
Columbus Third Party Risk Management 2011

CISO EXECUTIVE NETWORK

Third Party Risk Management Breakfast Series

Wednesday, March 23, 2011

8:00 am - 12:00 noon

Vorys, Sater, Seymour & Pease

Speakers

Benita Kahn, Vorys

Ken Olivolo, Courion

Michael Euripides, Cyveillance

Member Discussion Leaders

S. Jason Fraley and Elliott Glazer, Huntington Bank

Members Elliott Glazer and Jason Fraley Discuss Third Party Risk Management

Right now, Huntington National Bank has relationships with over 1,700 vendors. The bank engages vendors for many reasons, including software development and data processing, staff augmentation, and business process support, explain Elliott Glazer, Chief Information Security Officer, and S. Jason Fraley, Compliance Section Manager and Privacy Officer. Vendors may also be engaged to provide legal, audit, or specialized business segment services.

To evaluate the security of those third parties, Elliott and Jason follow an industry best practice. From an information security perspective, they start with a security risk assessment to identify the vendor's inherent risk. Based on this, they determine what controls, tests, or review elements are required. "The security questions we require should not be a surprise to a new vendor, as we try to inform vendors as early as possible about our requirements, sometimes even as part of the RFP process," Elliott says.

Privacy reviews are conducted using a similar approach, Jason adds.  “After determining the Inherent risk posed by a vendor, questionnaires are provided to the vendor to gauge the policies and controls in place to protect sensitive data.  Privacy questions are drawn from BITS FISAP and are also customized to suit Huntington’s needs.  Privacy controls can be difficult to assess, so it’s important to gauge if the vendor has instilled a culture of privacy and/or compliance.  An essential element of successful Privacy reviews, especially for high risk vendors, is substantiation documents, such as audit reports or internal policies and procedures, that can help demonstrate a vendor’s commitment to privacy and data security.”   

The biggest challenge Jason and Elliott face in risk management of third parties? Staff and resource issues. "The process is more intense than previous methods and requires some more security expertise/labor," Elliott says. Another challenge is ensuring that vendors provide the required documentation and substantiation with their initial vendor scorecard submission so evaluation can begin immediately. If information needs to be re-requested, the vendor review process is delayed.

Overall, Elliott and Jason believe that their assessment process has reduced the overall risk posed by using third parties. “Some vendors understand security and do a good job of securing their environment and building security into their products.  Others do not.  Where the vendor does a poor job of this, we have clearly made a difference,” Elliott says. 

“This review process also allows business segments, risk management, and compliance to proactively build testing and monitoring for a vendor into their processes at the outset of the relationship,” says Jason.

Elliott Glazer is Chief Information Security Officer and S. Jason Fraley is Compliance Section Manager and Privacy Officer with Huntington National Bank based in Columbus, Ohio.

Attachment: CISO EXECNET COL MAR 23 TPRM PRESO.pdf (17.84 MB)