At InfoSec World 2020 on Tuesday, a pair of risk officers from Party City offered an inside glimpse into how the $2.1 billion specialty retailer pulled off its first-ever top-down enterprise-wide IT risk assessment. Among the chief success factors they cited were: executive buy-in, the collaboration of skilled partners, assuring adequate resources, well-planned project scoping, and collaboration with its business operations.
Co-speaker Rolando Espinoza, director, governance, risk and compliance, security validation, said the company had previously performed a bottom-up risk assessment in the form of a cyber maturity assessment (CMA). But the retailer was looking to focus beyond mere security controls when evaluating risk.
To perform this broader risk assessment, the risk team would have "take into consideration the organization, the business processes, the mission and then how our information systems, and the risk related to those, align," said Espinoza. He also said the assessment program would need to look at the company's strategic goals and objectives, its priorities, and its availability of resources and skill sets, as well as laws and regulations that the retailer must comply with, including Europe's GDPR.
Ultimately, the organization assembled a core team for the project, which consisted of internal experts in information security, auditing, and risk and controls -- plus management, including corporate and local business and IT senior leadership. A third-party vendor was later also brought on to conduct the actual assessment.
The participation of management was especially key, said Espinoza's co-presenter, Angelita Negron-Nieves, director of risk and controls at Party City. "For us it was so critical to have an engaged executive leadership that was willing to set the tone very early on and define why we were executing this review," she said.
"It’s critical as risk professionals that we continue to communicate to management that a risk management program can help them achieve performance targets and prevent losses and, in fact, it does create and preserve company value," Negron-Nieves said at another point in the presentation.
Partnering with business operations throughout the process was also essential to understand IT systems from their point of view. "It wasn’t only an IT assessment," explained Negron-Nieves. "We really needed to make sure that the business was involved as well, because they’re the only ones that could really speak and articulate what the impact could be if the system is down for a day or if it was down for two days. How does that quantify into actual dollars?"
The assessment process kicked off with an organizational exposure survey that was sent out to the various businesses units that fell within the scope of the assessment, along with a Provided by Client (PBC) request for documents supporting the risk audit. The survey was designed to seek out details on businesses processes, data types, business and IT operations characteristics, IT infrastructure and historical incidents that might paint a picture of risk exposure across the organization.
From there the retailer conducted on-site meetings to validate the survey claims, then conducted interviews and analyzed the survey PBC results. Next, IT management reviewed the findings and validated them, which led to a final report and the development of a risk register. (Party City's session did not share any actual findings from the report or reveal any examples of exposed risks.)
With more than 800 locations, Party City is the number-one party goods retailer in North America, but also a manufacturer and wholesaler of party supplies. "So it’s not a stretch for me and for us to say that Party City is fairly complex and that all of those elements needed to be factored in to our IT risk assessment," said Negron-Nieves.
For that reason, well before any actual assessment was conducted, much pre-planning was necessary. For staters, as mentioned earlier, Party City needed to secure executive buy-in and ensure its core assessment team had the sufficient subject matter expertise to proceed, and recruit help where resources were needed. "We needed to inventory our folks internally and see where the gaps really resided," said Negron-Nieves.
Once the core team was assembled, its members worked to set goals, timelines, budgets and scope for the assessment. And they sought to develop both qualitative and quantitative risk assessment framework that would be repeatable over time.
Negron-Nieves said defining the scope was the most challenging aspect of planning the assessment because of the company's complexity of international operations. Ultimately, the assessment covered 41 separate business processes -- from store and manufacturing operations to human resources and payroll to supply chain and logistics -- and 12 global locations spread out across the U.S., Mexico, the UK, Germany and China.
Another key move during the planning stages was to lean on Party City's procurement department for the vetting of potential IT assessment third-party vendors and negotiating contracts with them. Eventually, the organization developed a vendor scorecarding process that Negron-Nieves said "does a great job of outlining what criteria were important to us in terms of experience, competitiveness on cost, and a couple of other areas that we felt were important," including vendors' projected assessment timelines and past work samples.
Later, a subcommittee selected the top three vendor candidates and an executive committee made final choice.