Dodging Breaches from Dodgy Vendors: Tackling Vendor Risk Management in Healthcare
- Laurence Johnston
- 8 years ago
2 Dodging Breaches from Dodgy Vendors: Tackling Vendor Risk Management in Healthcare
Strengthening Cybersecurity Defenders #ISC2Congress

3 Healthcare and Security
"Information Security is simply a personal commitment to take very seriously the responsibility to uphold the trust that patients placed on us when sharing their most intimate information during the most vulnerable moments of their lives." - Fernando Pedroza, Information Security Officer, University of Colorado Health
4 The Unlocked Backdoor to Healthcare Data
» Majority of healthcare vendors lack minimum security practices, well short of HIPAA standards
» Healthcare organizations are often unaware of how many of their vendors have access to protected health information
» There are an overwhelming number of small and niche healthcare vendors for organizations to manage
» Healthcare organizations do little to gain assurances or enforce security requirements for vendors
News headline: "Target CEO, CIO resign after massive breach caused by vendor"
5 Vendor Risk Management versus Vendor Security Risk Management
» Vendor Risk Management (VRM) typically focuses on elements such as financial risk, legal risk, supply chain risk, etc.
» VRM is not focused on information security risk and does little to tell you about a vendor's ability to protect your confidential information.
» Vendor Security Risk Management (VSRM) services fill this gap with an objective security analysis of existing and prospective vendors.
» VSRM services can provide organizations with a level of confidence in the ability of a vendor to protect their confidential information.
6 Why a Strong VSRM Program is Important
Ponemon Institute Report, March 2014: third-party snafus are attributed for 41 percent of breaches
PwC 2013 Global State of Information Security Survey: over the past three years, the number of security incidents at companies attributed to partners and vendors has risen, increasing from 20% in 2010 to 28% in 2012
Trustwave 2012 Global Security Report: 76% of data breaches analyzed by Trustwave resulted from a third party which introduced the security deficiencies that were ultimately exploited
7 What is the exposure?
» 50% or more of your vendors have inadequate controls: covered entity on the hook for HHS and patient notification
» Vendors are inconsistently and infrequently assessed: compliance exposure and willful neglect of vendor risk
» 50% or more of vendors do not have financial capability to handle breach notification: covered entity incurs brunt of financial and reputational impact
8 Current State
All data references from Corl Technologies Healthcare Vendor Security Report
9 An average hospital's data is accessible by hundreds to thousands of vendors providing a wide range of services
Business Services (e.g., legal, accounting, data destruction)
Business Services - Revenue Cycle (e.g., billing, collections)
Business Services - Business Process Outsourcing (e.g., marketing, coding, transcription)
Claims Processing
Consulting - Healthcare Processes
Consulting - IT & Security
Educational
Healthcare Technologies
Industry Trade Groups
Medical Devices
Medical Supplies
Clinical Support Services
Network Development & Management
Security Software
Hosting Services
10 Existing vendor security programs have significant blind spots
Most healthcare organizations focus due diligence on their largest vendors, BUT breach data shows that over half of breaches are attributed to smaller companies.
Healthcare Organization's Vendor Breakdown by Size: S 34%, M 24%, L 21%, VL 21%
"Smaller firms are also often attacked in attempt to get to bigger firms." - The Washington Post
11 Vendors are not protecting healthcare data
Vendor Score Definitions
A - High confidence that vendor demonstrates a strong culture of security
B - Moderate confidence that vendor demonstrates a culture of security
C - Indeterminate confidence that vendor demonstrates a culture of security
D - Lack of confidence based on demonstrated weaknesses with vendor's culture of security
F - No confidence in vendor's ability to protect information
Vendor Score Breakdown: A+ 3%, A 1%, B+ 6%, B 7%, B- 3%, C+ 5%, C 8%, C- 1%, D+ 8%, D 26%, D- 24%, F 8%
12 Understanding Risk
Different types of vendor organizations require different strategies
VSRM programs adapt risk strategies to the size and capabilities of the vendor's organization
[Chart: count of vendors at each score (A through F), broken down by vendor size S, M, L and VL]
13 Healthcare organizations are not holding vendors accountable for meeting minimum acceptable security standards
» Security certifications provide third-party validation of security practices
» Examples for the industry include: HITRUST, AICPA SOC 2 and 3 reports, ISO, FedRAMP
» Important for organizations to understand the scope and baseline criteria used for certifications
Vendors holding security certifications: Yes 32%, No 68%
14 Fundamentals
15 Common Vendor Security Program Weaknesses
» Leadership communication: difficulty in accurately communicating risk exposure to leadership; communication is inconsistent
» Vendor communication: communication is sporadic, inconsistent and unclear
16 Why are there weaknesses?
» Seeing the forest for the trees
  Too busy gathering data, leaving limited time for risk management.
  Unclear objectives for vendor security risk management: check-the-box compliance or true reduction of risk?
  Lack of executive-level reporting.
17 Why are there weaknesses? (cont.)
» Data gathering is not aligned with objectives
  Data does not support risk management decision making.
  Data transfers risk from the vendor to your organization!
  Data is gathered at a point in time.
  Data is not adequately verified, and could be unreliable or untrue.
» Overwhelming volume
  Resource capacity cannot meet existing requirements.
  Vendors in healthcare, on average, score poorly on security risk measures, so more due diligence is often required.
» Lack of cooperation from vendors
  Time consuming and unproductive to continually follow up with non-responsive vendors.
18 Breach Risk versus Security Program Maturity
Mature security program = security controls that will reliably protect data over the long term
[Chart: breach risk (HIGH / MED / LOW) falling as security program maturity rises through these stages: ad-hoc / informal security; policies, procedures and tech controls; policies, procedures and tech controls for key controls; security leadership and capable resources; executive-led information protection programs]
19 Understanding Risk versus Assurance Options
[Chart: level of understanding of risk, from limited to high, against vendor security assurance option]
Assurance options, from limited to high level of understanding:
Contractual Obligations
Vendor Attestation of Controls
3rd Party Verification of Key Controls
Customer Verification of Key Controls
Periodic 3rd Party Certification of Vendor's Security Program
Periodic Customer Verification of Security Program
Continuous Monitoring of Vendor's Security Program
20 Assurance Costs versus Assurance Options
Requiring certifications is the most efficient approach to validating effective vendor security programs over time
[Chart: assurance cost (LOW / MED / HIGH) for each vendor security assurance option: Contractual Obligations; Vendor Attestation of Controls; 3rd Party Verification of Key Controls; Customer Verification of Key Controls; Periodic 3rd Party Certification of Vendor's Security Program; Periodic Customer Verification of Security Program; Continuous Monitoring of Vendor's Security Program]
21 Assurance Value versus Assurance Cost
[Chart: level of assurance and assurance cost (LOW / MED / HIGH) for each vendor security assurance option, with the lowest-cost option marked: Contractual Obligations; Vendor Attestation of Controls; 3rd Party Verification of Key Controls; Customer Verification of Key Controls; Periodic 3rd Party Verification of Vendor's Security Program; Periodic Customer Verification of Security Program; Continuous Monitoring of Vendor's Security Program]
22 Complete VSRM Program

23 Life-cycle capabilities
1. Profile
2. Due Diligence
3. Apply Risk Strategy
4. Monitoring
24 Life-cycle capabilities (process flow)
1. Profile
  1.1 Identify Vendors
  1.2 Request Vendor List
  1.3 Analyze Vendor Exposure Likelihood
  1.4 Analyze Potential Breach Impact
  1.5 Generate Vendor Risk Profile
  1.6 PHI Only
  1.7 Run Corl Score
  1.8 Select Vendors for Due Diligence
  Profile inputs: PHI, last 12 months spend, business description, name, company size, company age, risk of financial failure, existence or absence of offshore operations
  Decision points: New vendor? Contract with end vendor(s)?
  Initial vendor risk profile: identify generalized risk parameters (age, size, financial risk, offshore operations), identify potential breach impact (spend, sector), create initial vendor risk profile
2. Due Diligence
  2.1 Evaluate Vendor Risk: calculate generalized vendor risk and generate the initial vendor risk map; if there are known vendor security concerns, document them and update the potential impact score; review the vendor risk profile and update vendor data if refinements are needed
  2.2 Request Corl Report
  2.3 Issue Vendor Security Questionnaire
  2.4 Conduct Desk Audit
  2.5 Conduct On-site Audit
  Steps 2.2 to 2.5 use internal or external resources; after each, ask whether more information is required to satisfy due diligence. Once the risk is understood, proceed to 3.0 Apply Risk Strategy.
3. Apply Risk Strategy
4. Monitoring
  4.1 Define Vendor Monitoring Strategy (low, medium or high level monitoring)
  4.2 Select Vendor Monitoring Strategy
  4.3 Review Vendor Monitoring Strategy (does the monitoring strategy need to be updated?)
  4.5 Enforce Vendor Monitoring Strategy
  Loop back to 1.0: profile vendors based on updated information
25 1. Vendor Profiling
OBJECTIVE
» To quickly and efficiently identify high-risk vendors
  Pre-emptively avoid any potential risk
  Focus resources on those vendors that present the least confidence
IMPLEMENTATION
Risk = Impact x Likelihood
» Likelihood: factors that increase the probability the vendor will experience or cause a breach
» Impact: if the vendor experiences a breach, the loss (dollars, downtime) that Client can expect to incur

26 Initial Vendor Risk Profile
» Method for profiling and prioritizing vendor security risk
» Relative risk ranking
» Establishes a priority and a methodology for moving forward
27 2. Vendor Due Diligence
OBJECTIVE
» Gather data to support risk strategy
IMPLEMENTATION
» Leverage intelligence
» No need to perform diligence if you already understand the follow-up risk strategy
» Level of risk should drive level of due diligence and/or assurance
28 Leverage intelligence to determine appropriate assurance for vendor population
[Chart across total vendors: Traditional Approach covers a portion of vendors with validated responses and audits, leaving the rest with no reasonable assurance; Intelligence Based Approach adds an initial risk profile and intelligence ahead of validated responses and audits, reaching reasonable assurance]
29 Using Intelligence to Determine Assurance Strategy
Example: risk strategies may vary depending on nature of vendor offering to organization
Report score A: Monitor vendor; perform audit to confirm accuracy of certification
Report score B: Perform additional due diligence (interview CISO, review SSAE-16); require additional certification
Report score C: Perform additional due diligence (interview CISO); require key control attestation; require certification
Report score D: Require key control attestation; require certification; limit access to data; increase insurance requirements
Report score F: Immediately contact vendor; limit access to data; increase insurance requirements
30 3. Risk Strategy
OBJECTIVE
» To take the appropriate action to manage and reduce the risk to Client presented by the vendor.
RISK TREATMENT OPTIONS
» Avoidance (cancel contract, eliminate access to PHI)
» Reduction (ensure vendor has reliable security program)
» Sharing (transfer: cyber-risk insurance)
» Retention (accept and budget)

31 Residual Risk Profile
Program Management Reports
» Clear vision of vendor security risk management objectives
» Executive-level communication
» Program effectiveness
32 Risk Strategy by Organization Type: Large / Medium
Score A:
  1. Monitor status of certification
  2. Monitor for breach
  3. Annual reevaluation
  4. Minimum Large Company Cyber Risk Insurance Level
Score B:
  1. Require certification within 12 months or remediation of issue
  2. Monitor for progress
  3. Monitor for breach
  4. Annual reevaluation
  5. Minimum Cyber Risk Insurance Level + 10%
Score C:
  1. Require remediation of key controls within 6 months
  2. Require certification within months
  3. Monitor for progress
  4. Monitor for breach
  5. Annual reevaluation
  6. Minimum Cyber Risk Insurance Level +10% to 50%
Score D:
  1. Require remediation of key controls within 6 months
  2. Require certification and remediation of issue within months
  3. Monitor for progress
  4. Monitor for breach
  5. Annual reevaluation
  6. Double of minimum Cyber Risk Insurance Level
  7. Start investigating solution options
Score F:
  1. Activate incident handling procedures
33 Risk Strategy by Organization Type: Medium / Low
Score A:
  1. Monitor status of certification
  2. Monitor for breach
  3. Annual reevaluation
  4. Minimum Small Company Cyber Risk Insurance Level
Score B:
  1. Require remediation of key controls within 6 months
  2. Option 1: Require certification within months
  3. Option 2: Require 3rd party confirmation of key controls
  4. Monitor for progress
  5. Monitor for breach
  6. Annual reevaluation
  7. Minimum Small Company Cyber Risk Insurance Level + 10%
Score C:
  1. Require remediation of key controls within 6 months
  2. Option 1: Require certification within months
  3. Option 2: Require 3rd party confirmation of key controls
  4. Monitor for progress
  5. Monitor for breach
  6. Annual reevaluation
  7. Minimum Cyber Risk Insurance Level +10% to 50%
Score D:
  1. Require remediation of key controls within 6 months
  2. Require certification and remediation of issue within months
  3. Monitor for progress
  4. Monitor for breach
  5. Annual re-evaluation
  6. Double of minimum Cyber Risk Insurance Level
  7. Start investigating solution options
Score F:
  1. Activate incident handling procedures
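The profiling formula on slide 25 (Risk = Impact x Likelihood over the profile inputs of slide 24), the relative ranking of slide 26, and the score-by-organization-type tables of slides 32 and 33 combine into one small program. The following is an added example, not code from the deck or from CORL Technologies: the weights, the age threshold, the mapping of S/M to the Medium / Low table and L/VL to the Large / Medium table, and the sample vendors are all assumptions, and the A-F score is assumed to come from an external assessment.

```python
from dataclasses import dataclass

# Assumption: smaller vendors carry higher breach likelihood (slide 10: over
# half of breaches are attributed to smaller companies).
SIZE_LIKELIHOOD = {"S": 1.0, "M": 0.8, "L": 0.6, "VL": 0.6}
# Assumption: the assessed A-F score is the strongest likelihood signal.
GRADE_LIKELIHOOD = {"A": 0.2, "B": 0.4, "C": 0.6, "D": 0.8, "F": 1.0}

@dataclass(frozen=True)
class VendorProfile:
    name: str
    phi_access: bool              # vendor can reach protected health information
    spend_last_12_months: float   # USD, proxy for the scale of the relationship
    company_size: str             # "S", "M", "L" or "VL"
    company_age_years: int
    financial_failure_risk: bool  # flagged by a financial-health check
    offshore_operations: bool
    score: str                    # assessed letter grade, e.g. "A+" or "D-"

def grade(v):
    """Collapse '+'/'-' modifiers so 'D-' and 'D+' share one strategy row."""
    g = v.score.strip().upper()[:1]
    if g not in GRADE_LIKELIHOOD:
        raise ValueError(f"unknown vendor score {v.score!r}")
    return g

def likelihood(v):
    """0..1: factors raising the probability the vendor causes or suffers a breach."""
    young = 1.0 if v.company_age_years < 3 else 0.3  # assumption: young firms less mature
    return round(0.5 * GRADE_LIKELIHOOD[grade(v)] + 0.2 * SIZE_LIKELIHOOD[v.company_size]
                 + 0.1 * young + 0.1 * v.financial_failure_risk
                 + 0.1 * v.offshore_operations, 3)

def impact(v):
    """0..1: the loss the covered entity expects if this vendor is breached."""
    phi = 0.6 if v.phi_access else 0.0                          # assumption: PHI dominates
    scale = 0.3 * min(v.spend_last_12_months / 1_000_000, 1.0)  # assumption: capped spend
    return round(0.1 + phi + scale, 3)

def risk(v):
    """Risk = Impact x Likelihood, as stated on slide 25."""
    return round(impact(v) * likelihood(v), 3)

def rank_vendors(vendors):
    """Relative risk ranking (slide 26): highest risk first, so due diligence starts there."""
    return sorted(((v.name, risk(v)) for v in vendors), key=lambda t: t[1], reverse=True)

# Strategy tables transcribed from slides 32 and 33; the D and F rows are the
# same for both organization types. "within months" keeps the slide's missing number.
_D = ("Require remediation of key controls within 6 months",
      "Require certification and remediation of issue within months",
      "Monitor for progress", "Monitor for breach", "Annual reevaluation",
      "Double of minimum Cyber Risk Insurance Level", "Start investigating solution options")
_F = ("Activate incident handling procedures",)
LARGE_MEDIUM = {
    "A": ("Monitor status of certification", "Monitor for breach", "Annual reevaluation",
          "Minimum Large Company Cyber Risk Insurance Level"),
    "B": ("Require certification within 12 months or remediation of issue",
          "Monitor for progress", "Monitor for breach", "Annual reevaluation",
          "Minimum Cyber Risk Insurance Level + 10%"),
    "C": ("Require remediation of key controls within 6 months",
          "Require certification within months", "Monitor for progress",
          "Monitor for breach", "Annual reevaluation",
          "Minimum Cyber Risk Insurance Level +10% to 50%"),
    "D": _D, "F": _F,
}
_SMALL_CORE = ("Require remediation of key controls within 6 months",
               "Option 1: Require certification within months",
               "Option 2: Require 3rd party confirmation of key controls",
               "Monitor for progress", "Monitor for breach", "Annual reevaluation")
MEDIUM_LOW = {
    "A": ("Monitor status of certification", "Monitor for breach", "Annual reevaluation",
          "Minimum Small Company Cyber Risk Insurance Level"),
    "B": _SMALL_CORE + ("Minimum Small Company Cyber Risk Insurance Level + 10%",),
    "C": _SMALL_CORE + ("Minimum Cyber Risk Insurance Level +10% to 50%",),
    "D": _D, "F": _F,
}

def org_type(v):
    """Assumption: L and VL vendors use the Large / Medium table, S and M the Medium / Low one."""
    return "Large / Medium" if v.company_size in ("L", "VL") else "Medium / Low"

def risk_strategy(v):
    """Ordered actions from the table matching the vendor's organization type and score."""
    table = LARGE_MEDIUM if org_type(v) == "Large / Medium" else MEDIUM_LOW
    return table[grade(v)]

# Constructed sample vendors (fictional names and values).
SAMPLE_VENDORS = [
    VendorProfile("BigBilling Corp", True, 2_500_000, "VL", 25, False, False, "B+"),
    VendorProfile("NicheTranscribe LLC", True, 60_000, "S", 2, True, True, "D-"),
    VendorProfile("OfficeSupplies Inc", False, 40_000, "M", 15, False, False, "C"),
]

if __name__ == "__main__":
    for name, r in rank_vendors(SAMPLE_VENDORS):
        print(f"{name:22s} risk={r:.3f}")
    for v in SAMPLE_VENDORS:
        print(f"{v.name}: {org_type(v)} -> {risk_strategy(v)[0]}")
```

Note that the small, young, offshore D- vendor with PHI access outranks the very large B+ vendor despite a far lower spend, which is the blind spot slide 10 describes.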
34 4. Monitoring
OBJECTIVE
» To periodically re-evaluate the vendor to ensure risks do not increase and milestones, if any, are being met.
IMPLEMENTATION
» Based on the vendor's risk classification, determine if changes in risk have occurred since the last review
Vendor classification: Moderate to Low risk Vendors
  Monitoring activities: Re-profile vendor for basic changes in inherent risk, including recent breaches, financial performance, mergers and acquisitions
  Monitoring frequency: Once per year or on notice of a major event.
Vendor classification: Moderate-High to Critical Vendors
  Monitoring activities: Re-profile vendor for basic changes in inherent risk. Review the status of corrective actions to ensure deadlines and milestones are met.
  Monitoring frequency: Once per quarter to once per year depending on corrective actions, or on notice of a major event.
35 On-going Monitoring
» Many organizations rarely revisit their initial vendor assessments to determine if the risk profile has improved or deteriorated
» Implement a mechanism for on-going monitoring and updates of vendor risk profiles
» Implement a notification process for events such as breaches or expiration of a security certification
Inputs: Community Input, Report Updates, Alerts

36 Better Risk Management
[Diagram comparing today's solutions with VSRM services on quality of data and on time and investment, across Procurement and Contracting, Risk Assessment, Risk Management, and Monitoring]

37 Next Steps
» Identify stakeholders
» Outline Client governance structure
» Select vendors
» Begin VSRM process

38 Thank You
» Cliff Baker
» Brian Selfridge
More informationHITECH & The Cloud: Control and Accessibility of Data Downstream
HITECH & The Cloud: Control and Accessibility of Data Downstream David Holtzman, OCR (Moderator) James Koenig, Privacy Leader; Health Information Privacy & Security Practice Co-Leader, PricewaterhouseCoopers
More informationInformation Technology Security Review April 16, 2012
Information Technology Security Review April 16, 2012 The Office of the City Auditor conducted this project in accordance with the International Standards for the Professional Practice of Internal Auditing
More informationDUE DILIGENCE Designing and Implementing a Three-Step Cybersecurity Framework for Assessing and Vetting Third Parties (Part One of Two)
DUE DILIGENCE Designing and Implementing a Three-Step Cybersecurity Framework for Assessing and Vetting Third Parties (Part One of Two) By Amy Terry Sheehan Vendors and other third parties are vital to
More informationBest Practices in ICS Security for Device Manufacturers. A Wurldtech White Paper
Best Practices in ICS Security for Device Manufacturers A Wurldtech White Paper No part of this document may be distributed, reproduced or posted without the express written permission of Wurldtech Security
More informationCFPB Readiness Series: Compliant Vendor Management Overview
CFPB Readiness Series: Compliant Vendor Management Overview Legal Disclaimer This information is not intended to be legal advice and may not be used as legal advice. Legal advice must be tailored to the
More informationwww.pwc.com The data breach lifecycle: From prevention to response IAPP global privacy summit March 6, 2014 (4:30-5:30) Draft v8 2-25-14
www.pwc.com The data breach lifecycle: From prevention to response IAPP global privacy summit (4:30-5:30) Draft v8 2-25-14 Common Myths 1. You have not been hacked. 2. Cyber security is about keeping the
More informationInsulate Your Company from a Cyber Breach: Proactive Steps to Minimize Breach Risks & Impact. February 10, 2015
Insulate Your Company from a Cyber Breach: Proactive Steps to Minimize Breach Risks & Impact February 10, 2015 Overview 1 The Legal Risks And Issues/The Role Of Legal Counsel: The Breach Coach The Slippery
More informationBusiness Associate Management Methodology
Methodology auxilioinc.com 844.874.0684 Table of Contents Methodology Overview 3 Use Case 1: Upstream of s I manage business associates 4 System 5 Use Case 2: Eco System of s I manage business associates
More informationAUDIT REPORT. The Energy Information Administration s Information Technology Program
U.S. Department of Energy Office of Inspector General Office of Audits and Inspections AUDIT REPORT The Energy Information Administration s Information Technology Program DOE-OIG-16-04 November 2015 Department
More informationSOC Readiness Assessments. SOC Report - Type 1. SOC Report - Type 2. Building Trust and Confidence in Third-Party Relationships
Building Trust and Confidence in Third-Party Relationships Today s businesses rely heavily on outsourcing certain business tasks or functions to service organizations, even those that are core to their
More informationVendor Management Challenge Doing More with Less
Vendor Management Challenge Doing More with Less Megan Hertzler Assistant General Counsel Director of Data Privacy Xcel Energy Boris Segalis Partner InfoLawGroup LLP Session ID: GRC-402 Insert presenter
More informationManaging cyber risks with insurance
www.pwc.com.tr/cybersecurity Managing cyber risks with insurance Key factors to consider when evaluating how cyber insurance can enhance your security program June 2014 Managing cyber risks to sensitive
More informationWHITE PAPER Third-Party Risk Management Lifecycle Guide
WHITE PAPER Third-Party Risk Management Lifecycle Guide Develop and maintain compliant third-party relationships by following these foundational components of a best-practice assessment program. Third
More informationManaging Cyber Security as a Business Risk: Cyber Insurance in the Digital Age
Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: August 2013
More informationVendor Management. Outsourcing Technology Services
Vendor Management Outsourcing Technology Services Objectives Board and Senior Management Responsibilities Risk Management Program Risk Assessment Service Provider Selection Contracts Ongoing Monitoring
More information9/14/2015. Before we begin. Learning Objectives. Kevin Secrest IT Audit Manager, University of Pennsylvania
Evaluating and Managing Third Party IT Service Providers Are You Really Getting The Assurance You Need To Mitigate Information Security and Privacy Risks? Kevin Secrest IT Audit Manager, University of
More informationOur Commitment to Information Security
Our Commitment to Information Security What is HIPPA? Health Insurance Portability and Accountability Act 1996 The HIPAA Privacy regulations require health care providers and organizations, as well as
More informationSecuring Today s Healthcare Enterprise Systems Time to Rethink Your Cybersecurity Strategy
As seen in Securing Today s Healthcare Enterprise Systems Time to Rethink Your Cybersecurity Strategy Adam Hesse, Inc. Published June 26, 2015 Anyone following today s headlines is aware that cyberattacks
More informationManaging data security and privacy risk of third-party vendors
Managing data security and privacy risk of third-party vendors The use of third-party vendors for key business functions is here to stay. Routine sharing of critical information assets, including protected
More informationCYBERSECURITY: Is Your Business Ready?
CYBERSECURITY: Is Your Business Ready? Cybersecurity: Is your business ready? Cyber risk is just like any other corporate risk and it must be managed from the top. An organization will spend time monitoring
More informationPerforming Vendor Risk Assessments
Performing Vendor Risk Assessments You can outsource the work, but you can t outsource the risk! Presented by Jennifer F Alfafara Consultant, Resources Global Professionals Introduction 2 There is significant
More informationCyber Security. Moderator: Marla J. Kreindler, Partner, Morgan, Lewis & Bockius LLP
Cyber Security Moderator: Marla J. Kreindler, Partner, Morgan, Lewis & Bockius LLP Speakers: Keith Overly, Executive Director, Ohio Deferred Compensation Program Raj Patel, Partner, Plante & Moran, PLLC
More informationGold study sponsor: Is cyber security now too hard for enterprises? Cyber security trends in the UK. Executive Summary
Gold study sponsor: Is cyber security now too hard for enterprises? Cyber security trends in the UK Executive Summary Core statements I. Cyber security is now too hard for enterprises The threat is increasing
More informationOC Chapter. Vendor Risk Management. Cover the basics of a good VRM program, standards, frameworks, pitfall and best outcomes.
OC Chapter Vendor Risk Management. Cover the basics of a good VRM program, standards, frameworks, pitfall and best outcomes. 2 Why Assess a Vendor? You don t want to be a Target for hackers via your vendors
More informationExposing the hidden cost of Payroll and HR Administration A total cost of ownership study
www.pwc.com/ca Exposing the hidden cost of Payroll and HR Administration A total cost of ownership study A PwC/ADP study March 2012 Executive overview Do you know how much your organization is really
More informationCybersecurity..Is your PE Firm Ready? October 30, 2014
Cybersecurity..Is your PE Firm Ready? October 30, 2014 The Panel Melinda Scott, Founding Partner, Scott Goldring Eric Feldman, Chief Information Officer, The Riverside Company Joe Campbell, CTO, PEF Services
More informationClient Update SEC Releases Updated Cybersecurity Examination Guidelines
Client Update September 18, 2015 1 Client Update SEC Releases Updated Cybersecurity Examination Guidelines NEW YORK Jeremy Feigelson jfeigelson@debevoise.com Jim Pastore jjpastore@debevoise.com David Sarratt
More informationHITRUST CSF Assurance Program
HITRUST CSF Assurance Program Simplifying the Meaningful Use Privacy and Security Risk Assessment September 2010 Table of Contents Regulatory Background CSF Assurance Program Simplifying the Risk Assessment
More informationHIPAA Compliance Review Analysis and Summary of Results
HIPAA Compliance Review Analysis and Summary of Results Centers for Medicare & Medicaid Services (CMS) Office of E-Health Standards and Services (OESS) Reviews 2008 Table of Contents Introduction 1 Risk
More informationthe evolving governance Model for CYBERSECURITY RISK By Gary owen, Director, Promontory Financial Group
the evolving governance Model for CYBERSECURITY RISK By Gary owen, Director, Promontory Financial Group 54 Banking PersPective Quarter 2, 2014 Responsibility for the oversight of information security and
More informationCompliance. Group Standard
Group Standard Compliance Serco is committed to good governance practices and the management of risks supported by a robust business compliance process SMS-GS-G2 Compliance July 2014 v1.0 Serco Public
More informationIT Cloud / Data Security Vendor Risk Management Associated with Data Security. September 9, 2014
IT Cloud / Data Security Vendor Risk Management Associated with Data Security September 9, 2014 Speakers Brian Thomas, CISA, CISSP In charge of Weaver s IT Advisory Services, broad focus on IT risk, security
More informationCloud Security Benchmark Webinar. January 7, 2015 11:00 AM ET
Cloud Security Benchmark Webinar Top 10 Cloud Service Providers: Q4 2014 January 7, 2015 11:00 AM ET Disclaimer NO WARRANTY. CloudeAssurance makes this presentahon available AS- IS, and makes no warranty
More informationInformation Technology
Information Technology Information Technology Session Structure Board of director actions Significant and emerging IT risks Practical questions Resources Compensating Controls at the Directorate Level
More informationVulnerability management lifecycle: defining vulnerability management
Framework for building a vulnerability management lifecycle program http://searchsecurity.techtarget.com/magazinecontent/framework-for-building-avulnerability-management-lifecycle-program August 2011 By
More informationCompliance Guide ISO 27002. Compliance Guide. September 2015. Contents. Introduction 1. Detailed Controls Mapping 2.
ISO 27002 Compliance Guide September 2015 Contents Compliance Guide 01 02 03 Introduction 1 Detailed Controls Mapping 2 About Rapid7 7 01 INTRODUCTION If you re looking for a comprehensive, global framework
More informationData Security in Development & Testing
Data Security in Development & Testing Sponsored by Micro Focus Independently conducted by Ponemon Institute LLC Publication Date: July 31, 2009 Ponemon Institute Research Report Data Security in Development
More information