Attention: Services Providers - Clients want to know how you protect their data
It would be careless to do business with someone before doing your homework. You need to make sure you understand exactly what you are getting into and that the other party is open, honest and acting with an acceptable standard of care. Conducting due diligence is common practice with today's business interactions. You see investigations into a company's financials, personnel, and business practices. With the cyber security environment we have today, IT and information security reviews during due diligence investigations are being given a higher priority as well.
Everyone is concerned with protecting sensitive information, be it client details (PII), credit cards (PCI), or trade secrets. The rise in cyber threats has put everyone on alert. Companies are focused on reducing risk and protecting their critical assets. The Target breach taught us that third-party service providers can be a weak link in a company's IT security efforts. As a service provider, it is imperative that you do what is necessary to protect the information and access your clients entrust to you.
Due Diligence Required of Service Provider
Service providers should be able to demonstrate to potential clients and partners that they take their security seriously. Over the past year or so, we have seen a rise in the number of due diligence requests our service provider customers have received from their clients. These requests usually come in the form of a due diligence questionnaire, checklist, or phone interview. These inquiries go beyond a simple request for a compliance report and attestation. They ask for specific details about the internal operations of the service provider, specifically its information security management practices.
The lesson here is that, if you don't already, now is the time for service provider organizations to start looking internally and conduct due diligence on themselves. In doing so you will be able to respond quickly and with confidence when a request comes, and you can prove to your clients you are doing what's necessary to protect their interests.
The Purpose of Due Diligence
As a service provider looking to establish a due diligence review process, it's good to know what your clients will be expecting and what they might be looking for. The World Economic Forum published a report titled "Good Practice Guidelines on Conducting Third-Party Due Diligence" [1]. This report includes helpful information on how to evaluate companies before engaging with them. The report targets international business and mitigating the risk of fraud and corruption, but I think the principles apply generally as well.
The key principle of the report is that due diligence is relevant for all business relationships. There are two basic requirements for an organization as well:
- An organization conducts reasonable due diligence before entering into a business relationship
- An organization undertakes appropriate measures to ensure that the third party does not engage in improper conduct
To meet these requirements, it is highly likely that your clients and potential partners will have a system in place to conduct reviews of third-party service providers and others they do business with. They should have an established due diligence policy and procedure.
When conducting due diligence you are trying to evaluate a number of things, mainly:
- Does the company meet your risk requirements?
- Does the company comply with all industry and regulatory standards?
- Does the company take appropriate steps to protect your interests and its own?
Due diligence reviews should be conducted regularly, not just when establishing a relationship. You should expect clients to review your security practices at least annually. Many security standards, including PCI, EI3PA, NIST, and many others, require an annual review of service providers.
How to demonstrate proper due diligence
When conducting your internal due diligence reviews, it's good to follow a process similar to that of your clients. A standard due diligence review follows the basic three-phase process outlined below:
- Data collection
  a. Public information (Internet search, public databases, media searches)
  b. Internal questionnaire - completed by the business looking to engage the service provider
  c. External questionnaire - completed by the third party
  d. Common areas covered during data collection:
     - Organization and affiliations
     - Necessity and proper data retention
     - Expertise
     - Integrity
- Verification and validation of data: data collected should be verified by an independent business function, someone who doesn't benefit from the selection (e.g. the compliance or legal department)
- Evaluation of results: make the determination whether to move forward. Identify any red flags, and evaluate the risk level.
By understanding what your clients' due diligence policy and procedure look like, service providers and third-party organizations can prepare for these inquiries and respond from a confident position.
In the due diligence requests we've received, I've noticed that the majority of the questions follow closely with the PCI DSS requirements or similar information security standards. The purpose of the request is to gather more in-depth detail on how your information security management program has been implemented and operates.
By establishing your own internal due diligence review you can make sure you are taking the proper steps to protect the assets your clients entrust you with.
Basic Areas to Cover:
- Data breach history, and cyber insurance coverage
- IT security policies and procedures
- Personnel background, experience and expertise, including any training initiatives
- HR policies - new hire practices (background checks, drug screening, etc.)
- Implemented security controls and access management practices
- Data retention and protection (encryption, and key management)
- Data privacy practices
- Physical security controls
- Change control management policies and procedures
- Software development practices
- Vendor management practices
- GRC (governance, risk and compliance) practices
- Incident response, disaster recovery, and business continuity planning
To assist you in getting started and establishing your internal due diligence review process, we've put together our own due diligence questionnaire.
Download Aeris Secure's Information Security Due Diligence Questionnaire
Use our questionnaire as the basis for your internal audit and due diligence process. Conducting regular assessments will ensure you are prepared to respond quickly and accurately the next time a client asks for confirmation of your due diligence.
Once you have completed your review, be sure to document your findings. Take the opportunity to share your findings with those who may be asking. We have helped several clients create what we call a "Due Diligence Declaration". This document essentially provides responses to the questions your clients will be asking, in a report format. The report will contain sensitive information, so it should only be shared under NDA. Having this information pre-compiled allows you to quickly respond to a client's due diligence request. The declaration report might not address all the specific questions your clients have, but it's a great head start and will minimize the amount of work required to satisfy their request.
Action Items
Now that we've covered the importance of conducting internal due diligence reviews, and the basics of what one entails, it's time to get to work on establishing your own review program. As one final helpful tip, here are the first steps to get you off on the right foot:
- Establish a security policy which requires a regular audit or review process
- Implement an internal review process to ensure you are meeting your due diligence obligations
  - This should be in addition to any compliance audits (internal or external)
  - Use our questionnaire as the basis for your review
- Create and maintain your Due Diligence Declaration
  - Based on the findings from the review
  - Provided in response to client due diligence requests
  - Strictly control distribution due to the sensitive nature of the information
If you don't know where to start or would like assistance in conducting your due diligence, please contact us. Our auditors are experienced and would be happy to help you elevate your cyber security and internal review processes.
[1] World Economic Forum, "Good Practice Guidelines on Conducting Third-Party Due Diligence" (2013): http://www3.weforum.org/docs/WEF_PACI_ConductingThirdPartyDueDiligence_Guidelines_2013.pdf