Organizations storing customer credit card information, individuals’ medical records, or other personally identifiable information (PII) are required by certain laws and regulations to protect this data from hackers or other users with malicious intent. The loss of customer data normally results in reputational damage and unplanned legal fees.
Companies that outsource payroll, healthcare processing, and other processes containing PII can obtain a SOC 2 report. Based on the AICPA’s WebTrust principles, a SOC 2 report is an independent certification of an outsourced service provider’s (OSP) non-financial reporting controls, including security, processing, confidentiality, and privacy controls. The OSP (i.e. the third party) engages a firm to perform the attestation (audit), and then provides the detailed audit results to any interested customer.
But PII is not the only type of key data shared with third parties. It’s common for organizations to share other sensitive and important data, such as trade secrets with joint venture partners and subcontracted manufacturers, or future strategic decisions with consulting firms and outside counsel. Besides reputational damage and legal fees, the loss of trade secrets and strategic information can result in significant loss of revenue, market share, and shareholder value.
Unfortunately, it is uncommon for these strategic third parties to provide a SOC 2 report or other means of independent data protection control assurance (e.g. an ISO 27001 certification). Worse, while management is spending more and more on internal controls and protection of key data, very little, if anything, is done to verify that externally held key data is just as well protected.
According to PwC’s 2015 Global State of Information Security Survey, organizations with annual revenues exceeding $1b had $11m budgeted for security spend in 2014. However, when executives are asked how third parties protect key data given to them, initial responses include references to contract clauses indemnifying the company if data is lost, or blind trust in the third party. As one executive states, “If our supplier can’t protect our, and their other customers’ key data, they wouldn’t be in business”.
A proactive and forward-looking Internal Audit department can help bring the needed awareness to the lack of focus on external data protection controls compared against the high level of attention given to internal data protection controls.
Internal Audit can provide assurance to the Board of Directors and executive team on whether or not a process is in place to manage the risks of third parties holding key data, and whether those third parties have their own data protection controls in place. If the Chief Audit Executive can successfully recommend a third party data protection control audit, Internal Audit should consider including third party governance, contracts, and the third party’s data controls in the scope of the engagement.
Third Party Data Governance
To first determine if management is adequately protecting key data stored at third parties, an understanding of all of the third parties with key data should be obtained. Vendors are quick to be included and assessed for this type of project, but the Internal Auditor should also give consideration to third parties such as customers, joint venture partners, contractors, and even their board of directors.
Customers and joint venture partners may co-develop proprietary technologies and new products. Some companies may also make investments in start-ups or smaller organizations to develop certain technologies, and should evaluate if the invested company’s data is key. And while an organization’s Board of Directors are normally considered (top) employees of an organization, most are independent and send and receive information that is more often than not strategic, confidential, or both.
Next, does the organization have policies and procedures dictating how to classify, handle, transmit, store, and share key data? Do the policies and procedures dictate the individuals in the organization that have the authority to determine what data can be shared, and what data cannot be? A lack of policies and procedures can sometimes mean a lack of process. And a lack of a process almost always means a lack of control.
If third party data protection policies and procedures do not exist, different departments in the organization may still have a role in protecting data. For example, as part of the vendor due diligence process, Procurement personnel may be asking new third parties about their data protection controls and how they classify data. While Procurement’s process may not cover all third parties with key data, it will include some and the organization should take credit for their work.
While contract clauses such as data confidentiality and “right to audit” are common in most key vendor and distributor contracts, other contract clauses are better suited to protecting key data. Internal Audit should look for, or recommend, specific clauses addressing the partner’s data processes. Specifically, does the third party have someone in charge of classifying key data, document how key data should be handled and transmitted, and define how key data is destroyed once it is no longer needed?
Another contract clause gaining popularity as a result of all of the recent cyber hacks is the notification of a successful cyber-attack. Internal Audit should verify that their company’s contracts include language that requires the third party to notify them as soon as possible (normally within 24 – 48 hours) if their network has been successfully breached so that the company can cease sharing their own key data, and begin their own disaster recovery plans if data was actually lost.
Finally, if the third party is sharing key data with other subcontractors or third parties, management can require through contract clauses that the third party have a process in place to monitor the subcontractor’s data protection controls. Contract language should include how often the third party audits their own subcontractors, and the level of detail of their review (inquiry only, inspection testing, or independent verification from a qualified auditor).
Third Party Controls
Internal Audit can also have a role evaluating third party data protection controls. In addition to auditing the contract clauses mentioned above, there are many other third party controls that can and should be evaluated. These include the amount of training and awareness provided to third party employees on data protection requirements, whether or not desktops, laptops, and other mobile devices are encrypted, and if organizational key data is segmented from the other third party data.
To determine what should be audited, and how deep a dive Internal Audit should perform, key data business owners and the information security department should be asked for insight. Also, cyber security control frameworks such as the SANS Institute’s Critical Security Controls for Effective Cyber Defense, Top Cyber Security Controls, NIST’s Framework for Improving Critical Infrastructure Cybersecurity, or the ISO 27001 Information Security Management Standard should be leveraged as much as possible.
Chief Information Officers and Chief Compliance Officers have spent significant time and resources to protect PII by identifying and tagging PII, and by bolstering the organization’s network and cyber security defenses. But while certain compliance risks were addressed, the risk of unprotected key data stored at third parties may still exist. If this is the case, the well-informed Chief Audit Executive has an opportunity to enable positive change by bringing attention to this enterprise risk.