
09:26 AM
Tom Hinkel, Safe Systems

Does Your Vendor Management Program Prevent or Promote Cyber Attacks?

With cyber attacks a growing concern for financial institutions, here are some steps banks can take to ensure security against such attacks in their vendor chain.

Because most financial institutions rely on third-party service providers, risk management and vendor management are inextricably linked. In an age where cyber attacks, increased regulatory scrutiny, and reputation risk are high on the list of bankers’ concerns, properly managing vendors has become a high priority. Here are a few strategic practices an institution can follow to prevent, detect, and/or mitigate a breach or malicious attack at a service provider.

1. Know what data you share with the vendor, where it is stored and secured, how it gets there, and who has access to it. This is particularly true for cloud-based providers. The redundant, distributed nature of cloud data storage is both its biggest strength and its biggest weakness. Having data stored multiple times in multiple locations throughout the country is great for high availability, but it makes it almost impossible to ensure compliance with your internal policies for proper retention and destruction of information. Use data-flow diagrams and data classification rules to understand the location and sensitivity of shared data. And if your data is transmitted, stored, or processed outside the U.S., you’ll need to understand the rules and regulations of the hosting country as well.

2. Obtain and review any third-party audit reports prior to engagement, and periodically throughout the relationship. Just as with the older SAS 70, third-party audit reports such as the SOC 1 (or SSAE 16) and the SOC 2 (or AT 101) will still be the best way for you to ensure that your vendor’s processes and practices are compliant. And make sure you insist on a Type II report, which adds an all-important testing component to the audit.

3. Make sure all online passwords comply with your internal password policy (length, complexity, periodic changes, etc.), and don’t share passwords among sites. Online services may have different authentication capabilities, but if they store or process sensitive or protected information, they should still adhere to your policies for accessing internal systems. Use a different set of authentication credentials for online services than you use internally; that way, if the vendor experiences a breach, the exposure is contained to that site.
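The third practice is one an institution can check mechanically rather than by policy statement alone. The following is an added example, not code from the article or from Safe Systems: it audits a small inventory of vendor-portal accounts for three of the failures described above: passwords that violate the internal policy, passwords that have gone past the rotation period, and the same password reused across more than one vendor site. The inventory, the policy thresholds (14 characters, three character classes, 90-day rotation), the audit date, and the fingerprint key are all constructed assumptions; in practice the records would come from a password manager or IAM export. Passwords are stored only as keyed HMAC fingerprints, so reuse can be detected without keeping the passwords themselves in the inventory.

```python
"""Vendor credential hygiene audit (added example; assumptions noted below)."""
import hashlib
import hmac
import re
from dataclasses import dataclass
from datetime import date

# Internal password policy parameters. Assumed values, not from the article.
MIN_LENGTH = 14
REQUIRED_CLASSES = 3          # of: lowercase, uppercase, digit, symbol
MAX_AGE_DAYS = 90

# Date on which the audit is run (fixed so the results are reproducible).
AUDIT_DATE = date(2013, 4, 5)

# Key for fingerprinting passwords. Constructed placeholder; an institution
# would hold this in its own secrets store.
FINGERPRINT_KEY = b"replace-with-institution-managed-secret"


@dataclass
class VendorAccount:
    site: str            # vendor portal or internal system
    username: str
    fingerprint: str     # HMAC-SHA256 of the password, hex encoded
    last_changed: date   # when the password was last rotated


def password_fingerprint(password: str, key: bytes = FINGERPRINT_KEY) -> str:
    """Keyed digest: identical passwords yield identical fingerprints,
    but the inventory never holds the password itself."""
    return hmac.new(key, password.encode(), hashlib.sha256).hexdigest()


def check_policy(password: str) -> list[str]:
    """Return the internal-policy rules a candidate password violates."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < REQUIRED_CLASSES:
        failures.append(f"fewer than {REQUIRED_CLASSES} character classes")
    return failures


def find_reused_credentials(accounts: list[VendorAccount]) -> dict[str, list[str]]:
    """Map each fingerprint seen on more than one site to those sites.
    A breach at any one of them exposes every site in the list."""
    by_fp: dict[str, set[str]] = {}
    for acct in accounts:
        by_fp.setdefault(acct.fingerprint, set()).add(acct.site)
    return {fp: sorted(sites) for fp, sites in by_fp.items() if len(sites) > 1}


def find_stale_credentials(accounts: list[VendorAccount], today: date,
                           max_age_days: int = MAX_AGE_DAYS) -> list[str]:
    """Sites whose password is older than the rotation period."""
    return sorted(acct.site for acct in accounts
                  if (today - acct.last_changed).days > max_age_days)


# Constructed sample inventory. The same password is used on two vendor
# sites, and one vendor password is well past 90 days.
SAMPLE_ACCOUNTS = [
    VendorAccount("core-banking.vendor-a.example", "ops",
                  password_fingerprint("Tr0ub4dor&3-spring"), date(2013, 1, 15)),
    VendorAccount("statements.vendor-b.example", "ops",
                  password_fingerprint("Tr0ub4dor&3-spring"), date(2013, 3, 1)),
    VendorAccount("payroll.vendor-c.example", "hr",
                  password_fingerprint("unique-Payroll!2013"), date(2012, 9, 30)),
    VendorAccount("internal-ad.bank.example", "ops",
                  password_fingerprint("Internal0nly#2013"), date(2013, 3, 20)),
]

if __name__ == "__main__":
    print("reused across sites:", find_reused_credentials(SAMPLE_ACCOUNTS))
    print("past rotation period:", find_stale_credentials(SAMPLE_ACCOUNTS, AUDIT_DATE))
    print("policy failures for 'short1!':", check_policy("short1!"))
```

Running the audit on the sample inventory reports the password shared between the two vendor portals and the payroll portal password that has not been rotated in over 90 days; the internal directory password, which is unique and recent, produces no findings. Keying the fingerprints means a copy of the inventory is not itself a list of crackable hashes, which matters because the inventory is exactly the kind of record that would be shared with auditors or a vendor-management team.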

4. Understand the incident response capabilities, as well as the contractual responsibilities, of your vendor. Guidance requires that all financial institutions clearly define the support to be provided by the vendor during and after a cyber-event. Make sure your contract with the vendor requires notification of any cyber-events whether or not they affect you. Ask to be included in any future incident response testing.

Tom Hinkel is the director of compliance for Safe Systems, a compliance-centric IT solutions provider exclusively to the financial industry.

Tom Hinkel
User Rank: Apprentice
4/5/2013 | 5:55:05 PM
re: Does Your Vendor Management Program Prevent or Promote Cyber Attacks?
I completely agree, Jonathan. Consider the most recent guidance updates from the FFIEC...Outsourcing, Supervision of Technology Service Providers, Cloud Computing...all directly related to vendor management. So the guidance is out there now; increased regulator focus is coming!
User Rank: Author
4/5/2013 | 4:54:13 PM
re: Does Your Vendor Management Program Prevent or Promote Cyber Attacks?
I think this is definitely an area of risk that regulators need to consider as they focus in on the cyber attacks hitting the industry. I wouldn't be surprised to see more guidelines and regulations coming out that cover this topic.