WesternBanker - July/August 2018

www.westernbankers.com | WesternBanker 16

Vendor Management in Today's Interconnected World
By Cliff Neve, Managing Partner, MAD Security

In 2013, malicious actors gained access to retail giant Target's point-of-sale systems through an unlikely third party: heating and cooling contractor Fazio Mechanical. Fazio and Target shared a data connection for electronic billing and project management. Criminals first breached Fazio through phishing emails, then exploited the shared connection to breach Target and push malware to its point-of-sale systems, ultimately collecting credit and debit card data from more than 40 million customers. In 2013, Target reported that the cost to them in settlements and representation topped $292 million—not including the massive losses stemming from the reputational hit with shoppers, who are still talking about it almost five years later.

Most organizations have multiple partners with physical or logical access to their information and information systems, and few institutions have assessed the full scope of the risk this introduces. Access can range from cleaning contracts to vendors operating the entire IT infrastructure as a Managed Service Provider. We have found that organizations do not effectively account for these third parties; below is a process for gathering cybersecurity vendor management requirements and building a program that fosters protection of sensitive data.

Step 1: Develop a Data Classification Guide

Organizations must conduct a thorough analysis of the different types of data they process and publish a concise guide for employees and auditors that delineates the protection and handling required for each type of information.

An example of data classification might be:

• Publicly Releasable Information
• Confidential Information (including personally identifiable information, personal health information, contract-sensitive information, and other information that should be guarded carefully)
• Proprietary/Trade Secret Sensitive Information

There are no set parameters for data classification, other than that the level of protection prescribed for each class should be commensurate with the risk its disclosure poses.

Step 2: Establish a Risk Management Program for Third Parties

When a third party is given physical or logical access to an organization's information systems, risk is introduced. Risk comprises two elements: likelihood and impact. It sounds simple, but the analysis of the risk arising from the scope of a third party's access is frequently ignored. The decision to outsource and the nature of the outsourcing must be fully understood, captured, and reviewed regularly. In addition, it is important to build a program that is standardized, repeatable, effective, and efficient. This can be done by sorting vendors into several categories and mandating a standard set of controls for each category. Consider the following as an example:

1. High-Risk Vendors: Vendors who handle or have access to data that, if exposed, would pose great risk to the long-term survival of the organization