FFIEC Update: Ensuring Resiliency of Outsourced Technology Services

Earlier this month the Federal Financial Institutions Examination Council (FFIEC) released a new appendix to its Information Technology Examination Handbook: "Strengthening the Resilience of Outsourced Technology Services."

Outsourcing technology services often makes good business sense for financial services institutions. It allows them to benefit from outside expertise and alleviate internal workloads, increasing their professionalism and efficiency.

The FFIEC acknowledges this fact with one caveat: Your organization's management and board are still responsible for making sure "outsourced activities are conducted in a safe and sound manner." This responsibility entails making sure the third-party provider provides an adequate level of resiliency so as not to disrupt key processes in the financial services organization.

Below are a few key guidelines from the FFIEC document.

Address Risk

Because your firm remains ultimately responsible for the activities it outsources, be aware of the risk factors you face when working with a third-party technology services provider and establish controls to mitigate those risks. To assess the level of risk, perform due diligence on the provider's business continuity program (BCP), establish clear guidelines in your contract with the provider and continually monitor the vendor's services.

Be Aware of the Provider's Scalability

Organizations rely on technology for critical processes more than ever before. Any outage of critical technology can be detrimental to your business. For this reason, you need to be familiar with a service provider’s ability to respond to a few types of scenarios:

  • A widespread physical disaster or cyber threat in which multiple organizations are affected and need continued service.
  • An isolated incident affecting a single service provider location, which in turn affects several firms.
  • Other continuity scenarios, such as financial distress.

In each of these scenarios, assess the service provider's ability to meet your recovery time objectives (RTOs) and recovery point objectives (RPOs). Prepare contingency plans to ensure the continuity of key applications.

Make Sure the Service Provider Has a Business Continuity Plan

A service provider needs to have identified single points of failure and created a comprehensive business continuity plan that addresses restoration of key services. Being familiar with the provisions of a service provider’s BCP will allow you to make adequate preparations in your own BCP.

Involve the Provider in Testing

Services provided by third parties should be included in regular business continuity testing, especially if the services provided are critical business functions.

The FFIEC recommends testing in conjunction with the service provider. These tests have a two-fold benefit in that they demonstrate both parties’ ability to recover within the designated time frames and to meet contractual obligations. However, some third parties service hundreds of organizations and as such might not be able to participate in one-on-one tests. In these cases, you should still ensure that you’re familiar with the provider’s testing scope, frequency and remediation activities.

Prepare for Cyber Threats

With the predominance of virtualized infrastructures, you need to adequately prepare for cyber threats. The FFIEC recommends preparing incident response strategies for the following types of threats:

  • Malware
  • Insider threats
  • Data systems destruction and corruption
  • Communications system disruption
  • Simultaneous attacks on the firm and service provider
  • Cyber attacks

You should review incident response strategies to keep pace with the evolving threat landscape.

To read the full appendix, visit ithandbook.ffiec.gov.

[Webinar Recap] I Need A Compliant Business Continuity Strategy. Now What?

Today organizations in regulated industries know that to remain compliant with industry and federal regulations, they need a well-rounded business continuity strategy. Unfortunately, developing a strategy can be a challenge, which is why during our webinar with DRJ earlier this week, Rentsys Senior Manager Brandon Tanner offered tips for getting started with compliance.

After the show, participants had several great questions for Brandon, so we’ve featured a few highlights below.

Q: How do I know which recovery time objectives (RTOs) and recovery point objectives (RPOs) are applicable to my organization?
A: I would start with asking, “What does our business impact analysis say today? What are our established RTOs and RPOs?”

Then I'd go and take a look at the regulatory bodies that are tied to your particular organization and industry and look to identify any areas where you're told how to classify your data (for instance, critical or urgent) and given timelines associated with those. Also consult with some of your peers that may have information on that piece.

Finally you’ll want to look at service level agreements (SLAs) that your organization has tied to service delivery.

Those three things allow you to come to a reasoned framework for determining the appropriate RTOs and RPOs. If there’s a gap, you have a tool for discussing how to prioritize each of those requirements. You’ll want to meet the most aggressive requirement.

Q: Who needs to have a SOC 2 and how is it different from a business associate agreement (BAA)?
A: Any critical vendor you’re dependent on and that is tied to your compliance requirements and service level agreements should have that SOC 2 report because you need to have visibility into what they’re doing.

A BAA is an agreement between the organizations. It does tie into HIPAA and how the data you deal with is protected, but what’s to validate that what’s in the BAA is actually happening? Now, obviously if the agreement has been signed and something does happen, there’s liability associated with it, but in a SOC 2 there’s actually validation from third parties. If you’re a healthcare organization, I’d require a SOC 2 and a BAA.

Q: What is the best approach to getting critical third-party providers to embrace BC compliance?
A: If you’ve got critical third-party vendors that are resistant to BC compliance, I would look for alternative vendors. But I would also say if you’re struggling there, it’s an executive-level decision.

If your business arrangements or compliance requirements are tied to that vendor embracing business continuity, whoever manages the business relationship should have those requirements written into the documentation. There should be a service level agreement tied to it and expectations that they will comply with those standards. The SLA needs to be tested, so the vendor needs to be able to prove to your organization that they have validated the requirements. Once you get that far, now you're most likely talking again about the SOC 2.

To see the complete webinar, get it on demand here.

Where in the World Is Your Data?

Recently The Internet Archive resurrected several nostalgic computer games, including the 1980s-era “Where in the World Is Carmen Sandiego?” In the game, players join the ACME Detective Agency to track down a troupe of thieving villains led by the elusive Carmen Sandiego.

The only way players can stop Carmen and her thieves is to use their geography knowledge to gather clues and pinpoint the crooks’ locations. If players get a location wrong, they have to retrace their steps and try again, all the while losing precious time.

In this respect, disaster recovery (DR) has something in common with “Where in the World Is Carmen Sandiego?” If backups are vaulted in the wrong geographic location, you limit your ability to rebound from an incident within the necessary recovery time objectives (RTOs). 

Why Is Location Important?

The goal of strategically selecting where your data will be vaulted is to minimize organizational risk as much as possible. To achieve this goal, you need to solve for two separate RTOs, one for each of these scenarios:

  • Operational issues that are specific to your individual environment (e.g., a server outage)
  • Regional disasters

An operational issue would most likely have a lower RTO and would allow for local data vaulting. A regional disaster would have an equal or less aggressive RTO, because events affecting several providers in a given area are viewed differently than an event affecting a single entity only. Unfortunately, many organizations focus solely on addressing operational RTOs in the DR planning process, which is catastrophic in a widespread event.

Where Should Data Be Stored?

The important thing is to have your data as close as possible, but far enough away to ensure there’s not a common risk between geographies. During Hurricane Sandy, for example, organizations with production operations in New York and DR in New Jersey went down.

That doesn't mean they should put their production in New York and move DR to Washington State, though. The further apart locations are, the more challenges exist from an availability and recovery perspective — not to mention cost and latency (affecting communications, user experience, etc.).

What About Data Stored in the Cloud?

When working with cloud providers, it’s important to be aware of where their back-end data centers are located — some providers have locations all over the world, whereas others have strategically placed facilities in the U.S. only. (If your business is subject to industry or federal regulations that require data to remain stateside, you’ll want to avoid your data being sent overseas.)

However, one of the benefits of the cloud is that it allows you to achieve a solution that addresses both operational and DR RTOs. Cloud providers have service level agreements that both IT and executive management can understand, as well as industry-specific compliance documentation (depending on the cloud), allowing the business to dictate risk aversion or assumption.

While pinpointing the best geographic locations for your data might not be as fun as tracking a world-class villain, it's a key part of the DR planning process that can save you time when you need it most.

[INFOGRAPHIC] Insider Threats: The Hidden Risks Within Your Organization

Did you know that 89 percent of organizations are vulnerable to insider threats? To see where vulnerabilities lie and what organizations are doing to protect their data, check out this infographic by Vormetric.

How will your data security practices change this year?

Why the Desktop-as-a-Service Market Is Growing

XaaS cloud solutions are infiltrating the tech world: infrastructure-as-a-service, software-as-a-service, platform-as-a-service, desktop-as-a-service (DaaS) and so on. Of these, DaaS probably spends the least time in the spotlight, but it's nevertheless gaining in popularity.

Last year, according to 451 Research, the market for virtual desktop infrastructure (VDI), which is the foundation for DaaS, grew 30 percent in the span of a year. It's expected to repeat that growth pattern through 2017.

So what is it about DaaS that adopters find appealing? Let's look at a few key benefits.

Ability to Manage More Users and Devices

Computerworld cited DaaS as a "BYOD assist." With employees using multiple devices — some personal and some company owned — it can be challenging to restrict access to corporate data and make sure devices are running up-to-date operating systems and software patches. Because DaaS consists of virtual desktops, users are able to access their same desktop configuration from any device, giving them the flexibility and mobility they're accustomed to. At the same time, IT gets to maintain control over data and applications.

Flexible Backup Options

In addition to better user management capabilities, DaaS provides enhanced backup capabilities. IT personnel can administer the desktop remotely, backing up data and critical applications as needed. Plus, as TechTarget points out, they have the option of recovering a whole image or just a file. (For more on why this ability is a huge plus for a backup solution, read this post on backing up your files versus backing up your environment.)

Greater Disaster Recovery Capabilities for SMBs

Enterprise backup and recovery solutions can be expensive, making it difficult for SMBs to implement adequate disaster recovery (DR) measures. DaaS puts greater DR capabilities within their reach. DaaS providers will typically host the solution and utilize a pay-as-you-go fee structure, allowing users to scale utilization during peak periods (e.g., a DR test or event) and avoid paying for services they don't use. Even enterprise organizations can benefit from DaaS by using it to extend their available workforce during a business interruption without in turn overextending their DR budgets.

With greater, more affordable control over devices and data, it's not hard to see why the DaaS market is growing. To learn more about data management in the cloud era, check out this infographic.

Three Noteworthy Regulatory Run-ins During 2014

Companies in regulated industries like healthcare or financial services are facing increased pressure to remain compliant — a challenge when organizations face volatile factors such as new security vulnerabilities, staff’s failure to follow company policy or a third party’s negligence. The result is an increasing number of regulatory run-ins. Here are a few noteworthy incidents that made headlines in 2014.

Health Insurance Portability and Accountability Act

During the Heartbleed epidemic, Franklin, TN-based Community Health Systems had the personal information of 4.5 million patients stolen. Not only was this the largest Health Insurance Portability and Accountability Act (HIPAA) breach of 2014, but it was also the second largest HIPAA breach ever.

Sarbanes-Oxley Act

The CEO and former CFO of a computer equipment company, which went bankrupt in 2009, were charged with violating the Sarbanes-Oxley (SOX) Act. The CFO hid the fact that the company didn’t have adequate inventory controls and manipulated accounting records in order to increase the amount of money the company could borrow.

National Credit Union Administration

During a National Credit Union Administration (NCUA) examination of Palm Springs Federal Credit Union, an unencrypted flash drive containing credit union members’ personal data went missing. The NCUA later announced that the drive was lost due to the investigator himself failing to follow NCUA’s policies for protecting sensitive data.

To read more about how to cope with regulatory pressures, read our post “Compliance Concerns Are Rising — Here's What You Can Do About It.”

Wall of Shame: The Top Cause of Breaches Since Omnibus

The year 2013 was a pivotal time for the healthcare industry. Bioengineering developments reached new heights with emerging technologies such as electronic aspirin and a transcatheter aortic heart valve that provides an alternative to open-heart surgery.

And then there was HIPAA's omnibus rule. The rule extended HIPAA requirements to healthcare organizations' service providers, strengthened requirements for data protection and privacy practices, gave individuals more rights for obtaining access to healthcare records and increased maximum penalties for noncompliance.

Data Breaches Since Omnibus

Since omnibus went into effect, the number of organizations that have made the Department of Health and Human Service’s (HHS’s) "wall of shame" — the moniker given to the public, legally required listing of breaches affecting 500 or more individuals — has skyrocketed.

According to data we exported from HHS, 1,186 organizations have found themselves in HIPAA's bad graces during the time span of January 2013 to December 2014. Of the top 10 largest breaches, 70 percent were due to the loss or theft of information stored on backup tapes, servers, drives, desktop computers, laptops and other media.

Staying Compliant

Omnibus doesn't always offer prescriptive recommendations for avoiding breaches. However, healthcare providers can learn from the mistakes of others and take precautions to remain compliant, avoid fines, and most importantly, protect their patients' information.

Below are a few examples of solutions we recommend for healthcare providers looking to combat common breach causes:

We also encourage healthcare organizations to make sure any business continuity and disaster recovery vendors they consider working with have completed a third-party audit that meets regulatory standards, such as the Service Organization Controls 2 audit.

Ultimately, by taking proactive measures against security breaches, you can lessen your odds of landing a spot on the wall of shame.