When an organization outsources services or operations to a third-party vendor, the vendor may now have access to sensitive organizational information. Once the information is shared with the vendor, the organization is no longer in control of their data, so organizations must rely on contractual language to ensure vendors/service providers are adequately protecting and securing your information that they are accessing, processing, or managing.
An organization’s vendor management program is how third-party vendors are vetted, selected, onboarded, managed, and monitored. Prior to a department or unit making the decision to purchase a product or service from a third-party vendor that will access, process, or maintain sensitive organizational information, your organization should have a defined policy and process that requires the vendor is compliant with all applicable information security and privacy laws, regulations, and organizational policies. All third-party vendors and systems should undergo a thorough security review before approval.
Vetting the Vendor
Many higher education institutions utilize the Higher Education Community Vendor Assessment Tool (HECVAT) to verify the controls vendors have in place for protecting sensitive information. Depending on what type of information will be shared with the vendor, an organization may require the complete HECVAT, or different organizations may have a customized set of controls that need to be met. As part of the security review, the vendor may be asked to provide supplementary documentation. The team performing the assessment may need additional details or evidence of implemented security controls to determine if the vendor’s responses are plausible.
In order to know what security controls are required, you must first define exactly what types of information will be shared. For example, if payment card data is involved, the vendor will need to demonstrate and provide documentation of compliance with the PCI DSS. Different compliance standards require various certification requirements as described below:
The Family Educational Rights and Privacy Act (FERPA) provides specific protections for student education records. In situations where confidential student data is hosted or accessed by a third-party service provider, a written contract with the service provider must acknowledge and address FERPA protections and obligations for student records handling with certain data protection elements.
If PII from educational records will be shared with contractors or other third parties, the following rules apply:
- Third-party is performing an institutional service or function for which the institution would otherwise use employees
- Third-party has been determined to meet the criteria set forth in the institution’s annual notification of FERPA rights for being an official with a legitimate educational interest in the student records
- Third-party is under the direct control of the institution with respect to the use and maintenance of the education records
- Third-party only uses education records for authorized purposes and may not re-disclose PII to other parties.
It is also important to list what data elements will be shared with the third-party service provider and how that information will be used and for what purpose. The use of the records should be limited to only those purposes specified in the contract and not used for targeted advertising, marketing, etc.
All third-party service providers accessing student records should have a defined security plan and schools may want to conduct periodic security and privacy audits to confirm the policies and procedures to ensure the security and confidentiality of the data are being followed. Procedures for responding to a breach of student records should also be clear and include when and how notification of the breach will be issued and by whom. There should also be a plan for data destruction once a contract expires that outlines a timeline and methodology for destroying all data when the relationship ends.
FERPA regulations state that if a third-party improperly discloses PII from an education record, or fails to provide the notification, the school may not allow that third-party access to PII from education records for at least five years. (FERPA 34 CFR Part 99.33 (e))
Requirement 12.8 states that organizations must maintain and implement policies and procedures to manage third-party service providers. A service provider is defined by the PCI SSC as follows:
“Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data.”
- 12.8.1 requires a list of service providers and a description of the services provided.
- 12.8.2 states that organizations must “maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess.”
- 12.8.3 asks for an established process for engaging service providers, including proper due diligence prior to engagement
- 12.8.4 stipulates that organizations must maintain a program to monitor service providers’ PCI DSS compliance status at least annually. Service providers are required to provide organizations with an annual verification of compliance. For more information on third-party service providers as it relates to PCI, click here.
- 12.85. asks if information is maintained about which requirements are managed by each service provider, and which are managed by the organization.
The Gramm-Leach-Bliley Act (GLBA) requires organizations to take reasonable steps to select and retain service providers who maintain appropriate safeguards for covered data (i.e. any personally identifiable financial information – provided by a consumer to a financial institution; resulting from any transaction with the consumer, or any service performed for the consumer, or otherwise obtained by the institution. This may include names and addresses, bank account numbers, payment card numbers, social security numbers, tax return information, student loan application data, credit history, and credit reports.
A service provider is defined as any party that is permitted access to a financial institution’s customer information through the provision of services directly to the organization. For more information on managing third-parties as part of your GLBA compliance program, click here.
Organizations must ensure compliance with current safeguarding rules when contracting to transmit Health Insurance Portability and Accountability Act (HIPAA) protected health information (PHI) to a third-party service provider. PHI is defined as any personal health information that can potentially be used to identify an individual that was created, used, or disclosed in the course of providing healthcare services, whether it was diagnosis or treatment. This can include information in medical records, conversations between healthcare staff, as well as billing and insurance information.
Covered entities must engage any vendors/service providers in a Business Associate Agreement (BAA) when transferring PHI outside of the organization. The BAA will clarify and limit the permissible uses and disclosures of the PHI, require the business associate to implement appropriate safeguards to prevent unauthorized use or disclosure of the information, and also makes the business associate directly liable and subject to civil penalties for failing to safeguard electronic PHI in accordance with the HIPAA Security Rule.
Under the European General Data Protection Regulation (GDPR), organizations that collect, use, or store the personal data of EU residents must ensure all vendors acknowledge that they are acting as a “processor” of personal data for the organization, and that all applicable requirements of the GDPR are incorporated through the terms of the contract agreement.
GDPR personal data can include name, identification number, location data, physical address, email address, photographs, videos, voice recordings, biometric data, etc. Under GDPR processors are required to act only on documented instructions from the organization and contracts should include the following:
- Data protection requirements.
- Vendor’s ability to help respond, fulfill, and document all subject requests around the right to data portability, right of access, right to rectification, right to be forgotten, right to restriction of processing, etc.
- Third-party vendor must notify the organization without undue delay after becoming aware of a data breach and required to cooperate in the investigation and remediation of the breach; and assist with any notifications as required.
It is important to analyze how a third-party application is planned to be used specifically at your organization. It can be helpful to create a data flow diagram that documents where the information will be coming in, how it is input, where it will be stored, servers, any additional third-parties involved, etc. Even though another institution or organization may have verified the vendor through their security assessment, that doesn’t necessarily mean they have the same use case or configuration.
One gap that is often overlooked is that a department or unit may initially only be looking to implement one of the many services the vendor or the solution provides. For example, the department may initially only plan to use the application for registering students for free training courses. Because no payments are being taken, the fact that payments CAN be taken within the application is not noted within procurement’s initial review. Six months later, that unit decides to take advantage of the payment card functionality and no one has vetted that application for PCI compliance. When reviewing a potential third-party solution, make sure the assessment process is reviewing all available services and define within the contract what services can or will be used.
Which brings us to the next point. Third-party and vendor risk management must be embedded within procurement processes so no contracts are signed without fully understanding what types of information will be shared and performing a comprehensive review of the vendor’s ability to protect that information. Although the reputational risk will always remain with the organization, the contract/agreement with a third-party vendor is critical. Contract language should outline security controls, processes and procedures, as well as the expectations for the vendor. Specifically, the contract should define the roles and responsibilities that fall to the vendor, and those that remain with the organization. Address this as early as possible in the procurement process so all terms can be clearly defined in the agreement and negotiated during the contract phase (not after an agreement has been signed).
We mentioned some contract specifics under the various regulations and standards above, but all contracts should include:
- Types of data being accessed
- Acceptable methods of data access
- Acceptable use of organizational resources (systems and staff)
- Process for monitoring compliance
- Right to audit or assess the vendor’s security practices
- Required training
- Incident notification requirements
- Monitoring the Vendor
As more and more services are moved to the cloud, security teams are seeing a shift in their responsibilities from managing infrastructure and systems to largely managing vendors and third-party contracts. Although the initial security assessment requires the most work, it is also critical to continuously monitor and assess service provider compliance. Vendors may need to provide documentation or proof of their continued compliance annually. Organizations may also require the vendor to undergo a follow-up assessment every 3-5 years to ensure appropriate security controls are still in place and any new risks are being addressed. Experts also recommend you “assume the breach” and regularly scan systems for any signs of current or past compromises within third-party applications.
As much as possible, your organization should maintain an inventory of all third-party vendors. Document all due diligence efforts that have been performed (i.e. assessments, collected documentation, research, etc.), as well as ongoing monitoring activities. For example, is the current PCI Attestation of Compliance (AoC) about to expire? Is the vendor contract up for renewal next month? Have the business contacts for the vendor relationship changed? It can also be valuable to prioritize vendors as critical/non-critical and as high, medium, and low risk based on the type of information being shared and the criticality of the services they provide. This information should be included in your key performance indicators so senior leadership understands the risks of these third-party relationships, and how the organization has worked to mitigate or limit the potential impact to the organization if a breach were to occur.
Information security is only as strong as your organization’s weakest link, and recent headlines have shown that link is often a third-party that has failed to adequately secure their systems or information. Remember the infamous Target breach? Cyber attackers gained access to Target’s systems through credentials stolen from a third-party vendor. Home Depot? Again, criminals used a third-party vendor’s username and password to enter the perimeter of Home Depot’s network. The Solar Winds hack was a strong reminder that even organizations with strong information security programs can be breached. Most recently, customers of IT Security company Accellion confirmed they were victims of data theft due to a security flaw in the third-party’s legacy file transfer software.
The complexity and sophistication of third-party attacks are growing at an exponential rate as cyber criminals are seeing the value of gaining access to multiple organizations with one hack. Establishing a continuous and comprehensive vendor management program is a key component to protecting your organization’s data.
Some additional guidance from the CampusGuard Security Advisor Team:
[King]: More and more we see third parties the target of data breaches. The payoff for attackers increases when multiple organizations can be compromised in a single attack, which makes these breaches enticing for malicious actors. So how do you know who to trust with your organization’s sensitive data and critical systems? A strong vendor management program protects an organization at acquisition by reviewing the security posture of third parties and ensuring appropriate protections are included in legal agreements governing these relationships. Ongoing management of third parties ensures protections remain effective if the contractual relationship evolves or as the security needs of organization change over time.