within an infrastructure that we have full control over. We now give vendors our data, and allow them to conduct operations on our behalf. 

The problem is, we don’t control their infrastructure, and we can never fully look under the hood to understand and vet their ability to protect our data and operations. We have to fully understand how important this issue is, and ensure we have the right governance, processes and teams to identify and mitigate any risks found in our vendors. No longer are our data and systems contained within an infrastructure that we have full control over

Today, everything is connected. Our own networks have Internet of Things (IoT) devices.  We have VPN connections coming in, and we aren’t always sure who is on the other end of that connection. It is a full-time job just to get a handle on our own risk. How much harder, and how much larger should our teams and budgets be, to truly know and trust that our vendors can secure those devices and external connections? 

For every device and application we have internally, it is very difficult to even keep an accurate inventory. Do all of our vendors have some special sauce that allows them to overcome the traditional challenges of securing internal and vendor-connected networks? They are doing the same thing we are – doing our best with the limited human and financial resources allocated by our organisation.

Risk stratification and control objectives 

The benefits of outsourcing operations or using a vendor web application are clear. So how can we properly vet those vendors from an IT risk perspective? 

The very first thing we need to put in place is Risk Stratification. Risk Stratification presents a few targeted questions in the purchasing process. These questions include – what type of data will be shared? How much of this data? Will the data be hosted by a vendor? Will this hosting be in the US or offshored? Has the vendor ever had a data breach? These questions allow you to quickly discern if a risk assessment is needed and if so, what depth and breadth.  Risk stratification allows you to make decisions that not only improve your team’s efficiency, but also ensure that you are not being a roadblock to the business

Risk stratification allows you to make decisions that not only improve your team’s efficiency, but also ensure that you are not being a roadblock to the business. With risk stratification, you can justify the extra time needed to properly assess a vendor’s security. 

And in the assessment of a vendor’s security, we have to consider what control objectives we will use. Control objectives are access controls, policies, encryption, etc. In healthcare, we often use the HITRUST set of control objectives. In assessing against those control objectives, we usually use a spreadsheet. 

Today, there are many vendors who will sell us more automated ways to get that risk assessment completed, without passing spreadsheets back and forth. These solutions are great if you can get the additional budget approved. 

Multi-factor authentication 

Even if we are using old-fashioned spreadsheets, we can ensure that the questions asked of the vendor include a data flow and network/security architecture document.  We want to see the SOC2 report if they are hosting their solution in Amazon, etc. If they are hosting it within their own datacentre, we absolutely want to see a SOC2 Type II report. If they haven’t done that due diligence, should that be a risk for you? 

Today, we really need to be requiring our vendors to have multi-factor authentication on both their Internet-facing access, as well as their privileged internal access to our sensitive data. I rate those vendors who do not have this control in place as a high risk. We’ve recently seen breaches that were able to happen because the company did not require administrators or DBAs to use a 2-factor authentication into sensitive customer data sources. 

data risk hospital security HITRUST
In the assessment of a vendor’s security, one has to consider what control objectives to use

This situation brings up the issue of risk acceptance. Who in your organisation can accept a high risk? Are you simply doing qualitative risk assessment – high, medium and low risks? Or are you doing true quantitative risk analysis? The latter involves actually quantifying those risks in terms of likelihood and impact of a risk manifesting, and the dollar amount that could impact your organisation.  

So is it a million dollars of risk? Who can accept that level of risk? Just the CEO? These are questions we need to entertain in our risk management programs, and socialised within your organisation. 

This issue is so important – once we institute risk acceptance, our organisation suddenly starts caring about the vendors and applications we’re looking to engage.  If they are asked to accept a risk without some sort of mitigation, they suddenly care and think about that when they are vetting future outsourced solutions. Quantitative risk analysis involves quantifying risks in terms of likelihood and impact of a risk manifesting

Risk management process 

In this discussion, it is important to understand how we think of, and present, the gaps we identify in our risk management processes. A gap is not a risk. If I leave my front door unlocked, is that a control gap or a risk? It is a gap – an unlocked door. What is the risk? 

The risk is the loss of property due to a burglary or the loss of life due to a violent criminal who got in because the door was unlocked. When we present risks, we can’t say the vendor doesn’t encrypt data. The risk of the lack of encryption is fines, loss of reputation, etc. due to the breach of data. A gap is not a risk. 

Once we’ve conducted our risk analysis, we must then ensure that our contracts protect our organisation? If we’re in healthcare, we must determine if the vendor is, in fact, a true HIPAA Business Associate, and if so we get a Business Associate Agreement (BAA) in place. I also require my organisation to attach an IT Security Amendment to these contracts. The IT Security Amendment spells out those control objectives, and requires each vendor to sign off on those critical controls. We are responsible for protecting our organisation’s IT and data infrastructure – today that often means assessing a 3rd-party’s security controls

One final note on risk assessments – we need to tier our vendors. We tier them in different ways – in healthcare a Tier 1 vendor is a vendor who will have our patient information on the Internet. Tiering allows us to subject our vendors to re-assessment. A tier 1 vendor should be re-assessed annually, and may require an actual onsite assessment vs. a desk audit. A tier 2 vendor is re-assessed every 2 years, etc.

We are responsible for protecting our organisation’s IT and data infrastructure – today that often means assessing a 3rd-party’s security controls. We must be able to fully assess our vendors while not getting in the way of the business, which needs to ensure proper operations, financial productivity and customer satisfaction. If we truly understand our challenge of vendor risk management, we can tailor our operations to assess at the level needed, identify and report on risks, and follow-up on any risks that needed mitigated.

Share with LinkedIn Share with Twitter Share with Facebook Share with Facebook
Download PDF version

Author profile

Randall Frietzsche
Randall Frietzsche Distinguished Fellow, Information Systems Security Association (ISSA)

Randall Frietzsche is the Enterprise CISO for Denver Health.  Randall has been a leader in IT Security for ten years, with 15 years in IT Security and over 20 years in Information Technology.  He is a Distinguished Fellow with the Information Systems Security Association (ISSA.)  Randall holds a Master’s Degree in Information Security, the CISSP and 25 other Security, IT and other technical certifications.  He teaches cybersecurity both for Harvard University and Ivy Tech State College.  He is a former law enforcement officer, and a recent graduate of the FBI Citizen’s Academy.  Randall is a frequent speaker, writer, teacher and mentor.

Related videos

ADT takes commercial security to the next level

ADT takes commercial security to the next level
March Networks Corporations' Insight monitoring and resolution service

March Networks Corporations' Insight monitoring and resolution service
IDIS announces to share happy moments to create a better world

IDIS announces to share happy moments to create a better world

In case you missed it

Honeywell embracing AI, reinvesting in video portfolio
Honeywell embracing AI, reinvesting in video portfolio

Coming off a successful ISC West show, Honeywell is sharply focussed on product development, with an emphasis on advanced software. “We have a strong new product pipeline this year – more than two times the number of products than we’ve released in the past several years,” says Luis Rodriguez, Director of Product Marketing, Honeywell Commercial Security. “At ISC West, we received a lot of interest in how AI and new security systems are changing the market.” Although uses for AI are still emerging in security, Honeywell sees an important role for AI in building a connected system to ensure the safety and security of a building, and more importantly, its occupants. AI allows end users to go beyond monitoring activity on a surface level to really understand the scene – from who exactly is in the area to what they might be doing. As more data is processed over time, AI will continue to build on its learnings to help deliver a more accurate assessment of potential threats each time. Machine learning-based analytics End users should explore the use of machine learning-based analytics as machine learning is more advanced than AI-based systems, says Rodriguez. “When speaking to dealers and integrators, end users should also inquire about the detection accuracy of systems that use AI or machine learning technology, particularly around false positives and negatives.” Honeywell seeks to develop integrated security systems that provide the earliest detection “Additionally, end users should always ask to conduct site testing so to understand how well-suited the machine learning-based system is to the particular user’s native environment,” adds Rodriguez. “The testing will help identify the exact needs of their site.” Honeywell is reinvesting in its video portfolio, both in hardware and software innovation, as well as partnering with the top experts in the IT and education industries to stay ahead of customer demand. Honeywell seeks to develop integrated security systems that provide the earliest detection, enable the fastest response, centralise decision making, and allow customers to manage it all from anywhere. Solutions for vertical markets Honeywell Commercial Security is focussed on supporting vertical markets that have specific security needs such as education, banking and finance, and pharma. Each has unique nuances that call for tailored security approaches. “As Honeywell continues to develop its suite of security solutions for the future and identify personalised systems for each vertical, AI such as analytics, deep learning and facial recognition will play an integral role during research and testing,” says Rodriguez. Honeywell is developing video and audio analytics technology capable of studying crowd behaviour as well as detecting guns, gunshots An example is the education market, where eliminating human delay in reporting potential threats to law enforcement and creating faster systems that help omit single-point failures are key to protecting schools and ensuring students’ safety. To address those challenges, Honeywell is developing video and audio analytics technology capable of studying crowd behaviour as well as detecting guns, gunshots and fights, says Bruce Montgomery, Business Development Manager, Honeywell Commercial Security. Testing technology for sports security The software is able to visualise, automate planning, design and efficiency analysis of a video surveillance system"A partnership with University of Southern Mississippi’s National Center for Spectator Sports Safety and Security (NCS4) is testing technology such as MaxPro Video, Pro-Watch Access Control and UNP Mass Notification in the National Sport Security Laboratory and in connected real-world environments. “The analytics data gathered from these environments will help inform future security innovations,” says Montgomery. Another Honeywell partnership is with JVSG, whose CCTV Design Software offers a new way to design more affordable and higher quality video surveillance systems. Integrators and distributors are now able to add a range of models from Honeywell’s portfolio of Performance Series IP Cameras into their system design from the software’s database. “The software is able to visualise, automate planning, design and efficiency analysis of a video surveillance system,” says Jeremy Kimber, Director of Enterprise Global Product Management, Honeywell Security and Fire. The program is used by more than 7,000 CCTV designers in more than 130 countries around the world and is downloaded more than 60,000 times every year.

How does terrorism impact the security market?
How does terrorism impact the security market?

Statistically speaking, incidents of terrorism are unlikely to impact most businesses and institutions. However, the mere possibility of worst-case-scenario attacks is enough to keep security professionals awake at night. Compounding the collective anxiety is the minute-by-minute media coverage when an attack does occur. The immediacy of the shared experience of global tragedy impacts us all – including security system decision-makers. We asked this week’s Expert Panel Roundtable: How is the rise in terrorism impacting the physical security market?

Looking to the future with edge computing
Looking to the future with edge computing

Edge devices (and edge computing) are the future. Although, this does seem a little cliché, it is the truth. The edge computing industry is growing as quickly as technology can support it and it looks like we will need it to. IoT global market The IoT (Internet of Things) industry alone will have put 15 billion new IoT devices into operation by the year 2020 according to a recent Forbes article titled, “10 Charts That Will Challenge Your Perspective of IoT’s growth”. IoT devices are not the only edge devices we have to deal with as the total number of connected edge devices includes the likes of devices like security devices, phones, sensors, retail sales devices, and industrial and home automation devices. The IoT (Internet of Things) industry alone will have put 15 billion new IoT devices into operation by the year 2020 The sheer number of devices begins to bring thoughts of possible security and bandwidth implications into perspective. The amount of data that will need to be passed and processed with all of these devices will be massive. There needs to be consideration taken by all business owners and automation engineers into how this amount of data and processing will be conducted. Ever-expanding edge devices market As the number of edge devices in the marketplace and their use among consumers and businesses rises, the need to be able to handle the data from all of these devices is no longer going to be suitable for central server architectures. We are talking about hundreds of billions and even trillions of devices. According to IHS Markit researchers’ study, there were 245 million CCTV cameras worldwide. One has to imagine there are at least 25% of that many access control devices (61.25 million devices) based on a $344 million market cap also calculated by IHS Markit’s researchers. If all the other edge devices mentioned earlier are considered then one can see that trying to route them all through servers for processing is going to start to become difficult if it hasn’t already, -which arguably it already has, as is evidenced by the popularity of cloud-based solutions amongst those businesses that already use a lot of edge devices or are processing a lot of information on a constant basis. Cloud computing The question is whether cloud computing the most effective and efficient solution as the IoT industry grows The question is this; is cloud computing the most effective and efficient solution as the IoT industry grows and the amount of edge devices becomes so numerous? My belief is that it is not. Taking the example of a $399 USD device that is just larger than the size of a pack of cards and runs a CPU benchmarked at the same level as a mid-size desktop. This device has 8GB RAM and 64GB EMMC built-in and a GPU that can comfortably support a 4K signal at 60Hz with support for NVMe SSDs for add-on storage. This would have been unbelievable five years ago. As the price of edge computing goes down, which it has done in a dramatic way over the last 10 years (as can be seen with my recent purchase), the price to maintain a central server that can perform the processing required for all of the new devices being introduced to the world (due to the low cost of entry for edge device manufacturers) becomes more expensive. This introduces the guarantee that there will be a point where it will be less expensive for businesses, and consumers alike, to do the bulk of their processing at the edge as opposed to in central server architectures. Cloud computing is now being overtaken by edge computing, the method of processing data at the edge of the network in the devices themselves Edge computing There are a plethora of articles discussing and detailing the opposition between the two sides of the computing technology coin, cloud computing and edge computing. The gist of it is that “cloud computing” was the hot new buzzword three years ago and is now being overtaken by “edge computing.” The truth is that cloud computing is a central server architecture hosted at someone else’s location. Edge computing is going to be a necessary development in the technology industry Edge computing is the method of processing data at the edge of the network (in the devices themselves) and allowing for less resources required at a central location. There is certainly a use case for both, however the shift to edge computing amongst the general public and small to mid-sized businesses will not be a surprise to those players, who have been paying attention.  One article titled, “Next Big Thing In Cloud Computing Puts Amazon And Its Peers On The Edge” by Investor’s Business Daily takes the stance that edge computing is going to completely displace centralised cloud computing and even coins the phrase, “Cloud computing, decentralised” to explain edge computing. It speaks for the stance that most experts in technology seem to be taking, including Amazon Web Services’ VP of Technology, Marco Argenti according to the same article. We know that edge computing is going to be a necessary development in the technology industry, and it is happening as I write this, and quickly at that. Cost efficiency of edge processing As time goes on, the intersection between the prices of network bandwidth, edge processing and maintaining super powerful central servers will cause edge processing to be the most efficient and cost-effective way to maintain a scalable network in any environment, including datacenters. Owning a central server or utilising edge computing become the better options As it currently stands, most residential users can only achieve a 1Gbps WAN (internet) connection, and small to medium-sized business can’t get much more but seem to get much less, based on my personal experience. When more than 1Gbps needs to be processed, cloud computing becomes very expensive at which point, owning a central server or utilising edge computing become the better options. Then you look a total cost of ownership and when the cost of edge computing is less expensive than the cost of maintaining central server architectures, edge computing becomes the single best option. So, I’ll say it again, edge devices (and edge computing) are the future.

Featured white papers
Why outdated access control systems are a big problem

Why outdated access control systems are a big problem

Download
Five things to consider for AI with video technology

Five things to consider for AI with video technology

Download
OSDP is the strongest access control for your business

OSDP is the strongest access control for your business

Download
More expert commentary
Advanced VMS security solutions take investigations to new heights

Advanced VMS security solutions take investigations to new heights
Changing regulations promote better care of consumer digital privacy

Changing regulations promote better care of consumer digital privacy
Smart home access control growth and the future of door security

Smart home access control growth and the future of door security
Featured products
Dahua Technology 4MP WDR IR Bullet Camera

Dahua Technology 4MP WDR IR Bullet Camera
MEET IP system by FERMAX

MEET IP system by FERMAX
Delta Scientific DSC1500 Beam Barricade

Delta Scientific DSC1500 Beam Barricade
Updated Privacy and Cookie Policy
We have updated our Privacy Policy for GDPR.
We also use cookies to improve your online experience, Cookie Policy