NIST & ISO & SOC 2, Oh My! Making Sense of Third-Party Risk Compliance Requirements
Description
Third-party risk management is laden with acronyms, and it can be a challenge to keep up with terms – especially when transitioning between compliance frameworks and regulations. What do they all mean, and which ones do you need?
In this on-demand webinar, compliance experts Alastair Parr and Thomas Humphreys explore the most important third-party compliance acronyms you need to know going into the rest of 2022, including:
- Define models such as SIG, ISO27001, SOC 2, and SCA
- Explore the real difference between FISMA and NIST for third-party management
- Understand sanctions such as OFAC and regulations such as OSFI
- Identify the most important mandates for third-party risk and why
Understanding the world of compliance for third-party risk might not be as easy as A-B-C, but our experts will spell out the most relevant regulations and frameworks you need to know. Register now!
Speakers

Thomas Humphreys
Compliance Expert

Alastair Parr
Compliance Expert
Transcript
Melissa: Hello, welcome, welcome. Happy Thursday, or wherever you are, whichever day it is. It’s great to see everyone start joining. I’m currently in Tampa, Florida, so I’m happy to report I have power and an internet connection for now. So, I’ll give you a minute while we wait for people to get settled in and connected themselves. I’m going to go ahead and launch our first poll. And if you’ve attended one of our webinars before, you know what to do. But we are curious as to what brought you to today’s webinar. Is it educational? Are you in the beginning stages of your third-party risk program? Are you a current Prevalent customer? Just let me know. And let’s begin by getting some intros started. My name is Melissa. I work in business development. And today we are joined by our very own solutions expert and content manager, Thomas Humphreys, as well as Alastair Parr, our senior vice president of global products and risk. Hi guys.
Thomas: Hello.
Alastair: Hello.
Thomas: Thanks for having us.
Melissa: Yeah, of course. They’re going to be guiding us through today’s topic, and SIG and SOC 2, oh my, making sense of third-party risk compliance requirements. This webinar is being recorded, as you can see. So, you’ll get this in your inbox later today or tomorrow. Lastly, you’re all muted, so just use the chat if you need to communicate something that’s not a question for the Q&A box. And without further ado, I will let them jump into it. Go ahead, guys.
Alastair: Thank you very much, and good morning, good afternoon, good evening wherever you are in the world. So, brief intro before we dive into specifically what we’re going to cover off today. I’m joined today by the lovely Thomas Humphreys. Hello Thomas.
Thomas: Hello.
Alastair: Thanks.
Thomas: Nice to be here.
Alastair: Thomas, you are the content manager at Prevalent. Tell us why we should be listening to you about acronyms.
Thomas: So, as the title suggests, I deal heavily in developing content based off of a variety of standards, frameworks, legislations and regulations. So I often find myself knee-deep in all manner of acronyms on a daily basis. So this is a topic that is, yes, close to heart and very familiar.
Alastair: Lovely. Thank you very much, Thomas. And for those who haven’t met me before or seen me before, I’m Alastair Parr. I have, much to my dismay, a background myself in compliance and governance: 27001 audits, SOC 2 reviews, assessments, 9001, 22301. I have the joy of more number-based acronyms than Thomas does, but I’m certainly eager to see what Thomas can bring to the table for us today. So, what are we going to cover off? We’re going to be focusing ultimately on acronyms, as you probably expect. So we’re going to highlight why acronyms are becoming more and more prevalent, mind the pun, in our space, particularly around third-party risk and third-party management. We’ll touch on some of the more common frameworks that we’re seeing out in the space and the risk domains that contribute to those. We’ll touch on how TPRM, third-party risk management, let’s go, there’s our first acronym out of the way, is gradually migrating over to a TPLM, third-party lifecycle management, approach. We’ll touch on some of the more common regulations that we’re seeing in emerging frameworks. We’ll touch on ESG and ABMS as a broader focus area and how that’s becoming more prominent in the space, and then we’ll touch a bit more on FISMA and NIST as well. So we’ve got a lot of content to cover off and go through today. I’m rather excited, but why are we actually doing this?
Alastair: Good. Glad to hear it, Thomas. So I appreciate that, generally speaking, when we deal with compliance and regulation on a whole and acronyms, historically we’ve spent a lot of time focusing internally within the organization, and that’s presented its own challenges: disparate businesses, disparate business units, collecting it all together. Certainly a headache. Capturing information from people and then tracking and managing that throughout the ongoing lifecycle. That has now transcended, of course, just internal, and we are of course seeing the same challenges and criteria across the broader modern enterprise. This is becoming more and more of an issue when we start factoring in things such as the more devolved business structures that we’re seeing. So outsourced hosting, for example AWS, Azure and so on. But then when you actually start breaking out all of the composite elements that actually touch on sensitive information, they fall in scope where we have some degree of responsibility to customers and to regulators. It is multifaceted. There are multiple criteria. There are multiple third parties, and as much as they present risk attack vectors in the sense that they exist, there is of course a very strong requirement across the board to track multiple domains, and then that feeds into the various acronyms, regulations and criteria that we see before us. So with the scene set, and before we dive into the Scrabble board of lovely acronyms that we tend to see, here are some of the key areas where we’re typically seeing the focus. So those regulations, those frameworks are ultimately trying to make some form of improvement. They’re trying to address and mitigate risk and make sure that we as organizations and our peers are functioning in a way that makes people happy, makes our customers happy, makes the regulators happy.
Alastair: And these are the ones we’re most commonly seeing across the board. The drivers here: there is of course the infosec and cybersec driven criteria, which we obviously are very focused on as an organization, but that does of course extend into broader business risk, financial risk, their positioning associated to that from a sustainability and a resilience standpoint. ESG, which we’ll touch on in a bit more detail shortly, is a core driver moving into 2022 and of course into 2023, which is ever looming now that we are in the fall. Broader reputational risks, looking at sanctions information, politically exposed persons. So state-owned enterprise screening of course being the driver, and then our lovely compliance risks: GDPR for the keen-eyed of you there, OFAC, FCPA, HIPAA, FIC, FCA. I’m not going to go through the whole list, but yeah, I think that Scrabble illustration is very much relevant. So with the scene set, Thomas, I wondered if you can dive in and give me a bit of insight into what you’re seeing generally across the board for frameworks.
Thomas: Absolutely. And just on a final note, actually, to that previous slide, one thing that is becoming more apparent is not only, as Alastair has so eloquently alluded to, the volume of acronyms and terminologies across areas such as cyber security. It’s where businesses have perhaps traditionally focused on one area, such as security or data privacy, and they’re now wanting to expand into other areas such as ESG, which as we know is becoming ever more prevalent. Excuse the term. And of course this is providing its own challenge, because starting to venture into other key aspects that perhaps traditionally as a business we’re not used to seeing or not used to operating within, and getting used to a whole new set of acronyms, terms, definitions, can be a bit of a minefield.
Thomas: So having said that, if we proceed to looking at assessment frameworks. So I think it’s fair to say that when you talk about assessments, there’s not just one single one-size-fits-all standard or framework. There’s a lot of them. Particularly, as you can see on the screen, there’s just four examples, all from information and cyber security. We typically find that there’s an ever-increasing volume of assessments, whether it’s assessments that are focused on particular aspects, particular interests. So everything from ESG and anti-bribery to internet of things to threat management and threat awareness, to standards and frameworks that are focused on particular sectors, such as standards and frameworks that target the educational sector or the legal sector, as well as those perhaps more traditional highly regulated industries, some of which we’ll go on to in a little bit. And so I’ve got four key frameworks here to give an example of how wide-reaching these are. So we have ISO 27001, SIG or the Standardized Information Gathering assessment, SOC, System and Organization Controls, and NIST 800-53. So four frameworks all covering aspects of information and cyber security, and as we can see further down, a lot more assessments focused on different sectors or topic-specific. So HECVAT, information security in the educational sector; PCI DSS for companies looking at payment card security and merchants providing payment methods. So let’s take a look at the four just briefly. So ISO 27001, it’s an international standard created by the International Standards Organization.
Thomas: It’s probably one of the most, if not the most, widely used framework out there for information security, and anyone who is familiar with ISO as an organization knows that they like to have a very clearly defined structure when it comes to their frameworks. So 27001 is a standard put in place to help companies define a management system, set out clear requirements in terms of setting and identifying and understanding risk, and then having a set or suite of security controls to help deal with, manage, mitigate and treat those risks. It’s also a certifiable standard, which means from an independence perspective you’re able to demonstrate compliance to best practice frameworks and best practice solutions. You can see why it’s a very popular framework, particularly when you’re engaging with various stakeholders who want to see oversight and some level of validation that best practices are in place. Taking a look on the right-hand side, SIG, developed by another standards body called Shared Assessments, opens up the concepts of information security but then also expands to other pertinent areas. So from information security to privacy, governance to compliance, and a few other core topics. It’s a very extensive framework which, although not certifiable, is used quite heavily globally, obviously more so in the United States than anywhere else, as a way to demonstrate that compliance, and the size and the complexity of the framework gives a lot of option and capability to businesses to select pertinent topics, pertinent modules that are necessary for them as a business.
Thomas: SOC 2, again, in a similar vein to ISO, is assessed independently, very much with the purpose being to provide an assessment of an organization’s operations and systems and control effectiveness. And NIST 800-53, again a US-based standard, focusing on security and privacy controls for information systems and organizations, initially developed for US federal government agencies, but more and more now we’re finding there’s a wider adoption both at a government level and a non-government level. So independent and private organizations recognize the benefit of NIST 800-53. And in a similar vein to ISO, to SIG and to SOC, NIST also provides a suite of controls that organizations can use to implement, to assess third parties on, to assess the supply chain on. And in the case of NIST, we’re looking at close to a thousand different controls. It really does go into a lot of depth. So obviously this begs the question of, well, where do we start? If we’re just starting on this journey of identifying an appropriate assessment, an appropriate set of standards or individual standard with which to measure and manage our third parties on, or to assess them against, which one do we go for? Now this can be easy and this can be difficult.
Thomas: In some cases it could be driven through regulation, and certain organizations say we want to impress upon organizations the need to adopt a standard, and we recognize 27001 as best practice or we recognize 800-53 as the key practice for the industry, and obviously that can make it a bit easier. But equally so, there are many businesses and industries that haven’t got there yet, and so the idea of saying, well, which one do we choose, which model fits our business, our business needs and the type of parties we’re dealing with, given we’ve talked about four very different standards, each with their own standards body and setting their own nuanced effects on how they represent controls and deliver controls, some larger than others. It’s important to state that there is also a consistency that applies to these four, despite the fact that they are, as I said, very separate standards bodies who have developed them. One of them is that they all have a clearly structured approach and their best practices for securing data and information. So whether you look at ISO 27001, controls in SIG, SOC or NIST 800-53, it immediately becomes clear when you do a gap assessment against them and when you compare them side by side that there’s a standardized set of definitions of key security controls and information controls. So areas such as access control, business continuity, system and application development, governance and risk management, to name but a few. So despite being four very different frameworks, there is a level of structure and a level of best practice that applies to all four, and many others down the line as well.
Thomas: Interconnected mappings is very interesting, and SIG is a very good example of this, where the standards have been around for many, many years and, as you’d expect, with the regular occurrence of updates and changes made, they’ve matured to a state where there are clear mappings between each framework. Thinking about SIG, it provides clear data mappings between the likes of ISO, SOC, 800-53 and many other frameworks, both NIST-related and elsewhere, and this just shows the level of interconnectivity and interconnection with these frameworks. So it’s important to recognize that, yes, there’s a lot of frameworks, and that can be very overwhelming, not just for information security but the regulations and other areas as well. But having that awareness of the purpose of each of these frameworks is really key and really will help organizations when taking that step of going through this best practice. I think Microsoft famously said in 1994 their key slogan was "Where do you want to go today?", and when you look at the volume of standards and regulations, the answer to that could always be "we don’t know, we’re not too sure, it’s quite difficult". But the more awareness we can have of the purpose of these standards and these frameworks will only help answer that question and make it more of an easy first step in that journey of TPRM and engaging with third parties.
Alastair: Very interesting. I’ve got a few questions personally, Thomas, based on what you’ve just covered off. So I appreciate that, picking this domain for example with infosec and cyber security as a focus point, there’s multiple choices, and I appreciate sometimes it might be vertical-specific, which makes life easier to select, but is there any guidance you’d give people in how to identify the right framework for them?
Thomas: Oh, very good question.
Thomas: So, yes, there’s a couple of routes we can go down. The first point I’d always suggest is taking a look at where the industry is going, and particularly if you have interaction with industry players, you may be a key leading organization in your sector. There are many sectors now that are taking closer interest not just in security, and obviously information security, but information privacy and data privacy as well. We mentioned ESG earlier, and it’s a topic we’ll be coming on to later, and there’s a lot of industries that are becoming more vocal in their support for standards and support for what they’re trying to get out of due diligence in security. So that’s always a good first step. Secondly, I guess it’s understanding what level of detail and what complexity you need to go down to. Organizations have already started to think about what they perceive as their risks, what the industry generally perceives as their key risks. Particularly from a technical perspective, it will make it easier to identify that we need to go down the NIST route, for example, because that offers that level of granularity, versus 27001 which, as we’ve established, is a very structured, very well-defined management system standard. It offers us that baseline to assess organizations against, because that gives us confidence that organizations are doing the right thing in a structured and consistent method. So there’s a lot of techniques you can go through, but certainly getting more involved in your industry, being more mindful of what’s happening in the industry and sector, is always a good place to start.
Alastair: Fantastic. Thank you, Thomas. Now we are getting a lot of questions coming in, which is great to see.
Alastair: We’ll do our best, everybody on the line, to try and weave them in organically into our conversation today. But there are certainly quite a few, so we’ll be hard-pressed to get to all of them, but we will of course try and dedicate some Q&A at the very end of today’s session as well. But one thing I’ve seen come through, not just once but a few times on this, is about having these standards and these frameworks be seen as an acceptance mechanism for their customers, as in people are or are not having, say, 27001 certification being approved when you’re using it from a vendor management standpoint. So there are some insights we’ve got on that. Some of the challenges we quite often see, and I’ll start with 27001, is the fact that there is of course something called an SoA, a statement of applicability. Now the thing is, you might be ISO 27001 certified, but the reality is, without the statement of applicability and the insight into how you’re managing those individual controls, it outlines that you’ve got a good ISMS, information security management system. There certainly are happenings here. So it shows that you’re managing the governance process of risk sufficiently, but it’s not really an indicator of how you’re actually managing risk, whether you are a risky organization. It just shows that you’re aware and you’re driving towards a plan of improvement and you’re diligent in that respect. So I ask you, Thomas, let’s say I’m assessing you and you provide me with your 27001 certificate. What should I be asking for from you to get that level of confidence in relation to controls?
Thomas: Yes.
Thomas: So, it’s very interesting, actually, that you highlight the statement of applicability, because in many cases, in some cases actually, organizations are very unwilling to share that, for various reasons. And there’s only so much you can get from a certificate, not least the scope of operation. Which is always a first step anyway, to understand does the scope fit the product or service that’s being supplied to us as an organization. And if it doesn’t, then there’s further questions and approaches we need to go through in that respect. Certainly upon having received a certificate, this is where the importance comes down to understanding where an organization, or what an organization, perceives as its greatest threat. And I can give you an example there. Organizations that rely heavily on third parties to manage personal data, private data, their clients’ data, medical data, anything that’s deemed sensitive, will obviously want to make sure that data security controls around data backup, encryption and those processes are obviously effective and are covered sufficiently. So the first check upon receiving the certificate is to have a look at that deeper dive and to ask those questions around, okay, it’s great we have a 27001 certificate, and on the base level we know that if an independent auditor has provided that certificate, we know that there must be some level of structure in place. What we can’t see, of course, is: have you got a certificate but also have a lot of observations, nonconformities, that are raised by an auditor that are still not severe enough to warrant not providing a certificate, but could still open up a few gaps and concerns.
Thomas: So asking those types of questions around controls that are important to you as an organization is a key first step, I would say.
Alastair: Fantastic. Great questions. So, tied to that as well, we obviously had a few people asking, on that basis, do we see them as a replacement for due diligence? No, absolutely not. If you see, say, a SOC 2 report, SOC 2 Type 1 and SOC 2 Type 2, a 27001 certificate, I would very much, and Thomas, I’m sure you would agree with me, I’d very much encourage you to read and dissect that, look at the statement of applicability, look for exclusions, and ultimately look for control failures or control challenges within the various respective documents. The same as a completed SIG: a completed SIG doesn’t really indicate anything when you actually start drilling into the detail, you need to factor in the context. What is it that they’re providing for you? And equally so, if you’re doing it yourself, you need to consider scope as a very, very important factor in this.
Thomas: Absolutely. And the SOC is a good example of that, because SOC reports are, more often than not, a point in time, a single point in time, and depending on when that was delivered, when it was assessed, it may not necessarily mean that the controls and actions taken by an organization still remain true if it’s, say, six months later or seven or eight months later. So having that mindset to go in and say, that’s great, you’ve seen your results here. What do we look like now? What changes have you made now? Are you likely to change things that could affect what an auditor has said six, seven, eight, nine months ago? And so, yes, absolutely, I very much agree with that. Certificates are a great way to demonstrate that best practices have been or are being applied.
Thomas: But there needs to be more to satisfy a company to say there’s continual improvement, continual due diligence.
Alastair: Very much so. So, one more point before we start moving on. We actually had an interesting question about, can you combine two frameworks? So the reality is yes. Of course, as Thomas rightly covered off, there’s a fair amount of overlap between them from a control standpoint. So you’ll see some similarities and convergence in that respect, but there will always be a degree of nuance between each of them. If you’re sending it out as a third-party assessment framework, do consider that you might cause some frustration amongst your audience, on the basis they might have aligned themselves to one of these, for example, and you might cause some frustration if you’ve merged it in an uncontrolled manner. And what I mean by that is, typically you’d build the commonality and then you might have some delta sub-controls you may want to ask. That way you’re going to minimize the chance of them having to redo everything from scratch, and they’ll be able to map the respective framework that they’ve used to your questionnaires, to your assessments, etc. But Thomas, I had one last question for you, which is tied to 27001 in fact, which was, as the more keen-eyed of you may notice, that 2013 does actually denote a year. Do you have any insight and thoughts as to when we might see the next iteration of the standard itself?
Thomas: I do, actually. Yes. So 27001, for those who are perhaps not aware, very, very brief background. So 27000 as a family of standards has released a lot of different assessments, many tied to different aspects of information security.
Thomas: But obviously 27001 is the only certifiable standard, and every three to five years ISO as an organization and its members get together to review these frameworks. The last review was done several years ago and it was decided that it was still fit for purpose. However, 27002, a standard built around implementation of 27001 controls, was updated this year. There’s also indication that 27001 will get a refresh, with an expectation at the moment in 2023. And this actually goes along with aligning the changes that the 27002 framework has made. And so at the moment, yes, it’s looking highly likely that at the beginning, probably the first quarter of next year, we will see a new standard that reflects some of the changes that ISO as an organization is also going down. Thank you. And that nuance there between 27001 and 27002 is certainly important from an iteration standpoint. So for those of you on the call, please don’t get confused between the two, because they are essentially different in that respect.
Alastair: Yes.
Thomas: That’s it.
Alastair: Absolutely.
Thomas: Thank you.
Alastair: So, the last component there is, if people have questions on how they can get more information on the 27 series, PCI, SOC 2, SIG, etc., there are various frameworks out there and certifying bodies that can essentially help you become a lead auditor, lead implementer, etc., depending on your respective interest level. Okay, thank you very much, Thomas, that’s very useful. So moving forwards, we’re just going to give you a bit of insight into third-party-specific, centric criteria that we’re seeing evolve. So some of you may have seen TPRM as a terminology for third-party risk management. We are seeing that starting to gravitate, as I mentioned, to third-party lifecycle management.
Alastair: Now for those of you in third-party management, the distinguishing factor here is the fact that it is a lifecycle. Of course, we are seeing a convergence of the respective teams of the business, that’s procurement, legal, of course infosec as well, amongst others risk and compliance, and we’re seeing people start to realize that they are doing very similar activities: they’re collecting information from third parties and they’re looking to try and get some visibility and understanding on how they’re actually going to manage third parties effectively. How are they going to address that sheer volume of third parties and the respective challenges that they present? They’re looking at lifecycle management. So from sourcing and selection, in the case of looking at procurement methodologies, the intake and onboarding process, through to categorizing third parties, because there’s simply going to be so many and it’s challenging to try and manage the sheer volume of those. We understand that that’s becoming more of a lifecycle journey so that they can then in turn assess, remediate, drive against the various frameworks and regulations out there, and then manage and monitor them over time before they eventually get offboarded.
Thomas: And of course, Alastair, what would you say, thinking about that journey from TPRM to TPLM, is there any key critical issue that you foresee that could potentially stop making this as seamless as possible a journey? Obviously, I guess the key thing you mentioned there was buy-in from the business and as much involvement as a business as possible, which is always, I guess, critical to make sure we get acceptance across the board.
Alastair: Absolutely. Yes. I think you touched on a very key point there.
Alastair: So if a single cog of that wheel, or half wheel in this case, happens to not be able to contribute, it can have a downstream impact on everybody. From a procurement standpoint, if we don’t have the relevant information on who the third party is, what they’re doing, who our points of contact are, even that impacts the ability for the others to actually add context and make a decision or even reach out to the third party. From an IT sec standpoint, of course, if we don’t understand the potential control challenges that they face, then that’s going to affect our alignment to the various frameworks that exist out there. And then of course downstream, legal, compliance, that affects things like our asset management workflows, ITAM of course, and understanding what they’re exposed to, what the potential risks are, what data flows are existing from a privacy, GDPR, Data Protection Act standpoint. These are all getting fed by different parts of the business to provide one more cohesive lifecycle and journey of third parties, which impacts our ability to be effective with all these various acronyms that we see. So moving onwards in our journey onto regulations, Thomas, why don’t you give us a bit more insight into how regulators are reviewing third-party risks specifically?
Thomas: Yes, absolutely. Now, we’ve already spoken quite at length in terms of the view from a standards perspective and how there’s so many standards and they’re increasing in many capacities, increasing from a sector-specific or a subject-specific area, and we can see something similar happening from a regulatory aspect as well. So there does seem to be an increasing demand from regulators in looking at, or gaining oversight of, third-party risk.
Thomas: Generally, across the board, more regulators are demanding that level of visibility in terms of how organizations are carrying out, say, third party risk management. I guess we have to look at more the wider supply chain risk management practice and process. One such sector where this is maturing and increasing is the financial sector: this need for saying, well, how are third parties increasing operational, financial, or risk to the operational and financial resilience of institutions. And we’ve got a couple of examples here: the PRA in the United Kingdom, the Prudential Regulation Authority, and OSFI, which is the superintendent and financial regulator in Canada, responsible for all financial institutions across the country. And there’s a lot of similarity between the two. Back end of 2020, 2021, the PRA released and updated outsourcing arrangement requirements for organizations, and this is an area that’s been taken by OSFI and used to build their own third party risk management guidelines, and the concept of these guidelines, which are still in draft. There’s an expectation that by the beginning of 2023 these will go live. This third party risk management guideline asks financial institutions, and it doesn’t have to be a bank, any asset management firm for example or anyone else in that space who has work and office space within Canada, to set out a clear life cycle of how it manages suppliers and the supply chain. So this third party risk management guideline sets out expectations, for example, for how you initially engage with third parties, the risk assessments you do and profiling of third parties, how you get to the stage where you’ve understood your wider third party landscape even before you’re looking at entering into contracts and supplier agreements.
Thomas: Coming through the agreement stage, looking at how do you build in controls, whether it’s security controls, privacy controls, continuity controls, as part of supply chain and supplier contracts and contractual agreements, and then of course coming further down in terms of the processes to monitor, review and audit suppliers as well. So it really is looking at the full end-to-end process, and it does end with supplier offboarding as well. So this is a new regulation that OSFI have developed and, as I say, there’s a lot of close collaboration, preparation and use of PRA guidelines and use cases. The financial sector is an interesting one of course, because there’s such a good and close relationship between many global regulators in terms of consistency and standardization, and this is another one, and a new one from a Canadian aspect, that really focuses on and just calls to attention the seriousness that this industry has as regards third party management and third party risk management. And of course this is not just financial. There are many other regulators and regulatory bodies all over the world that are focusing on the way organizations deal with and are mindful of the wider supply chain. The EU as well, off the back of GDPR and other privacy-based requirements, has also increased its view of outsourcing and outsourcing arrangements. So this is one area where we can see there is going to be an ever-increasing focus, as I say, not just on the financial sector; we can see others around the legal sector, around the educational sector, around healthcare as well.
Thomas: Some of these again are pretty well regulated anyway and there’s a lot of strong focus. Healthcare is a good example of, as you’d expect, you know, management of patient data, management of medical data, which again can then translate to how this interacts with the need to manage your supply chain effectively, particularly for those suppliers who have access to such data or information systems. Questions?

Alistair: Sorry, Thomas. A couple of interesting questions there in relation to the fact that, so we pick, say, the PRA, those few of course. Now there are a fair few non-government or non-authority-based frameworks out there, just to hop back to the framework piece, the supply assurance framework for example, and of course technically you’d argue Shared Assessments being much the same. How do you see the similarity between private sector sponsored frameworks that align to regulations versus the actual regulations themselves? Are you seeing a convergence, or do you see them as very disparate and independent?

Thomas: Good question. So, largely, and I’ve got a good example of this particularly on the next slide in terms of the healthcare sector and the healthcare regulator in the United States, we’re seeing when many of these regulators start to set up, particularly around information security and privacy requirements, we often find that they do use baselines such as 27001, NIST, SIG to a degree. There is a recognition that these standards exist and that they can often be used as the baseline to developing the regulations and to developing the requirements. On occasion you will find it the opposite way.
Thomas: I guess more so those regulators or those scenarios where, for want of a better word, the industry is less mature, where they’re just starting out on the process, they’re just recognizing a need for, you know, more regulation around cyberspace, around third party management, or very niche industries as well. So I’d say it’s a mixture of both, but generally, particularly when you’re looking at the likes of the financial sector, when you’re looking at the healthcare sector and other similar sectors, there is a good relationship between those recognized standards, global, national, international standards, and what the regulators are trying to achieve as well.

Alistair: Thomas, yeah, the one other thing I’d add to that and note is the fact that those standards themselves typically are control-based in some shape or form, and quite often these regulations will dictate and mandate particular processes. Now they’re not necessarily associated to risks; they might be a process that’s mandatory because, simply put, it’s going to achieve compliance or make life easier for end consumers, to protect consumers for example. So as much as you might see some associations and overlap, it’s not always going to be, you know, a one-for-one between a framework and a standard or regulation.

Thomas: No. No. That’s a very good point. Yes, it’s not always apples for apples, let’s say. This brings me on actually to the second slide regarding regulations, and of course we’ve talked about financial and two regulators here. We are seeing increases in other, either country-wide regulations and best practices, or best practices in sector-specific aspects as well. If we could head on to the next slide. So regulations are increasing at national level.
Thomas: For example, the need to protect consumer data, to drive best practices across industries. So some of these names may be familiar to those on the line. HIPAA, the Health Insurance Portability and Accountability Act in the United States. The purpose of this group or this organization is to develop regulations to protect the privacy and security of health data or health information in the United States. And to your point earlier, Alistair, and to your question, this is an example where we have a regulation delivered by this US agency, but then another US agency, NIST, has taken this and has helped supplement it with implementation guidelines. I believe this is SP866. Don’t quote me. There are a lot of numbers when it comes to NIST. But that’s a good example where NIST have taken and realized the importance of this regulation and provided clear implementation of how do you apply these standards around HIPAA privacy rules and security rules and security practice. And so that’s actually a good level of interaction between both agencies that helps organizations establish what do we need to do if we’re in the healthcare space and we need to adhere to HIPAA requirements. One of the areas that is interesting from a US perspective: now we’ve seen obviously GDPR, I think four or five years old now as a regulation, CCPA in the US for California, but what’s interesting in the States is there are many state-level privacy laws and regulations or requirements, and there are also many states that don’t have privacy laws. Well, there’s a new one that’s been going through the relevant bodies called the American Data Privacy and Protection Act. It’s still some way off, but this is a new proposed federal privacy bill.
Thomas: I believe it’s still at a draft legislation stage, so still early days, but it gives an insight into what’s happening with the greater need to have a country-wide framework to establish how do we protect consumer information and consumer data. So it’s interesting to see both, at the level of greater understanding from a third party perspective and the wider supply chain, to more specific practices at standardizing frameworks around information security, data privacy, data protection. Lastly, in the bottom left-hand corner we have something called the NCSC, the National Cyber Security Centre, which is in the United Kingdom. It’s a part of government, and its purpose has been to promote best practice and use of cyber processes, good cyber hygiene. And its main use is to drive best practice across industries, particularly for small and medium enterprises. And so in some cases where we’ll have updates through regulators, driving new regulation and new law, we also have government bodies and standards bodies who are there to drive best practices. So less about regulation, more about making sure when attacks occur, when threats occur, such as the volume of ransomware we’ve received over the past two, three, four years, to provide clear and timely guidance to organizations and industries. And it’s important to highlight this because again, when you’re thinking about your TPRM journey, you’re looking at using a standard such as SIG or… It’s also important to keep up to date with what’s happening in the industry, in the sector, and new and emerging threats. And it’s using regulators and people such as the NCSC, or CISA in the United States, that can help drive that discussion of do we need to adjust; again, to Alistair’s point earlier, do we need to look at multiple frameworks and do we need to combine multiple frameworks?
Thomas: They offer the best of all worlds in terms of what we’re trying to get out of third party assessments.

Alistair: Thank you, Thomas. And of course, by all means, everybody on the call, we will actually spend more time in subsequent webinars going into a bit more detail about the ADPPA, HIPAA, PCI of course as well, and some of the NCSC content that was coming out and is emerging as well.

Thomas: Yes.

Alistair: So I wanted to give a bit of a high-level overview of the various acronyms that we see today. Thank you, Thomas. So one other thing that we are seeing a fair bit of as well at the moment is of course ESG. ESG does seem to be a bit of a buzzword, and of course anti-bribery management systems as well, but to start with, for those who aren’t aware, there is of course the UN Global Compact. So the UN Global Compact is a voluntary initiative; essentially it’s focused on corporate sustainability, and the primary objective of it is to try and encourage better collaboration and better drivers and focus on things like human rights, labor, corruption of course, and the environment. So it’s an interesting initiative from that perspective. It’s been around for some time, but we’re really seeing ESG and anti-bribery of course focusing on some core areas. So if you look at ESG and you break out its composite bits, environmental, social, and governance, from that perspective you can see some sub-areas here. So we’re seeing more and more frameworks themselves starting to dive into this, looking at criteria such as resource use, emissions, innovations, human rights, workforce, and then of course downstream to shareholder management, corporate social responsibility and so on. It’s a very interesting topic. It’s very broad, and for a bit of insight and visibility for everybody.
Alistair: There are of course lots of different products and criteria that can support on that. But this is typically either by interacting directly with the organization to get some insights, because it’s a very hard criteria to actually ultimately assess and have a benchmark against, or by looking at things like shareholder reports from publicly trading companies who are producing shareholder reports. They tend to give a bit of insight into things like CSR, broader strategy and ESG, and anti-bribery and corruption on a whole. There is the CPI as well, the Corruption Perception Index, which gives you an indication on how corrupt the primary operating company is, sorry, country is, but these are all really indicators, and you can see on the right-hand side some of the challenges in this: it is actually being able to identify how good an organization fundamentally is if they’re closed book, if they’re a private organization, and that in turn creates challenges. There are of course vested interests, vested parties in the organization. People like marketing, of course, who are certainly happy to hear that the supply chain is green, doesn’t involve human trafficking, human slavery, modern slavery in that respect. But of course there’s the warm fuzzy feeling we should all feel as human beings in knowing that we’re interacting with ethical people and ethical organizations. So you have the various vested parties contributing to that. But the thing to bear in mind is that yes, there are some common criteria and domains that you would see that do extend over to the UN Global Compact as well. But when you’re looking at ESG, CSR, ABMS, we are seeing frameworks like even ISO 20, sorry, the ISO standards starting to focus a bit more on it. So you have criteria such as ISO 37000 for example, looking at anti-bribery management systems.
Alistair: You know, we are seeing more and more frameworks evolving, global frameworks that is, evolving to cover things such as ABMS, ESG and CSR on a whole.

Thomas: And I guess absolutely, yes, and I mean ISO, that’s a good one you mentioned there in terms of anti-bribery. There are standards around corporate social responsibility covering some of the areas that you’ve touched on around sort of human trafficking and some of the ethical issues, and I guess particularly given how relatively new a topic it is, it’s always going to be a challenge, isn’t it, to get that structure and that standardization in place. I know that there are various bodies out there looking to create standards on ESG and commonly accepted standards, but it’s something that can take quite a bit of time. So I guess at the early stage having any visibility around these core topics of environmental use, of social responsibilities and governance is very critical at the moment. Obviously very timely, but it’s definitely something that’s not going to go away. It’s going to be an ever-increasing…

Alistair: Discussion topic. Definitely. Thank you. So, we’re just going to spend five minutes covering a little bit on FISMA and NIST specifically, and then we’re going to answer some of the questions, and try and reserve a few minutes because we have had a lot of questions. We’ve done our best to answer them as we go along, but we can target some time at the end there. So Thomas, I wonder if you could give us a bit of insight into, yes, really what FISMA and NIST is.

Thomas: Yes. So we’ve talked at reasonable length around NIST, particularly around 800-53. This is more touching on NIST as a business and FISMA, another key acronym.
Thomas: So FISMA, the Federal Information Security Management Act, 2002 I believe, or NIST, the National Institute of Standards and Technology. There’s a lot of interrelation between the two, but on the other side they are very, very different. So standardizing terms, definitions and control requirements obviously helps to develop a strong, consistent framework, and it’s always key to have bodies, agencies, institutions that help set such requirements. Sometimes there can be a bit of confusion: are they the same thing? Well, as we can see on the screen, FISMA itself, no, it is an act, an act of government. It is specific for US government agencies. Their purpose has always been to set a high level of standards in terms of information and cyber security: assets, securing operational systems and infrastructure, and information as well. There are seven so-called high-level requirements that are covered under FISMA. Everything from creating security controls to conducting risk assessments to developing governance frameworks and establishing key policies and processes. But underneath this sit hundreds of security controls. You may think, well, isn’t this just NIST? Well, the difference is NIST actually isn’t an agency in the US. I mentioned 800-53 was originally designed to target government agencies in promoting best practice for information security; it is of course used by non-government agencies as well. But NIST is a much wider organization and, as the name suggests, promotes adoption of standards, of new and emerging technologies, across a range of industries. So it sets those standards and frameworks for managing risk across all sorts of domains. Information security and privacy are quite big; there are dedicated standards around using supply chain and risk management.
Thomas: And then even sector-specific standards as well. We mentioned obviously the implementation of HIPAA frameworks around security and privacy controls. So it sets a wide range of standards with which to work. And there is a link between the two as well. So though FISMA is an act of government that needs to be followed by agencies, it uses a lot of security standards and baselines from NIST as well to achieve or to demonstrate compliance to the FISMA requirements. I mentioned at the start, when you’re looking at the likes of SIG for example, or ISO and SOC 2, there’s commonality between some terminologies they use, from access control to continuity and so forth, and it’s similar between the FISMA high-level requirements and security controls and some of the security control requirements that NIST set as well. So we’ve got an act of parliament, or an act of government in the US, and then a wider government agency that sets the wider standards and frameworks.

Alistair: Brilliant. Thank you, Thomas, and I appreciate this is a bit of a light foray into these, and to highlight again, we will have deep dives into these respective frameworks and standards in more detail over the coming weeks and months, but I just wanted to hand over to Melissa to do a poll question before we move on to the final question sets, or whatever we can get around to in the time we’ve got.

Melissa: Perfect. Thank you both. Yeah, I’m going to go ahead and launch that last poll. I know everyone’s brain is very full with all these acronyms. So, I’ll give you a moment to digest it. But we’re just curious if you are looking to augment or establish a third-party risk program in the coming months. So, you know, be honest with us. We do follow up with you.
Melissa: So, I’m going to go ahead and leave that up there. And Alistair, Thomas, if there are any more questions that you want to go ahead and chip away at, you have five more minutes or so and then I’ll sign us off.

Alistair: Fantastic. Thank you very much.

Thomas: Yeah.

Alistair: So, while we get the last questions in, by all means, please feel free to ask a question. We’ll do our best to get to it and we’ll certainly weave some of those into this. But, you know, ultimately, what have we identified so far today? We have seen quite a few questions, interestingly, about really weaving standards and frameworks and regulations into similar conversations, which is interesting because we quite often do see private organizations building up their respective frameworks to address a root cause problem, which could be an industry-specific or an industry-focused framework, sorry, regulation that exists out there. But we think it’s quite hard to believe that there’s going to be a point where there is a one-size-fits-all framework which covers absolutely everything, the gamut of all the localized industry requirements and all the regulations that are aligned to that as well. But Thomas, how do we identify what, well, from your perspective, how have we found out how we can identify acronyms that matter?

Thomas: Identify acronyms that matter? Well, I guess in part it comes down to, I guess from my aspect, the focus of the organization. So thinking about the purpose and necessity for conducting TPRM, and particularly if you’re just starting out on that journey, I guess there will always be acronyms that will be commonplace amongst a lot of standards, that will become commonplace for you regardless of the framework you’re working with. I mentioned some from the ISO and other standards.
Thomas: But I guess in my aspect it really comes down to understanding what you’re trying to achieve from your TPRM, but also, once you know where there are sector-specific requirements, where there are industry-specific requirements, that’s the best starting point: to be familiar with what the financial sector is saying, what the healthcare sector is saying, what are the key terms that they’re using that you can use to demonstrate implementing best practices and key requirements.

Alistair: Thank you. Appreciate that. So, we’ve seen a lot of questions, too many in fact to answer, in relation to TPRM or TPLM, which ties into what’s becoming prominent. So, ESG of course is a big focus point for that, and the emerging regulations, the consolidation of things like privacy standards and frameworks in the US, is certainly interesting. But when it comes to how to incrementally manage the program, because there have been a fair few questions on that, there are a fair few initial steps of course: speaking to the business, getting collective responsibility, and understanding what the regulations are and what the obligations are. But then, if you’re looking to incrementally manage it, things like continuous monitoring give you insights into understanding what that third party is exposed to, whether it’s cyber insights, whether it’s data breach information for privacy management, or whether it’s just general business information. Too often we see the challenge of people looking at these frameworks as a one-and-done approach, which unfortunately is not going to solve the issue.
Alistair: We need to have some degree of continuous monitoring and insight into understanding what’s happening, and that includes offboarding, exit strategies, exit plans with third parties, understanding about destruction of data, notification of relevant personnel, etc. There’s an extensive life cycle that we need to really consider, of course, when it comes to the third party management piece. If people have questions and queries on how to actually apply that, feel free to reach out to us. It’s certainly something that we live and breathe and we can answer that in a bit more detail separately. But I have one question here that I wanted to ask you, Thomas, and potentially it’s one of our closing ones, which is privacy specifically. So there are multiple privacy laws, multiple privacy regulations, and of course they’re quite disparate based on geography. Do you foresee consolidation over time beyond just, say, the US, and is there any guidance you’d give on how people can be mindful of localized privacy regs in each territory that they’re operating in?

Thomas: Yes, this has always been a particular concern, right from the initial US-EU Privacy Shield, before that was disbanded, to what GDPR is saying versus, say, CCPA. What’s interesting is there already is a lot of commonality again between those frameworks, and where a lot of the nuance changes are is, for example, the way data breach is addressed, the methods, the notification, the timelines. Now there has been some effort to try and standardize an approach to do this. One of the most perhaps notable at the moment is a standard called 27701 that allows us to create a higher-level view of privacy information, and it gives the option to bring in a lot of mapping between different frameworks and state-level and international regulations.
Thomas: So there is potential there, and it is something that I think is going to improve.

Alistair: Thank you, Thomas.

Melissa: All right, well, that is pretty much it for now. Thank you guys for all your questions, and I hope you enjoyed this webinar with Alistair and Thomas. They certainly gave us many acronyms to think about, and I’m sure we’ll see you very soon. Take care, everybody.

Alistair: Bye.

Thomas: Thank you.

©2025 Mitratech, Inc. All rights reserved.
