CISO EXECUTIVE NETWORK
Third Party Risk Management Breakfast Roundtable
Wednesday, March 9, 2011
8:00 am - 12:00 noon
Offices of Reed Smith
Speakers
Gene Tabachnick and Kirsten Rydstrom, Reed Smith
Michael Mettenheimer, Oracle
Barak Feldman, Cyber-Ark
Holly Shea, Rapid7
Member Discussion Leader
Susan Koski, BNY Mellon

Pittsburgh Member Susan Koski Discusses Third Party Risk Management
No matter what you do with third parties, your company still owns the risk. That’s the way Susan Koski, manager of the Risk Assessments Department within Technology Risk Management at BNY Mellon, looks at the situation.
“Based on the type of service we’re outsourcing, we have to be sure we have the right controls and risk treatment commensurate with the risk of the outsourced function,” she explains. “Some of the control requirements, for instance with an application service provider, may include: does that company have controls for managing the protection of information, do they have a good recovery and continuity program, procurement functions software and licensing for the goods they are delivering, and controls on information access.”
Susan says other issues to consider include how these third parties perform background checks on their employees and the physical security of their location(s). “In addition, the risk treatment for the type of service must also be considered – you may look at things differently with a cafeteria service versus an application service provider.”
When applying risk management to each potential service, Susan tries to understand what level of risk should be assigned to that service in relation to the risk it would present to her organization. This is accomplished by having the vendor attest to its control environment via a self-assessment questionnaire. In addition, the company uses site visits to validate the self-assessment questionnaires.
All of BNY Mellon’s business units and business partners are part of the service provider risk process through appointed personnel. “We ask each area to appoint liaisons to the program within their groups, and those liaisons are responsible for understanding the program and adhering to it.” As well as business involvement, technical subject matter experts in vendor management, IT and business continuity are also part of the program for managing the risk of vendors.
One of the biggest challenges Susan faced resulted when the Bank of New York and Mellon Financial merged. “During that time, we prioritized the integration activities based on risk,” she says. “Now that the integration period is complete, our next major phase is the ongoing monitoring of the providers. The decision is how often do we perform additional questionnaires, site visits and other types of monitoring to enact a complete risk management-based approach.”
Her advice to other CISO Executive Network members? “If you don’t have a security program for third parties, you should immediately begin developing one,” she says. Susan also recommends risk management in a phased approach. “Since you certainly will not have every question answered and every vendor assessed overnight, you need to develop a program that’s reasonable and rational for the risk tolerance of your organization.”
Susan Koski is the manager of the Risk Assessments Department within BNY Mellon’s Technology Risk Management group. She has over 12 years of experience in information risk management and over seven years of experience in technical support for 3-tier architectures across multiple platforms and technology sets, software development for nuclear control systems, and quality assurance testing.
| Attachment | Size |
|---|---|
| CISO EXECNET PIT MAR 9 TPRM PRESO.pdf | 10.26 MB |
| CISOREEDSMITHPITTPRM.pdf | 596 KB |
| Cyber-Ark PIM CSO PITT - Final.pdf | 3.79 MB |
| 2010_report_ioug_data_security_survey.pdf | 1.04 MB |