How to mitigate operational, compliance risk of outsourcing services


Richard E. Mackey, Contributor
06.15.2009


Outsourcing services are a fact of life in today's business environment. However, while outsourcing may allow you to focus on what you do well and be more efficient, it can also bring both operational and compliance risk. This article discusses the importance of understanding the risk associated with third parties and how to manage it. It provides guidance on how to recognize third-party operational and compliance risk and how to structure a provider management program that ensures the risk is assessed, understood, monitored and managed appropriately.

Operational and compliance risk

When an organization shares information with another organization, the risk of that information being compromised is increased. In other words, the organization has increased its operational risk. In addition, if the organization sharing the data has not taken the necessary steps to ensure that the information is protected appropriately according to the requirements of applicable regulations and contracts, the organization has increased its compliance risk.

Many regulations, including the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act and the Massachusetts Identity Theft law (MA 201 CMR 17.00), require organizations to review their service providers' security practices and ensure that the information will be protected adequately. PCI -- a contract rather than a regulation or statute -- also requires merchants and service providers to ensure that their service providers are compliant with the Payment Card Industry Data Security Standard in the functions they provide. Given these requirements, it is imperative that organizations have an organized approach to evaluating the type of risk a particular service represents, the level of risk of both the service and the provider, and the adequacy of the provider's security practices in mitigating the risk of compromise and meeting compliance requirements.

...



What is at risk?

The first step in understanding risk is understanding exactly what information you are sharing. This may seem like a nonissue, but in many cases organizations share information in bulk without considering the individual data elements. Lack of data analysis can lead to unnecessary risk of exposure, increasing both the risk of compromise and the risk of being found noncompliant with contracts and regulations. Assuming you have analyzed the information to be shared, you can ask the following questions:

  • Does the information include personal identifying information, healthcare data or credit card data?
  • Is the information competitively sensitive for you or a business associate?
  • What aspects of the information are sensitive? Is the confidentiality, integrity and/or availability of the information critical in the context of the service that you or your business associate provides?
  • Does the data fall under requirements and restrictions specified by an existing contract?
  • Is the data regulated by an agency or government statute?

If we look at a hypothetical example, we can see how understanding the information can help you measure the risks and understand requirements:

St. Fictitious Hospital shares patient records including names, Social Security numbers, addresses and treatment data with HealthService Inc., a service provider that allows doctors to view and approve treatment records for submission of claims to insurance companies. The hospital recognizes that as a covered entity under HIPAA it is required to protect the confidentiality, integrity and availability of Electronic Protected Health Information. In the case of insurance claim submission, the confidentiality and integrity of the records are more important than their immediate availability. Consequently, the hospital needs to ensure the effectiveness of the controls that affect those aspects of the information.

The hospital also recognizes that there is a chance that some patient is a resident of Massachusetts; therefore, it will assume that its controls and the controls of the service provider must meet the requirements of the Massachusetts Identity Theft Law. Both laws require the hospital to assess the adequacy of the security practices of the business associates to which it entrusts this protected information. In HIPAA parlance, the "covered entity" (the hospital) must ensure that all the administrative and technical controls are implemented by the business associate (HealthService), including appropriate encryption for transmission over unprotected networks, strict access controls on the data and disciplined vulnerability management.

Interestingly, the Health Information Technology for Economic and Clinical Health Act (HITECH Act) has brought additional pressure on business associates. In the past, HIPAA violations and compliance were the responsibility of the covered entity. The HITECH Act expands the responsibility of business associates, making them directly responsible for the safekeeping of the data. This change makes the Massachusetts law and HIPAA consistent in that organizations are responsible for any data they possess, regardless of how they acquired it.

The hospital will then need to go through an organized process of evaluating the business associate's practices and requiring improvements wherever they fall short. If possible, the hospital should also look to anonymize or eliminate any data that does not need to be shared. This practice can mitigate risk substantially.

Inherent vs. residual risk

As we have said above, all relationships bring some degree of operational and compliance risk. However, not all relationships are created equal. Two of the most critical elements in managing partner risk are consistently assessing the inherent risk associated with the shared information or relationship and assessing the residual risk of dealing with a particular partner in the context of its implemented controls.

The first element, assessing inherent risk, requires you to look at the data shared and the effect a compromise would have on your business and state of compliance. You assess the relationship assuming no controls. This is a worst-case analysis of the damage you would suffer in the event of a breach.

This analysis allows you to rank, by risk, the service providers you deal with based on the criticality of the information you share and the service they provide. Based on this ranking, you can then determine the depth of assessment you need to conduct to assure that your risk is mitigated appropriately.

The inherent risk analysis allows you to establish tiers: high-risk, medium-risk and low-risk service providers. This ranking will allow you to devise assessment methods that are commensurate with the risk. Low-risk partners may not require an assessment at all, or may only be required to sign agreements accepting responsibility for whatever risk exists.

Medium-risk providers may be required to answer a security practices questionnaire and be investigated in more detail only if their answers raise concerns. High-risk providers might be required to submit a third-party audit report or undergo a detailed assessment by your internal security group.

This tiered system not only allows you to closely inspect your highest-risk partners, it also helps you mitigate both operational and compliance risk. The initial assessment in a relationship lays the groundwork for the future periodic reviews that are required by many contracts and regulations (and simply make sense).

The ongoing partner management program

When you have established a relationship with a partner, your risk management responsibility has only begun. As time goes by, the risk associated with a given service changes substantially as a result of changes to your business, your partner's business, your technology, the threat environment or new regulatory or contractual requirements. Consequently, the risk associated with every service relationship needs to be re-evaluated periodically to both recognize and adapt to these changes.

The risk-based tier system can help maintain your partner risk management program by helping to set the frequency of your periodic risk assessments and partner practice evaluations. The higher the risk associated with a given partner, the more frequent your risk and practice assessments should be.
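The inherent-versus-residual analysis, the risk tiers, the assessment depth attached to each tier and the review cadence described above can be expressed as a small model. The following is an added example written for this page, not code from the article's author or SystemExperts Corp.; the data categories, weights, control mitigation percentages, tier thresholds, review intervals and the sample data set for the hypothetical St. Fictitious Hospital / HealthService Inc. relationship are all assumptions chosen for illustration.

```python
# Added example (not from the article or SystemExperts): a third-party
# risk-tiering model that follows the article's steps. Every category,
# weight, threshold, review interval and the hospital sample data set
# below is an assumption chosen for demonstration.
from dataclasses import dataclass

# Sensitivity weight per data element category (assumed values).
CATEGORY_WEIGHT = {
    "phi": 5,          # protected health information (HIPAA)
    "ssn": 5,          # Social Security number (MA 201 CMR 17.00 personal information)
    "card": 5,         # cardholder data (PCI DSS)
    "pii": 3,          # other personal identifying information
    "competitive": 3,  # competitively sensitive business data
    "contract": 2,     # only restricted by an existing contract
}

# Percent of each aspect (c/i/a) a control mitigates (assumed). These are the
# controls the article names for a HIPAA business associate.
CONTROL_MITIGATION = {
    "encryption_in_transit": {"c": 30},
    "access_controls": {"c": 30, "i": 30},
    "vulnerability_management": {"c": 20, "i": 20, "a": 40},
}

# Inherent-risk tiers, and the assessment depth / review cadence attached to each.
TIER_THRESHOLDS = (("high", 30), ("medium", 10), ("low", 0))
ASSESSMENT_PLAN = {
    "high": ("third-party audit report or detailed internal assessment", 12),
    "medium": ("security practices questionnaire; follow up on concerning answers", 24),
    "low": ("signed agreement accepting responsibility for the risk", 36),
}


@dataclass(frozen=True)
class DataElement:
    name: str
    category: str
    c: int  # criticality of confidentiality, 0..3
    i: int  # criticality of integrity, 0..3
    a: int  # criticality of availability, 0..3
    required: bool = True  # False if the service could be delivered without it


@dataclass(frozen=True)
class Provider:
    name: str
    controls: frozenset  # names from CONTROL_MITIGATION that are implemented


def inherent_risk(elements):
    """Worst-case impact per aspect, assuming no controls at all."""
    totals = {"c": 0, "i": 0, "a": 0}
    for e in elements:
        w = CATEGORY_WEIGHT[e.category]
        totals["c"] += w * e.c
        totals["i"] += w * e.i
        totals["a"] += w * e.a
    return totals


def inherent_score(elements):
    return sum(inherent_risk(elements).values())


def risk_tier(score):
    for name, floor in TIER_THRESHOLDS:
        if score >= floor:
            return name
    return "low"


def minimize(elements):
    """Data minimization: drop (or anonymize) what the service does not need."""
    return tuple(e for e in elements if e.required)


def residual_risk(elements, provider):
    """Inherent risk reduced by the mitigation of the controls actually in place."""
    residual = 0.0
    for aspect, inherent in inherent_risk(elements).items():
        pct = sum(CONTROL_MITIGATION[c].get(aspect, 0) for c in provider.controls)
        residual += inherent * (100 - min(pct, 100)) / 100
    return round(residual, 2)


def control_gaps(provider):
    """Controls the provider must still implement ('improvements wherever they fall short')."""
    return sorted(set(CONTROL_MITIGATION) - provider.controls)


def assessment_plan(elements):
    """Tier from inherent risk, then the assessment method and review interval for that tier."""
    tier = risk_tier(inherent_score(elements))
    method, months = ASSESSMENT_PLAN[tier]
    return {"tier": tier, "method": method, "review_interval_months": months}


# Constructed sample: the article's hypothetical hospital / claims provider.
HOSPITAL_SHARE = (
    DataElement("patient name", "pii", c=2, i=2, a=1),
    DataElement("social security number", "ssn", c=3, i=2, a=1, required=False),
    DataElement("address", "pii", c=2, i=1, a=1),
    DataElement("treatment record", "phi", c=3, i=3, a=1),
)
HEALTHSERVICE = Provider("HealthService Inc.", frozenset({"encryption_in_transit"}))

if __name__ == "__main__":
    print("inherent:", inherent_score(HOSPITAL_SHARE), assessment_plan(HOSPITAL_SHARE))
    minimal = minimize(HOSPITAL_SHARE)
    print("after minimization:", inherent_score(minimal))
    print("residual:", residual_risk(minimal, HEALTHSERVICE), "gaps:", control_gaps(HEALTHSERVICE))
```

Two points the model makes visible: dropping the Social Security number, which the claims service does not need, lowers the inherent score but leaves the relationship in the high tier because the treatment records alone carry PHI, and a provider that has only implemented encryption in transit still leaves most of the integrity exposure untouched, which is exactly the gap list the hospital would hand back as required improvements.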

When planning your risk assessments, keep in mind that you need to understand whether changes in your partner's environment have an impact on your risk. For example, has your partner gone through a merger or acquisition? Has your partner's technical environment changed in important ways? Is your partner aware of regulatory requirements and changes that have occurred in the time since the previous review?

These questions can only be answered by communicating with your partners. This is a critical component of any partner management program.

Virtually all companies engage third-party service providers. We know that these relationships bring with them certain types of risk. It is critical that we understand these risks and manage them, not only at the initiation of the relationship, but also throughout its existence. A well-run, consistent and methodical risk-based partner management program should be part of all organizations' security and compliance programs.

Richard E. Mackey, vice president, SystemExperts Corp., ISACA/CISM, is a leading authority on enterprise security architecture and compliance.


All Rights Reserved, Copyright 2009, TechTarget