Jerry Sto. Tomas, Chief Information Security Officer at Allergan, discussed IT security and steps that organizations can take to bolster their security levels during his presentation at the 2015 Chief Information Officer Leadership Forum in Los Angeles on Feb. 10. In his presentation, Sto. Tomas noted that IT security controls must be aligned with an organization’s goals.
Cloud Security: A Vendor Risk Management Perspective
1. Jerry Sto. Tomas, CISM, CISSP
Global Information Security Officer
Allergan, Inc.
2. Allergan currently employs 100 external solutions to support critical business functions. This number is growing by 50% in 2011. A consistent solution lifecycle process has not been used for 60% of them. An audit finding has confirmed that significant business risk exists for external solutions. Gaps and variations in current processes make comprehensive review impossible without additional resources.
IS Team - Mini Kaizen
January 13, 2011
3. Architecture Review: Technical Assessment
• assures the solution’s agility, reliability, scalability, and alignment to IT standards
• assures vendor has contingency measures and incident management
Vendor Due Diligence: Vendor Assessment
• assures vendor’s ability to maintain confidentiality and integrity of company data
• assures quality or availability of service
Vendor Management: Periodic Audit
• re-assessment for expanded services
• re-assessment and audit based on vendor’s risk profile (e.g., high-value data, regulated, or core business)
• review of provider certifications and 3rd party audit reports
Off-boarding
• transfer of company data
• verification of data destruction by vendor
Financial Viability
• assessment of the vendor’s financial strength to remain in business
Contract Management
• Security and Privacy amendments
• confirm sufficiency of confidentiality clause, right to audit, breach notification, and liability limitations
4. What | How | By Whom
Business Owner | Preliminary Vendor Risk Assessment survey | Business Owner
Architecture Review | Architecture Questions for Application & Service Provider, sent to vendor to complete; then a phone call/meeting occurs | EA / Security
Architecture Review | Cloud Architecture and Security Evaluation report, sent to project team providing “final score” | EA / Security
Due Diligence | Evaluate business and regulatory risk posed by vendor (VERMA); subjective but informed decision | Security
Due Diligence | Where it fits, rely on industry certifications (ISO standards, PCI) provided by vendor; for example, a PCI AOC if the vendor relationship involves credit cards | Security
Due Diligence | Where no certification is available or can be relied upon, perform due diligence by completing (in VERMA): IT General Controls Review; SSAE16 Report Review; Security & Privacy Review; GxP Regulatory Review. Which review is performed depends on the business and regulatory risk assessed | Security
Due Diligence | Feedback to project team (via email; VERMA is printed if requested) | Security
5. Collaboration and Partnership
IT Groups, Sourcing, Legal
Socialize the Process
C-suite and Board of Directors
IT Business Relationship Managers (R&D, Commercial, Manufacturing, Corporate)
Policies and Standards
Finance and Accounting Global Policy
Any IT and Cloud Computing transaction must require IT Approval
IT Policy
IT Business Relationship Managers and Site Managers accountability
Executed On-Boarding Process in the US (Retroactively and Proactively)
250+ Vendors in Inventory, 150+ Architecture Reviews, 140+ Contract Addenda re-negotiated/signed
8. Forge Partnerships
◦ General Counsel
Enforcement of Security and Privacy Addendum
Education of Contract Management Group (i.e., Paralegals)
◦ Sourcing
Sales & Marketing service providers (usual culprits)
◦ Finance and Accounting (and IT)
Enforcement of policy
◦ Internal Audit
Test effectiveness of process controls
9. Streamline and Automate Due Diligence Process
◦ Risk-based approach
◦ Onsite due diligence vs. SSAE 16 or 3rd party audit reports
◦ Internal risk grading vs. 3rd Party risk grading service
Integration of the entire workflow into enterprise GRC software
Challenges
◦ Mobile Application + 3rd Party Service Provider
Multiple due diligence
◦ How about 4th Party Service Provider?
Contractual obligations
10. Enabling Privacy and Security
◦ Shared, well-understood business goals
◦ Platform and Technology
IAM, Encryption, Secure FTP/Web, Disaster Recovery
◦ Security Management and Controls
Security Architecture Standards
Vulnerability scanning of 3rd party hosted website
◦ Contracts and Service Level Agreements
Security Addendum in Contracts
◦ Due Diligence Assessment
Vendor assessment and certification
Each vendor type is NOT the same
◦ ASP, SaaS, PaaS, IaaS will have different sets of process and technology controls