If it seems like your team spends more time every week answering client questions about your information security policies, you’re not alone. Vendor management has become an increasing point of emphasis for companies of all sizes. That means you’re probably allocating more and more resources to filling out forms explaining how you handle data. This trend will only grow, so it’s time to review a few best practices that can streamline your responses so that you can efficiently address your clients’ vendor management concerns and get back to your day job.
Driven by both legal concerns and worries about data breaches putting them out of business, companies are holding their vendors accountable with SIG questionnaires, SOC 2® certificates, proprietary security questionnaires and more. Companies recognize that their vendors’ risks are their risks, so they’re pushing stringent vendor management requirements all the way down their supply chain. When that initiative comes from a Fortune 500 company or government entity, the ripple effect means that even small companies now face the kind of security reviews that were once common only in larger firms.
Managing all the responses has become a major workflow issue. With every client putting their own slant on a set of core questions, you could easily tie up hours of employee time chasing down answers to the latest question about your security posture.
Vendor management was already a growing point of emphasis before two recent major breaches convinced even late-adopters that their supply chain needed a closer look. The headline-grabbing breaches of SolarWinds in December 2020 and Microsoft Exchange Server in March 2021 proved that even if your vendor is a global tech titan that dwarfs your company, you’re putting your operations into potentially uncertain hands. The Exchange breach alone resulted in compromises of an estimated 60,000 networks in early 2021.
The CMMC standard currently rolling out in every Department of Defense contract will require an estimated 300,000 companies to earn a third-party certification. Some major healthcare companies are now working only with vendors who earn a HITRUST CSF certification.
Many companies establish these requirements to avoid issuing data breach notifications, no matter what happens. These notifications can carry high costs both in raw dollars for the notification and potential fines and in damage to the company’s reputation. As a result, we’re seeing some companies require HIPAA compliance. The companies higher in the supply chain want to ensure that if they inadvertently share data with a partner, the partner has controls in place to prevent the need for a costly breach notification.
Many contracts now mandate security controls related to vendor management. “Right to audit” clauses are also gaining momentum, which means that a company can audit a vendor’s process if they suspect data is not protected. A failed information security audit could put the vendor in breach of contract.
In Pratum’s experience, only about 10% of these “right to audit” clauses are ever exercised. But large companies sometimes use the right to audit as a negotiating tactic. When a contract is up for renewal, the client company may call for an audit, reveal security gaps and seek pricing concessions if the vendor wants to retain the contract.
And keep in mind that if 10% of your, say, 80 clients exercised a right to audit in a given year, you would face eight audits. Some companies are successfully pushing back by getting a third-party certification such as those mentioned below and renegotiating contracts to include the right to audit only if a data breach actually occurs.
Pratum offers several recommendations to help you streamline this process:
Companies that can efficiently report on their security position often separate themselves from competitors. We’ve seen many clients get their big break when a major new customer calls with a rush job. The vendor that can submit their security reports at the same time as their bid typically wins the job, opening a new relationship with a potentially key client.
If you can produce a validated third-party certification (such as SOC 2®, HITRUST CSF or ISO 27001), you’ll instantly stand out from competitors who can present no more than their own statements about how they’re doing things.
Keep in mind that most companies aren’t looking to drop the contractual hammer on their vendors and cancel contracts. Most companies would prefer to keep working with proven vendors. So simply getting your information security house in order can probably secure your relationship and keep clients from considering other vendors.
For more insights on the current landscape in vendor management, watch Pratum’s recent Cybersecurity in 60 webinar.
If you could use help reducing the workload of responding to clients’ security requests, contact us today.
If it seems like you’re devoting more hours every month to reassuring partners that they can trust you, you’re not alone. In modern supply chains, companies regularly entrust their data to other organizations. HITRUST CSF is one of many compliance frameworks that aim to make everyone feel better about that data sharing. HITRUST CSF and other frameworks create objective industry standards for measuring another organization’s information security maturity. HITRUST CSF originated in the healthcare industry, but it’s a powerful framework that’s gaining traction in more fields, so it’s worth understanding how it may work for you.
The framework began in healthcare in 2007, when the HITRUST Alliance released its CSF (Common Security Framework). Like other frameworks and compliance protocols (such as SOC 2, PCI, HIPAA, GDPR and many others), HITRUST CSF provides objective criteria for measuring how an organization secures data. It also carries the added weight of third-party validation at its higher levels. That reassures your partners that you’re not just saying you have the right controls and policies in place; a third-party assessor has confirmed it. With a third-party certification like HITRUST CSF in hand, you can streamline many vendor security checks down to sending them a copy of your certificate rather than answering a long list of questions. A popular phrase describes this advantage as “assess once; report many.”
Because of HITRUST CSF’s healthcare roots, it naturally draws comparisons to HIPAA. One key difference is that HIPAA is a federal law, while HITRUST CSF is an industry-created standard. Also note that HIPAA is a self-attestation, meaning a company’s partners have no validation that an organization is actually doing what they say. HIPAA also contains a lot of subjectivity, leaving organizations to ask each partner exactly what they mean when they say “we comply with HIPAA.” Because HITRUST CSF is a detailed, objective standard focused on risk management, you know what it means when you see that certification. If you earn HITRUST CSF certification, you will definitely have covered your HIPAA requirements.
When organizations have a choice about which framework to use to satisfy client requests, they frequently compare HITRUST CSF to SOC 2. For most organizations, Pratum recommends starting with SOC 2 unless your partners are specifically requiring HITRUST. SOC 2 certification requires less time and expense, and SOC 2 allows more flexibility in defining your own control activities.
HITRUST CSF is gradually gaining traction outside the healthcare industry, and when version 10 arrives in the spring of 2021, it will include some new language targeted at making it applicable to more industries.
CSF contains 19 domains and 135 controls and offers three Implementation Phases that all build on each other. (In other words, if you reach Phase 3, you’ve covered everything in Phase 1 and 2.) The three phases of HITRUST are:
HITRUST CSF Readiness Assessment – Using the MyCSF online portal, you’ll walk through the framework yourself and receive a CSF Self-Assessment Report. Many companies hire an Authorized CSF Assessor to help with this process, which typically takes about six months.
HITRUST CSF Validated Assessment – This phase requires you to hire a third-party Authorized External Assessor organization, whose work normally includes an onsite visit. The assessor submits their report to HITRUST within the MyCSF tool and HITRUST then issues a Validated Report. This process normally takes another six months.
HITRUST CSF Certification – At this phase, HITRUST actually reviews and certifies the organization’s entries and the assessor’s validation. This process can take 3-4 months.
The most common driver for choosing any information security framework is that your customers demand it. In the healthcare space, some major companies such as Humana, CVS Caremark, United Healthcare Group and others refuse to work with any vendors until they complete a HITRUST CSF certification. In those cases, using HITRUST CSF is an easy decision, even if it’s not an easy process.
But many companies that have a choice in the matter are embracing HITRUST CSF, too. One of this framework’s advantages is the fact that if you’re working with partners across industries, you can use HITRUST for many of them. That can save you from trying to figure out the Venn diagram of multiple industry-specific frameworks. It also saves time and money because a single HITRUST certification may save you from complying with several other standards at the same time.
You should know at the outset that earning HITRUST CSF certification is a big undertaking. It requires about a year of work and a significant investment—$100,000 and up for most organizations. So the decision to pursue it obviously requires analysis of the business opportunities it will create for you (or preserve, if key clients are demanding you get it).
The process looks like this:
1. Scoping – You’ll start by using the framework’s system and organizational factors to scope your engagement. You’ll buy a license to HITRUST’s MyCSF online portal and fill out a detailed scoping questionnaire that leverages factors such as how much data you handle, how many active users you have, etc., to produce a list of the controls that will apply to you.
2. HITRUST CSF Readiness Assessment – Using MyCSF, you’ll do a thorough self-attested assessment of your current controls and policies. At this stage, you’ll be gathering documents, researching how you handle data and uploading documents and information to MyCSF. HITRUST reviews your submission to confirm that all the correct information is present and then issues a HITRUST CSF Readiness Assessment Report.
3. HITRUST CSF Validated Assessment – Now you’re ready to engage an Authorized External Assessor organization for a third-party validated assessment to affirm that the work you’ve done during the readiness assessment phase is still accurate and legitimate.
4. HITRUST Review – Through MyCSF, the External Assessor will submit their report to HITRUST for quality assurance review and the issuance of a HITRUST CSF Validated Assessment Report, which is valid for two years. To ensure you’re staying on track, your External Assessor will do a HITRUST CSF Interim Assessment after one year by testing some sample control requirements from across the 19 CSF domains.
HITRUST allows you to write corrective action plans (CAPs) for any areas where you fall short in your assessment. Typically, you’ll be expected to provide evidence in a year at the Interim Assessment that you’re taking meaningful action on your corrective action plan(s). And keep in mind that if you earn your certification with dozens of corrective action plans listed, your partners may decide that you have a long way to go and debate whether they can trust you with their data.
Pratum’s consultants specialize in a wide range of compliance frameworks and have assisted multiple clients with their HITRUST CSF journeys. Our consultants can assist IT teams with readiness assessments, identifying gaps and CAPs to implement new controls. HITRUST CSF puts a premium on seeing specific language in your policies, and our consultants can help ensure that you write them correctly.
Pratum also supports organizations during the validation stage. We’ll help interpret questions from the assessors and serve as your liaison to ensure that you can answer questions accurately and make your case when you feel an assessor may be viewing something incorrectly.
We’re eager to answer your questions as you consider whether HITRUST CSF is a smart investment for your organization. Please contact us today.
How do you protect data when it leaves your building?
A few years ago, hardly anyone asked that question because data stayed home. But with the rise of cloud services, mobile computing and a pandemic, the trend of data following users became the norm in a matter of weeks. Suddenly, your data’s security had far less to do with your physical facility’s security. As a result, there is fresh interest in zero-trust architecture, where the mindset switches from a device-centric security model to a data-centric model.
In a zero-trust world, IT leaders assume that devices, networks and individual user accounts have already been breached. So they attach security factors to the data itself. This not only boosts security but expands the organizations’ business opportunities. With a zero-trust approach, you can continue doing business with a valuable partner even if you’re not confident in their security systems. Thanks to a data-centric model, your data protects itself.
Not long ago, organizations could almost literally keep an eye on their data. Employees mostly worked in offices on company-owned devices plugged into company networks (or at least linked to company wireless networks). Data lived on a centralized server. For the most part, protecting your data meant controlling who entered your building.
Today, data roams the globe without its traditional bodyguards. The boundaries between work and personal life have blurred as employees access data around the clock and on a variety of desktop and mobile devices and networks. “We’re never fully at work and never fully at home,” says Pratum Founder and CEO Dave Nelson. “We’re always just kind of everywhere.”
The pandemic obviously accelerated adoption of remote work by years. And with 90% of HR leaders saying they intend to maintain some form of work-from-home policies after the pandemic, the call for a data-centric model has unprecedented momentum.
“Many organizations are still basing their security model on something that doesn’t exist anymore. You no longer control the devices or networks. And that’s scary for data managers and business leaders. Many of the risks that leaders were willing to take were based on a security model that was basically invalidated overnight.” – David Nelson, President and CEO, Pratum
From an identity perspective, we now have complete strangers touching organizational data every day. When an employee logs in from a remote location, how much do we know about the security of their network? Are they working on a home computer with outdated antivirus protection? When a vendor logs into your distribution and inventory platform, how do we even know it’s them and not someone who stole their credentials? Are your industry partners protecting the login credentials you give them or handing them out to multiple employees?
Those questions, Nelson says, overturned many long-held best practices. “We saw a lot of IT leaders freaking out when business leaders came to them and said, ‘I know you’ve done all this work over the last 15 years to make our network and data secure, but we’re going to send everybody home, and we need those people to get access to all that data from devices you don’t know.’”
Zero-trust architecture ensures your data is safe, even if, for example, someone intercepts it while your employee is working on a coffee shop network. IT leaders can quit worrying about the specific device or network in use because their security has now become data-centric.
Moving to zero-trust architecture represents a major IT project, but many information security consultants are telling their clients that it should become a top priority. Though widespread adoption is starting only now, the concept has been around for years. All the major information security players support the use of zero-trust architecture, including Microsoft, Fortinet, Cisco and Amazon Web Services.
That’s essential, because in a zero-trust environment, each use of data must be vetted through multiple security layers. For example, you might grant read-only access to a file as long as the user is on a computer with antivirus software installed. Before users can modify the file, their devices must clear a much higher security bar. For example, the system might run a basic “health screen” of the computer for proof that it has run an antivirus check in the last 12 hours, has an acceptable firewall, is part of an approved domain, etc. The system may also grant provisional access by requiring, for example, that the computer run another antivirus scan before it is allowed to modify files.
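The tiered decision described above, written out as an added example (constructed here, not Pratum’s or any vendor’s code): read-only access needs only installed anti-malware, modify access needs the full device health screen, and a stale scan yields provisional access pending a fresh scan. The 12-hour scan window comes from the text; the approved domain name and the other thresholds are assumptions.

```python
"""Tiered conditional access for a file, following the zero-trust example in
the text. Constructed illustration, not Pratum code; the approved domain is an
assumed placeholder."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional


class Access(Enum):
    DENY = "deny"
    READ_ONLY = "read-only"
    PROVISIONAL = "provisional"   # may modify once a fresh scan completes
    MODIFY = "modify"


@dataclass(frozen=True)
class DevicePosture:
    antimalware_installed: bool
    last_scan: Optional[datetime]     # None = never scanned
    firewall_on: bool
    auto_update_on: bool
    domain: Optional[str]


SCAN_MAX_AGE = timedelta(hours=12)                 # "antivirus check in the last 12 hours"
APPROVED_DOMAINS = frozenset({"corp.example"})     # assumed placeholder, not from the page


def evaluate(posture: DevicePosture, requested: Access, now: datetime) -> tuple[Access, str]:
    """Return the access level granted and a reason string for the audit log.
    Anything other than a READ_ONLY request is treated as a request to modify."""
    if not posture.antimalware_installed:
        return Access.DENY, "anti-malware not installed"
    if requested is Access.READ_ONLY:
        return Access.READ_ONLY, "anti-malware installed"
    # Modify: every health-screen item must pass; only scan freshness can be
    # cured on the spot by a provisional re-scan.
    failures = []
    if not posture.firewall_on:
        failures.append("firewall off")
    if not posture.auto_update_on:
        failures.append("auto-update disabled")
    if posture.domain not in APPROVED_DOMAINS:
        failures.append(f"domain {posture.domain!r} not approved")
    if failures:
        # Fall back to the lower tier instead of denying outright.
        return Access.READ_ONLY, "health screen failed: " + "; ".join(failures)
    scan_fresh = posture.last_scan is not None and now - posture.last_scan <= SCAN_MAX_AGE
    if not scan_fresh:
        return Access.PROVISIONAL, "scan older than 12h; modify allowed after a new scan"
    return Access.MODIFY, "health screen passed"


def demo_decisions() -> dict[str, str]:
    """Constructed postures run through the policy; returns granted levels."""
    now = datetime(2021, 6, 1, 9, 0)
    healthy = DevicePosture(True, now - timedelta(hours=2), True, True, "corp.example")
    stale = DevicePosture(True, now - timedelta(days=2), True, True, "corp.example")
    home_pc = DevicePosture(True, now - timedelta(hours=1), False, True, None)
    bare = DevicePosture(False, None, False, False, None)
    return {
        "healthy-modify": evaluate(healthy, Access.MODIFY, now)[0].value,
        "stale-modify": evaluate(stale, Access.MODIFY, now)[0].value,
        "home-modify": evaluate(home_pc, Access.MODIFY, now)[0].value,
        "home-read": evaluate(home_pc, Access.READ_ONLY, now)[0].value,
        "bare-read": evaluate(bare, Access.READ_ONLY, now)[0].value,
    }
```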
While the number of zero-trust components varies by the platform you’re using, these are the six core principles:
1. Identities – Strong authentication tools should validate every user’s identity. It starts with strong passwords/PINs and extends into digital signatures and multifactor authentication tools such as tokens, certificates and biometrics. In all situations, organizations should follow a policy of least-privileged access, in which users receive access only to the data they need to do their job.
2. Devices – Any device seeking to access company data must comply with policies such as having a firewall turned on and rules validated; anti-malware software turned on and set to scan daily; and auto-update enabled to ensure software is adequately patched.
3. Applications – The system should inventory all applications and data locations, including client-server (ERP, core platforms, accounting, etc.); desktop (Adobe, Microsoft Access, My Documents/Desktop); and cloud solutions (Salesforce, AWS, etc.). Administrators should determine ownership and management responsibilities and enforce and audit security compliance.
4. Telemetry & Monitoring – We’re overwhelmed with system activity reports, so you need a robust system to make sense of all the noise and spot potential threats. (Pratum’s Security Operations Center ingests about 6 billion events each day across all of our managed XDR/SIEM clients.) Organizations should track detailed usage statistics such as date/time of access; location of the access; sizes of files accessed; bandwidth utilization and more.
User & Entity Behavior Analytics (UEBA) solutions model typical user behavior and flag anomalous activity. This system might, for example, note that a user who typically works 9-5 is logging in at midnight from a new device. That might indicate an attempted breach in progress.
In a similar vein, Extended Detection and Response (XDR) solutions with Security Information and Event Management (SIEM) track activity in all corners of your technology stack and proactively stop potential threats before they can do any damage.
5. Networks – Networks still play a key role as security boundaries since they can be explicitly trusted and can encrypt all communications.
6. Information Rights Management (IRM) – In a platform using IRM, data carries its own rules for use. For example, e-mail may be set to restrict forwarding of messages marked as confidential. In Word or Excel, users may be prohibited from opening or printing files unless they are using a company-owned device. Note that these rules often can be circumvented if they aren’t used in conjunction with file encryption.
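The UEBA idea from principle 4 (a 9-to-5 user logging in at midnight from a new device) as an added example, not code from the page or from any UEBA product: a baseline of constructed login events yields each user’s usual hours and known devices, and later logins outside that baseline are flagged with their reasons.

```python
"""Minimal UEBA-style anomaly flagging over constructed login events.
Illustration only; users, devices and timestamps are made up."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class Login:
    user: str
    ts: datetime
    device_id: str


@dataclass
class Profile:
    hours: set = field(default_factory=set)     # hours-of-day seen in the baseline
    devices: set = field(default_factory=set)   # device ids seen in the baseline


def build_profiles(baseline: list[Login]) -> dict[str, Profile]:
    """Learn per-user typical hours and devices from the baseline window."""
    profiles: dict[str, Profile] = defaultdict(Profile)
    for ev in baseline:
        profiles[ev.user].hours.add(ev.ts.hour)
        profiles[ev.user].devices.add(ev.device_id)
    return dict(profiles)


def score(ev: Login, profiles: dict[str, Profile]) -> list[str]:
    """Return the anomaly reasons for one login (empty list = looks normal)."""
    p = profiles.get(ev.user)
    if p is None:
        return ["no baseline for user"]
    reasons = []
    if ev.ts.hour not in p.hours:
        reasons.append(f"unusual hour {ev.ts.hour:02d}:00")
    if ev.device_id not in p.devices:
        reasons.append(f"new device {ev.device_id}")
    return reasons


# Constructed sample: two weeks of 9-to-5 logins from one laptop ...
BASELINE = [Login("alice", datetime(2021, 5, d, h), "laptop-01")
            for d in range(3, 15) for h in (9, 13, 16)]
# ... followed by a normal login, a midnight login from a new device, and an unknown user.
NEW_EVENTS = [
    Login("alice", datetime(2021, 5, 17, 9, 5), "laptop-01"),
    Login("alice", datetime(2021, 5, 18, 0, 12), "phone-77"),
    Login("bob", datetime(2021, 5, 18, 10, 0), "laptop-02"),
]


def flagged(events: list[Login] = NEW_EVENTS, baseline: list[Login] = BASELINE) -> dict[str, list[str]]:
    """Map each anomalous login ('user@timestamp') to its reasons; two reasons
    at once, as in the midnight-plus-new-device case, is the signal to escalate."""
    profiles = build_profiles(baseline)
    out: dict[str, list[str]] = {}
    for ev in events:
        reasons = score(ev, profiles)
        if reasons:
            out[f"{ev.user}@{ev.ts.isoformat()}"] = reasons
    return out
```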
A key step in the zero-trust system is assigning conditional access to different types of files, recognizing that there isn’t a one-size-fits-all solution here. Locking every file down in the same way will surely make daily work harder than it needs to be for many users. Setting file access levels should not fall solely on the IT team. IT needs input from other leaders to explain the sensitivity of data in any given file type and who should be able to use it.
This chart provides examples of how an organization may set access for various types of files.
As you consider how your environment needs to adapt to new working styles and whether zero-trust architecture may be right for your organization, Pratum can help. Contact us today for a free consultation on the best way to protect your critical data.