
Boston Third Party Risk Management 2011

CISO EXECUTIVE NETWORK

Third Party Risk Management Breakfast Roundtable

Wednesday, March 16, 2011

8:00 am - 12:00 noon

Bingham McCutchen

Speakers

Beth Boland, Bingham McCutchen

Michael Mettenheimer, Oracle

Kurt Johnson, Courion

Member Discussion Leader

Kevin Hamel, COCC, Inc.

Member Kevin Hamel Discusses Third Party Risk Management

COCC often partners with third-party companies to provide products and services that may not be part of its standard offering. This can range from managed security services, to online banking services, to software development.

“We will engage with a third party to fill a specific need,” says Kevin Hamel, Vice President, Security Officer.

However, the third parties are not all equal when it comes to risk management issues. “For example, the relationship with the company that plows our parking lots does not bear the same degree of risk as the company that provides managed security services,” explains Kevin. “For Gramm-Leach-Bliley Act (GLBA) purposes, we have implemented a framework that allows us to categorize vendors, and therefore, tailor our reviews, based on the type of relationship.” About 40-50 vendors with COCC fall into the review cycle for GLBA.

Kevin says the review process is “home-grown” and driven by one central person, with participation from across the company, including Security. “Drawing from available standards wherever possible, we have derived both a Vendor Security Assessment Questionnaire and an Application Security Assessment Questionnaire. Both of these are intended to document basic features and security capabilities and often lead to additional questions.”

Other departments from the company are brought into the risk assessment process. “Our Finance department provides the financial analysis of a vendor,” Kevin says. “Our product department will provide oversight on the vendor's service aspect. Lastly, our business continuity expert may weigh in as well from a BCP perspective. This represents the core of the review, but we will involve other technical infrastructure teams to lend their expertise to the review as needed. For example, if we are reviewing a vendor offering a solution based on Oracle databases, we may ask our DBAs to weigh in on some aspects of the review.”

Engaging a risk management process is not without its challenges, of course, and Kevin found that in the past his group was brought into the negotiation and evaluation process too late in the game. “That has changed significantly,” Kevin points out. “Our Vendor Management Process is engaged very early on now, and the tools have helped tremendously. Not only are we better able to communicate our expectations to prospective vendors, but we are also able to move through the process more quickly. Today, our biggest hurdle is usually in just getting timely responses from vendors. That is changing as vendors get more accustomed to more rigorous review processes.”

Kevin’s advice to other CISO Executive Network members comes in two parts. First, define a framework to use. Second, engage it early on in the process of on-boarding a vendor. “Once the contract is signed, you effectively have no leverage to get things changed.”

Kevin Hamel is Vice President, Security Officer for COCC. He is responsible for all physical and information security and for corporate risk management. He works with all regulatory agencies to coordinate compliance with applicable laws and manages all corporate security governance.

Attachments

CISO EXECNET BOS MAR 16 TPRM PRESO.pdf (14.09 MB)

Bingham 2011 Regulatory Privacy Developments.pdf (143.19 KB)

Bingham Article.pdf (120.81 KB)