
3rd Party Risk Pt. 1
Practical Considerations for Privacy & Security Due Diligence

Agenda
Introductions
3rd Party Risk Due Diligence Best Practices
Questionnaires
On-Site Reviews
Q&A


Introductions: Today's Speakers

Ted Julian, Chief Marketing Officer, Co3 Systems
Security / compliance entrepreneur
Security industry analyst

Deb Hampson, AVP & Assistant General Counsel, The Hartford
Head of Corporate Privacy Office since 2006
Previously head of The Hartford Life's Corporate Compliance Unit and the Group Benefits Legal Team
Specialties: privacy law, insurance law, corporate compliance, social media legal and compliance issues.

Co3 Automates Breach Management

PREPARE: Improve Organizational Readiness
Assign response team
Describe environment
Simulate events and incidents
Focus on organizational gaps

ASSESS: Quantify Potential Impact, Support Privacy Impact Assessments
Track events
Scope regulatory requirements
See $ exposure
Send notice to team
Generate Impact Assessments

REPORT: Document Results and Track Performance
Document incident results
Track historical performance
Demonstrate organizational preparedness
Generate audit/compliance reports

MANAGE: Easily Generate Detailed Incident Response Plans
Escalate to complete IR plan
Oversee the complete plan
Assign tasks: who/what/when
Notify regulators and clients
Monitor progress to completion


About The Hartford

Personal Lines

Middle Market

Retirement

Mutual Funds

Specialty

Small Commercial

Group Benefits

Individual Life

Annuities


Data Breaches and 3rd Party Leaks

Internal / Employee Actions
Government Agency: Employee sent CD-ROM with personal data on registered advisors (139,000 records)

Malicious Cyber-Attacks
Global Consumer Electronics Firm: Hackers stole customer data, including credit card information (100 million records)

Lost/Stolen Assets
Community-Based Healthcare Plan: Laptops with patient data stolen by former employee (208,000 records)

3rd Party Leaks
Multi-Channel Marketing Service: Digital marketing agency exposes customer data of dozens of clients (millions of records)

The multitude of breach regulations don't care how the data was lost. You are subject to the same requirements.


3RD PARTY RISK

3rd Party Privacy & Security Due Diligence

Questionnaire

On-Site Visits

Certifications

Annual Audits


POLL

Who Receives a Questionnaire?


Every vendor that handles customer data, employee data or company confidential data receives a questionnaire. The questionnaire is developed using:

International standards:
ISO/IEC 27001 Information Security Management Systems
ISO/IEC 27002 Code of Practice for Information Security Management
The BITS Financial Institution Shared Assessments Program

Internal Privacy and Information Protection policies based on regulatory requirements.


What Areas Does the Questionnaire Address?

Overview of services being provided
Privacy and Security Policies
Organizational Structure
Personnel Security
Environmental Security
Operations Management
Network Management
Information Handling
Access Control
Compliance
Business Continuity and Disaster Recovery

POLL

Who gets an On-Site Visit?


Risk-Based Approach For Vendors Who:
Provide incomplete questionnaire responses
Provide unsatisfactory questionnaire responses
Handle contracts over a specified dollar amount
Handle information that is sensitive or confidential
Are located in a foreign country


Components Of An On-Site Review Process


Meetings with vendor senior management
Address key privacy and security policies and procedures to ensure senior management buy-in

Interviews with key personnel
Allows assessors to obtain more specific information on the vendor's controls

Comprehensive document review
Verify the existence of key security documents

Physical security inspection
Verify that key physical security and environmental controls are in place

Policy/Statement of Work verification
Verify that the security requirements detailed in the Statement of Work are implemented.


Top Questions
1. Do comprehensive information security policies exist that all employees must read and accept?
2. Are all employees and contractors with access to Company data required to take information security awareness training?
3. Are there processes in place that ensure access to Company data is authorized and granted in the most restrictive manner possible and limited to those having a business need for such authorization?
4. Is access to Company data contingent on a thorough criminal background history investigation performed using an accredited personnel investigation agency?
5. Are physical security measures in place to control physical access to systems or output that contain Company data?


Top Questions (cont.)

6. Is all access to Company data logged and reviewed on a regular basis?
7. Is there a Security Incident Response Plan in place that contains procedures to be followed in the event of any actual, suspected, or threatened security breach, including unauthorized use, access, disclosure, theft, manipulation, or reproduction of Company data?
8. Will the vendor submit to an annual Security Risk Assessment review based on ISO 27001, conducted by the Company (or its agent)?
9. Is there commercially reasonable and effective network intrusion prevention or detection, firewalls and anti-virus protection in place and functioning properly?
10. Are operating systems and applications associated with the Company appropriately patched after knowledge of any security vulnerabilities?
11. Are all sensitive or confidential data sent over public networks encrypted with at least 256-bit encryption?

Considerations For Foreign Service Providers


Scope of Services and Sensitivity of Data
Are the services contemplated to be performed temporarily or on an ongoing basis?
Do the services involve the handling, storage or transmission of sensitive data?
Can the company execute an exit strategy if services are disrupted?

Geographic, Cultural, Social and Political Factors
How far away is the vendor?
What language barriers exist?
How often does the Company plan to review or audit the vendor? Do on-site reviews need to be done?
What social or political factors are reasonably likely to affect the provider? Can the Company monitor these factors?

Business Continuity and Disaster Recovery
Does the vendor have a Business Continuity Plan?
Does the vendor have experience executing the plan?


Considerations For Foreign Service Providers (cont.)


Local Laws Regulating Privacy and Data Security
Are there local laws that impose requirements on the vendor with regard to data?
How do the local laws apply to the Company?

Legal/Compliance Risk
What contractual provisions are required to ensure proper resolution of disputes?
If local laws create requirements, are they consistent with the provisions the Company applies to its US-based service providers?
What is the process under local laws for responding to access requests by individuals, subpoenas or other requests for disclosure from governmental agencies?

Security Controls
Can the vendor reasonably be expected to satisfy stricter or rapidly evolving standards for data security?
Is the vendor transferring data to other locations or countries?


How About When You Receive A Questionnaire?


What do you do when there are too many questions to answer?
How do you ensure consistent responses?
How do you respond to yes/no questions?
How do you manage the volume?

Whose Privacy and Security Policies and Procedures do you follow?


QUESTIONS

Next Webinar
Canadian Breach Regulations
Next Thursday, 10/25 @ 1 PM
Invites with more info and registration information in the next day or two


"Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editor's Choice."
PC MAGAZINE, EDITOR'S CHOICE

One Alewife Center, Suite 450 Cambridge, MA 02140 PHONE 617.206.3900


WWW.CO3SYS.COM

"Co3 defines what software packages for privacy look like."


GARTNER

"Platform is comprehensive, user friendly, and very well designed."


PONEMON INSTITUTE

Deb Hampson, Assistant VP & Assistant GC
debra.hampson@thehartford.com
www.thehartford.com
