IT Vendor Due Diligence. Jennifer McGill CIA, CISA, CGEIT IT Audit Director Carolinas HealthCare System December 9, 2014

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "IT Vendor Due Diligence. Jennifer McGill CIA, CISA, CGEIT IT Audit Director Carolinas HealthCare System December 9, 2014"

Transcription

1 IT Vendor Due Diligence Jennifer McGill CIA, CISA, CGEIT IT Audit Director Carolinas HealthCare System December 9, 2014

2 Carolinas HealthCare System (CHS) Second largest not-for-profit healthcare system in the nation Largest healthcare system in the Southeast 40 hospitals, 11 nursing homes and over 900 outpatient service locations Over 2,300 employed physicians and nearly 400 residents; More than 40,000 FTEs Net operating revenue: $7.8 billion AA-rated since 1983

3 CHS Audit Services Chief Audit Executive Reports to Chief Legal Counsel IT Audit Financial & Operational Audit Enterprise-wide 14 Computing Environments Charlotte-area Hospitals Corporate Operations Regional NC, SC, GA Hospitals and Health Systems Physician Practices Joint Ventures 1 Director 4 Auditors 1 Director 1 Manager 6 Auditors 1 Director 1 Manager 5 Auditors 2 Construction Auditors 1 Director 5 Auditors

4 Agenda Learning Objectives Background on Healthcare Technology Regulation Vendor Management Lifecycle Due Diligence as a Focus Area Risks and Control Objectives Audit and Assessment Techniques Connections to IT Investment Management & Cloud Computing Questions

5 Learning Objectives Understand the key control objectives in the vendor due diligence process and how they fit into the larger vendor management lifecycle. Discuss initial questions that will help determine audit strategy. Explore the connection between vendor management and IT investment management. Touch on the importance of vendor due diligence related to cloud computing strategy.

6 Electronic Medical Record systems have been in existence for 30 years 2003 Late 1990 s HIPAA Legislation Drafted Healthcare Technology Regulation 2005 HIPAA Security Rule compliance deadline Healthcare begins to be plagued by breaches 2008 HIPAA Privacy Rule compliance deadline In 2001, only 18% of providers have adopted EMRs OIG begins auditing CMS enforcement of Security Rule 2009 HITECH Act requires adoption of EMRs and includes Breach Notification Requirements 2014 Office for Civil Rights slow to start next phase of HIPAA Security compliance audits Concern over credit card breaches increases awareness of PCI requirements In 2013, 78% of providers have adopted EMRs 6

7 Vendor Management Definitions Vendor Management: The strategic process that is dedicated to management of vendor relationships so that value creation is maximized and risk to the enterprise is minimized. ~ISACA Vendor Management Due Diligence: Third-party vendor due diligence is a process used to make an informed business decision concerning the selection of the appropriate vendor. Due diligence is the gathering and analysis of detailed information about possible vendors. As with all business decisions, there are some risks that cannot be eliminated but can be managed. The purpose of due diligence is to help choose the best third-party vendor relationship given the risks and abilities or services available, and then to negotiate, contract, implement, and monitor to mitigate any residual risks. ~ CUNA Due Diligence Task Force

8 Vendor Management Lifecycle

9 Strategy Questions Do business line leaders know how to engage with IT to ask for what they need? Is IT strategy and business strategy aligned? Does your organization maintain a record of the vendors with which it does business? Are all IT services and solutions procured through a centralized process? Does your organization have an established Project Management Office? Are processes for engaging with vendors documented? Is there a separate process for evaluating IT vendor companies prior to evaluating the solutions or services offered?

10 Scope Selection

11 Risks and Control Objectives Risks Purchase IT services or solutions that do not meet the needs of the organization Pay too much for services or solutions; Process does not comply with policies related to vendor diversity, value analysis, etc. Select vendors with reputation, financial, security, design, capacity or service problems Enter a contractual relationship with a vendor without having reasonable assurance that requirements will be met Due Diligence Step Needs Assessment Request for Proposals Vendor Analysis Review and Approval Control Objectives Need for a solution is identified Business requirements are defined Regulatory & Info Security requirements are defined Approvals to move ahead with identifying a solution are obtained Opportunity to bid is presented to multiple vendors Information is gathered from vendors and analyzed Best vendors are accepted to move to the next step on the due diligence process Risk assessment (strategic, reputational, operational, financial, compliance ) is performed Financial analysis is performed Capability to meet business requirements is evaluated Vendor selection is made by authorized participants Selection is reviewed and approved by authorized leaders or committees Participants Business Unit Information Services IT Security IT Committees (approvals) Business Unit Information Services IT Security IT Committees (establish expectations for RFP) Business Unit Information Services IT Security IT Committees (verification) Business Unit Information Services IT Security IT Committees (approval) Selected Vendor Solution Moves to Implementation Phase

12 Testing Approach Needs Assessment Obtain access to the minutes from the prior 12 months of IT Steering Committee meetings Select a sample of Business Line Leaders who have presented projects for review Interview the Leaders to understand the process that they followed Review project documentation to determine if needs assessment was conducted Interview IT personnel assigned to the project to understand the process that they followed Determine if regulatory and information security requirements were defined and addressed Look for documented approvals

13 Testing Approach Request for Proposals Review project documentation to determine if the opportunity to bid was presented to multiple vendors Interview IT personnel assigned to the project to determine what information was requested from vendors in the Request for Proposals (RFP) Determine if regulatory and information security requirements were addressed in the RFP document Review project documentation to see which vendors responded to the RFP, examine the responses, and look for a comparative analysis of the responses Look for documented justification for the vendors accepted to move to the next step

14 Testing Approach Vendor Analysis Find out if there is a security committee, architectural review committee, and/or other oversight group(s) with responsibility for reviewing vendor information prior to final selection Review project documentation to determine if vendor risk assessment was conducted Determine if a financial analysis (business case) was completed Interview IT personnel to understand how they were involved in making the determination that the vendor would be able to meet identified needs

15 Testing Approach Review and Approval Interview the Business Line Leaders to understand the process that they followed to make the final vendor selection Review project documentation to determine if the selection was reviewed and approved by authorized leaders or committees

16 Results Identified need for comprehensive, documented process All parties involved followed a process, but it differed from one project team to the next None of the Business Line Leaders were familiar with the process Documentation was inconsistent, project names shifted from start to finish, IT personnel handed projects off from phase to phase IT personnel did not assert subject matter leadership to guide Business Line Leaders to make selections inclusive of IT strategy as well as business strategy Found a loophole in a fundamental organizational policy If responsibility for all IT vendor relationships and IT solution management resides with IT, make sure the policy states it explicitly

17 IT Investment Management Overview IT-enabled investments will: Be managed as a portfolio of investments Include the full scope of activities required to achieve business value Be managed through their full economic life cycle Value delivery practices will: Recognize there are different categories of investments that will be evaluated and managed differently Define and monitor key metrics and respond quickly to any changes or deviations Engage all stakeholders and assign appropriate accountability for the delivery of capabilities and the realization of business benefits Be continually monitored, evaluated and improved ~ISACA Val IT Guidance

18 Cloud Computing Strategy Cloud computing means that the computer hardware and software we use is provided for us as a service by another company and is accessed over the Internet, rather than sitting on our desktops or somewhere inside our network. The term "moving to the cloud" refers to an organization moving away from a traditional capital expenditure model (buy dedicated hardware and depreciate it over a period of time) to an operating expense model (use a shared cloud infrastructure and pay as we use it). Strong vendor due diligence practices are critical to protecting the organization s interests in this type of arrangement.

19 Questions & Discussion

Strategy, COBIT and Vision: HOW DO THEY RELATE? Ken Vander Wal, CISA, CPA, Past President, ISACA vandeke@gmail.com 11.16.2013

Strategy, COBIT and Vision: HOW DO THEY RELATE? Ken Vander Wal, CISA, CPA, Past President, ISACA vandeke@gmail.com 11.16.2013 Strategy, COBIT and Vision: HOW DO THEY RELATE? Ken Vander Wal, CISA, CPA, Past President, ISACA vandeke@gmail.com 11.16.2013 AGENDA IT s Changing Landscape ISACA s Response Vision and Mission COBIT 5

More information

SECURITY RISK MANAGEMENT

SECURITY RISK MANAGEMENT SECURITY RISK MANAGEMENT ISACA Atlanta Chapter, Geek Week August 20, 2013 Scott Ritchie, Manager, HA&W Information Assurance Services Scott Ritchie CISSP, CISA, PCI QSA, ISO 27001 Auditor Manager, HA&W

More information

VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium

VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium 1 VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium 2 Agenda Introduction Vendor Management what is? Available Guidance Vendor Management

More information

Information Security Governance:

Information Security Governance: Information Security Governance: Designing and Implementing Security Effectively 2 nd Athens International Forum on Security 15 16 Jan 2009 Anestis Demopoulos, CISA, CISSP, CIA President of ISACA Athens

More information

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? Introduction This material is designed to answer some of the commonly asked questions by business associates and other organizations

More information

Obtaining CSF Certification Lessons Learned and Why Do It

Obtaining CSF Certification Lessons Learned and Why Do It Obtaining CSF Certification Lessons Learned and Why Do It Aaron Miri, Chief Technology Officer, Children s medical Center of Dallas Ryan Sawyer, Director, Technology Risk and Identity Governance, WellPoint

More information

Vendor Security Risk Management

Vendor Security Risk Management ISACA San Francisco Fall Conference 2007 Vendor Security Risk Management Dan Morrison September 17, 2007 Topics of Discussion Context-Information, operations &

More information

IT Governance. What is it and how to audit it. 21 April 2009

IT Governance. What is it and how to audit it. 21 April 2009 What is it and how to audit it 21 April 2009 Agenda Can you define What are the key objectives of How should be structured Roles and responsibilities Key challenges and barriers Auditing Scope Test procedures

More information

Adding Cloud Solutions to Customer Contracts Robert J. Scott

Adding Cloud Solutions to Customer Contracts Robert J. Scott Adding Cloud Solutions to Customer Contracts Robert J. Scott MSP vs. Cloud Who owns the hardware? Where does the data reside? Dedicated vs. Multi tenant? Who contracts with 3 rd parties? How are services

More information

HCCA COMPLIANCE INSTITUTE. HCCA - AHIA Auditing & Monitoring Focus Group Progress Report

HCCA COMPLIANCE INSTITUTE. HCCA - AHIA Auditing & Monitoring Focus Group Progress Report HCCA COMPLIANCE INSTITUTE New Orleans, LA Tuesday, April 19, 2005 Workshop from 3:00pm 4:00pm HCCA - AHIA Auditing & Monitoring Focus Group Progress Report Randall Brown, CIA Baylor Healthcare System Corporate

More information

Agenda. OCR Audits of HIPAA Privacy, Security and Breach Notification, Phase 2. Linda Sanches, MPH Senior Advisor, Health Information Privacy 4/1/2014

Agenda. OCR Audits of HIPAA Privacy, Security and Breach Notification, Phase 2. Linda Sanches, MPH Senior Advisor, Health Information Privacy 4/1/2014 OCR Audits of HIPAA Privacy, Security and Breach Notification, Phase 2 Linda Sanches, MPH Senior Advisor, Health Information Privacy HCCA Compliance Institute March 31, 2014 Agenda Background Audit Phase

More information

A smarter way to protect your brand. Copyright 2012 Compliance 360 All Rights Reserved

A smarter way to protect your brand. Copyright 2012 Compliance 360 All Rights Reserved A smarter way to protect your brand Minimizing Compliance Risks of Proactive OCR HIPAA Audits Copyright 2012 Compliance 360 All Rights Reserved Compliance 360 at a Glance Compliance, Risk and Audit Solutions

More information

Emptoris Contract Management Solution for Healthcare Providers

Emptoris Contract Management Solution for Healthcare Providers Emptoris Contract Management Solution for Healthcare Providers An Emptoris White Paper Emptoris, an IBM Company www.emptoris.com CMS-HP-4/12 Emptoris Contract Management Solution for Healthcare Providers

More information

Question: 1 Which of the following should be the FIRST step in developing an information security plan?

Question: 1 Which of the following should be the FIRST step in developing an information security plan? 1 ISACA - CISM Certified Information Security Manager Exam Set: 1, INFORMATION SECURITY GOVERNANCE Question: 1 Which of the following should be the FIRST step in developing an information security plan?

More information

TOP 10 Security Questions Introduction Breaches and other privacy and security incidents in healthcare are on the rise due to the vast size of the industry and the oneoffs of protected health information

More information

Introduction to Vendor Management

Introduction to Vendor Management Introduction to Vendor Management BOI October 15, 2013 Speaker Brad Smith President, Abound Resources More than 20 years experience helping community bank achieve their business goals with technology 500+

More information

Anatomy of an IT Outsourcing Deal. Bruce Laco Deloitte John Pickett IT World Canada Barry Sookman McCarthy Tetrault

Anatomy of an IT Outsourcing Deal. Bruce Laco Deloitte John Pickett IT World Canada Barry Sookman McCarthy Tetrault Anatomy of an IT Outsourcing Deal Bruce Laco Deloitte John Pickett IT World Canada Barry Sookman McCarthy Tetrault 3656867 Agenda Key Considerations for IT Outsourcing Decision Anatomy of an Outsourcing

More information

Domain 1 The Process of Auditing Information Systems

Domain 1 The Process of Auditing Information Systems Certified Information Systems Auditor (CISA ) Certification Course Description Our 5-day ISACA Certified Information Systems Auditor (CISA) training course equips information professionals with the knowledge

More information

Implementing Practical Information Security Programs

Implementing Practical Information Security Programs Implementing Practical Information Security Programs CISO Summit March 17-19, 2013 Presented by: David Cass, SVP & Chief Information Security Officer, Elsevier Information Security & Data Protection Office

More information

Establishing A Multi-Factor Authentication Solution. Report to the Joint Legislative Oversight Committee on Information Technology

Establishing A Multi-Factor Authentication Solution. Report to the Joint Legislative Oversight Committee on Information Technology Establishing A Multi-Factor Authentication Solution Report to the Joint Legislative Oversight Committee on Information Technology Keith Werner State Chief Information Officer Department of Information

More information

3/17/2015. Healthcare Technology Audit Basics. Session Objectives. Jennifer McGill, CIA, CISA, CGEIT April 20, 2015

3/17/2015. Healthcare Technology Audit Basics. Session Objectives. Jennifer McGill, CIA, CISA, CGEIT April 20, 2015 Healthcare Technology Audit Basics Jennifer McGill, CIA, CISA, CGEIT April 20, 2015 Session Objectives Review information technology basic concepts. Use real world examples to identify and understand healthcare

More information

Healthcare Technology Audit Basics. Session Objectives

Healthcare Technology Audit Basics. Session Objectives Healthcare Technology Audit Basics Jennifer McGill, CIA, CISA, CGEIT April 20, 2015 Session Objectives Review information technology basic concepts. Use real world examples to identify and understand healthcare

More information

Dodging Breaches from Dodgy Vendors: Tackling Vendor Risk Management in Healthcare

Dodging Breaches from Dodgy Vendors: Tackling Vendor Risk Management in Healthcare Dodging Breaches from Dodgy Vendors: Tackling Vendor Risk Management in Healthcare Strengthening Cybersecurity Defenders #ISC2Congress Healthcare and Security "Information Security is simply a personal

More information

STATE OF NORTH CAROLINA

STATE OF NORTH CAROLINA STATE OF NORTH CAROLINA PERFORMANCE AUDIT DEPARTMENT OF ADMINISTRATION, DIVISION OF PURCHASE AND CONTRACT STATE TERM CONTRACTING PROCESS OCTOBER 2010 OFFICE OF THE STATE AUDITOR BETH A. WOOD, CPA STATE

More information

OFFICE OF AUDITS & ADVISORY SERVICES CLOUD COMPUTING AUDIT FINAL REPORT

OFFICE OF AUDITS & ADVISORY SERVICES CLOUD COMPUTING AUDIT FINAL REPORT County of San Diego Auditor and Controller OFFICE OF AUDITS & ADVISORY SERVICES CLOUD COMPUTING AUDIT FINAL REPORT Chief of Audits: Juan R. Perez Audit Manager: Lynne Prizzia, CISA, CRISC Senior Auditor:

More information

COMMUNIQUE. Information Technology (IT) Governance Guidance

COMMUNIQUE. Information Technology (IT) Governance Guidance COMMUNIQUE 14-COM-002 July 14, 2014 Information Technology (IT) Governance Guidance The Credit Union Prudential Supervisors Association (CUPSA) has established an IT Risk Working Group to focus on IT governance

More information

The HIPAA Omnibus Final Rule

The HIPAA Omnibus Final Rule WHITE PAPER The HIPAA Omnibus Final Rule Four risk exposure events that can uncover compliance issues leading to investigations, potential fines, and damage to your organization s reputation. By Virginia

More information

Cloud Computing Risks & Reality. Sandra Liepkalns, CRISC sandra.liepkalns@netrus.com

Cloud Computing Risks & Reality. Sandra Liepkalns, CRISC sandra.liepkalns@netrus.com Cloud Computing Risks & Reality Sandra Liepkalns, CRISC sandra.liepkalns@netrus.com What is Cloud Security The quality or state of being secure to be free from danger & minimize risk To be protected from

More information

FIVE KEY CONSIDERATIONS FOR ENABLING PRIVACY IN HEALTH INFORMATION EXCHANGES

FIVE KEY CONSIDERATIONS FOR ENABLING PRIVACY IN HEALTH INFORMATION EXCHANGES FIVE KEY CONSIDERATIONS FOR ENABLING PRIVACY IN HEALTH INFORMATION EXCHANGES The implications for privacy and security in the emergence of HIEs The emergence of health information exchanges (HIE) is widely

More information

Information Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services

Information Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services Information Security Policy Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services Contents 1 Purpose / Objective... 1 1.1 Information Security... 1 1.2 Purpose... 1 1.3 Objectives...

More information

Whitepaper: 7 Steps to Developing a Cloud Security Plan

Whitepaper: 7 Steps to Developing a Cloud Security Plan Whitepaper: 7 Steps to Developing a Cloud Security Plan Executive Summary: 7 Steps to Developing a Cloud Security Plan Designing and implementing an enterprise security plan can be a daunting task for

More information

CORL Dodging Breaches from Dodgy Vendors

CORL Dodging Breaches from Dodgy Vendors CORL Dodging Breaches from Dodgy Vendors Tackling Vendor Security Risk Management in Healthcare Introductions Cliff Baker 20 Years of Healthcare Security experience PricewaterhouseCoopers, HITRUST, Meditology

More information

Facing Information Security Challenges

Facing Information Security Challenges AKTINA Event Information Security & Cloud Challenges March 17, 2016 Facing Information Security Challenges ISACA Cyprus Chapter Paschalis Pissarides CRISC, CISM, CISA Immediate Past President (2010-2014)

More information

San Francisco Chapter. Presented by Mike O. Villegas, CISA, CISSP

San Francisco Chapter. Presented by Mike O. Villegas, CISA, CISSP Presented by Mike O. Villegas, CISA, CISSP Agenda Information Security (IS) Vision at Newegg.com Typical Issues at Most Organizations Information Security Governance Four Inter-related CoBIT Domains ISO

More information

2/9/2012. 2012 HIPAA Privacy and Security Audit Readiness. Table of contents

2/9/2012. 2012 HIPAA Privacy and Security Audit Readiness. Table of contents 2012 HIPAA Privacy and Security Audit Readiness Mark M. Johnson National HIPAA Services Director Table of contents Page Background 2 Regulatory Background and HITECH Impacts 3 Office of Civil Rights (OCR)

More information

Feature. Vendor Due Diligence

Feature. Vendor Due Diligence Feature Vendor Due Diligence Jennifer Bayuk, CISA, CISM, CGEIT, is an independent consultant on topics including information security policy, process, management and metrics. For 10 years she managed information

More information

VENDOR MANAGEMENT. General Overview

VENDOR MANAGEMENT. General Overview VENDOR MANAGEMENT General Overview With many organizations outsourcing services to other third-party entities, the issue of vendor management has become a noted topic in today s business world. Vendor

More information

HIPAA Privacy Rule Policies

HIPAA Privacy Rule Policies DRAFT - Policies and Procedures PRIVACY OFFICE ASSIGNMENT AND RESPONSIBILITIES APPROVED BY: SUPERCEDES POLICY: Policy #1 ADOPTED: REVISED: REVIEWED: Purpose This policy is designed to assure the establishment

More information

Stepping Through the Info Security Program. Jennifer Bayuk, CISA, CISM

Stepping Through the Info Security Program. Jennifer Bayuk, CISA, CISM Stepping Through the Info Security Program Jennifer Bayuk, CISA, CISM Infosec Program How to: compose an InfoSec Program cement a relationship between InfoSec program and IT Governance design roles and

More information

Data Recovery Service Providers: The Low Profile, High Impact Risk to Enterprise Security

Data Recovery Service Providers: The Low Profile, High Impact Risk to Enterprise Security Data Recovery Service Providers: The Low Profile, High Impact Risk to Enterprise Security Lynda C. Martel Executive Director, Government & Enterprise Business Relations DriveSavers Data Recovery, Inc.

More information

Cyber Security Consultancy Standard. Version 0.2 Crown Copyright 2015 All Rights Reserved. Page 1 of 13

Cyber Security Consultancy Standard. Version 0.2 Crown Copyright 2015 All Rights Reserved. Page 1 of 13 Cyber Security Consultancy Standard Version 0.2 Crown Copyright 2015 All Rights Reserved Page 1 of 13 Contents 1. Overview... 3 2. Assessment approach... 4 3. Requirements... 5 3.1 Service description...

More information

Citation for published version (APA): Berthing, H. H. (2014). Vision for IT Audit 2020. Abstract from Nordic ISACA Conference 2014, Oslo, Norway.

Citation for published version (APA): Berthing, H. H. (2014). Vision for IT Audit 2020. Abstract from Nordic ISACA Conference 2014, Oslo, Norway. Aalborg Universitet Vision for IT Audit 2020 Berthing, Hans Henrik Aabenhus Publication date: 2014 Document Version Early version, also known as pre-print Link to publication from Aalborg University Citation

More information

www.pwc.com Third Party Risk Management 12 April 2012

www.pwc.com Third Party Risk Management 12 April 2012 www.pwc.com Third Party Risk Management 12 April 2012 Agenda 1. Introductions 2. Drivers of Increased Focus on Third Parties 3. Governance 4. Third Party Risks and Scope 5. Third Party Risk Profiling 6.

More information

Introduction Auditing Internal Controls in an IT Environment SOx and the COSO Internal Controls Framework Roles and Responsibilities of IT Auditors

Introduction Auditing Internal Controls in an IT Environment SOx and the COSO Internal Controls Framework Roles and Responsibilities of IT Auditors Introduction Auditing Internal Controls in an IT Environment SOx and the COSO Internal Controls Framework Roles and Responsibilities of IT Auditors Importance of Effective Internal Controls and COSO COSO

More information

CLOUD SERVICE PROVIDER MANAGEMENT PROGRAM EVALUATION AND AUDIT

CLOUD SERVICE PROVIDER MANAGEMENT PROGRAM EVALUATION AND AUDIT CLOUD SERVICE PROVIDER MANAGEMENT PROGRAM EVALUATION AND AUDIT November 2015 INTRODUCTION Background Cloud computing is defined by the National Institute of Standards and Technology as a model for enabling

More information

2012 HIPAA Privacy and Security Audits

2012 HIPAA Privacy and Security Audits Office of the Secretary Office for Civil Rights (OCR) 2012 HIPAA Privacy and Security Audits Linda Sanches OCR Senior Advisor, Health Information Privacy Lead, HIPAA Compliance Audits OCR 1 Agenda Background

More information

CFPB Readiness Series: Compliant Vendor Management Overview

CFPB Readiness Series: Compliant Vendor Management Overview CFPB Readiness Series: Compliant Vendor Management Overview Legal Disclaimer This information is not intended to be legal advice and may not be used as legal advice. Legal advice must be tailored to the

More information

September 2005 Report No. 06-009

September 2005 Report No. 06-009 An Audit Report on The Health and Human Services Commission s Consolidation of Administrative Support Functions Report No. 06-009 John Keel, CPA State Auditor An Audit Report on The Health and Human Services

More information

FIRST COAST HEALTH ALLIANCE, LLC CHARTER AUDIT, FINANCE, AND NETWORK CONTRACTS COMMITTEE

FIRST COAST HEALTH ALLIANCE, LLC CHARTER AUDIT, FINANCE, AND NETWORK CONTRACTS COMMITTEE AUDIT, FINANCE, AND NETWORK CONTRACTS COMMITTEE 1. Establishment and Purpose. The Audit, Finance, and Networks Contracts Committee is established by the Board for the purpose of overseeing the integrity

More information

Duration: One year with the option of an additional year based on performance.

Duration: One year with the option of an additional year based on performance. Position: Adviser to the Internal Audit Unit Objectives: A person to support the newly established Internal audit unit to transform it from its infancy stage to a unit that is a trusted adviser, and more

More information

Vendor Management Best Practices

Vendor Management Best Practices 23 rd Annual and One Day Seminar Vendor Management Best Practices Catherine Bruder CPA, CITP, CISA, CISM, CTGA Michigan Texas Florida Insight. Oversight. Foresight. SM Doeren Mayhew Bruder 1 $100 billion

More information

Third-Party Vendor Compliance Programs: The Value, the Need, the Risk

Third-Party Vendor Compliance Programs: The Value, the Need, the Risk Third-Party Vendor Compliance Programs: The Value, the Need, the Risk HCCA Compliance Institute Session 602 Tuesday, April 19, 2016 1:00-2:00 PM HCCA CI - 2016 1 Presenters Corey M. Perman, JD Vice President,

More information

Internal Audit RFP 2013 Questions and Answers

Internal Audit RFP 2013 Questions and Answers Question set 1: 1. What do you like about your current outsource IA arrangement and what has prompted your consideration of alternative providers? IIT policy requires periodic placement of IA business

More information

2014 Vendor Risk Management Benchmark Study

2014 Vendor Risk Management Benchmark Study 2014 Vendor Risk Management Benchmark Study Introduction/Executive Summary You can have all the security in the world inside your company s four walls, but all it takes is a compromise at one third-party

More information

Healthcare Payment Processing: Managing Data Security and Privacy Risks

Healthcare Payment Processing: Managing Data Security and Privacy Risks Moderator: Linda A. Malek Chair, Healthcare Moses & Singer LLP Healthcare Payment Processing: Managing Data Security and Privacy Risks Thursday, September 13, 2012 Panelists: Beth L. Rubin Senior Counsel

More information

CISM (Certified Information Security Manager) Document version: 6.28.11

CISM (Certified Information Security Manager) Document version: 6.28.11 CISM (Certified Information Security Manager) Document version: 6.28.11 Important Note About CISM PDF techexams CISM PDF is a comprehensive compilation of questions and answers that have been developed

More information

ENTERPRISE PROJECT MANAGEMENT OFFICE

ENTERPRISE PROJECT MANAGEMENT OFFICE ENTERPRISE PROJECT MANAGEMENT OFFICE QUALITY MANAGEMENT SYSTEM ISO 9001:2008 STATE CHIEF INFORMATION OFFICER CHRIS ESTES DEPUTY STATE CHIEF INFORMATION OFFICER AARON WIENSHIENK DEPARTMENT MANAGER JAMES

More information

The Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant

The Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant THE MARKET LEADER IN IT, SECURITY AND COMPLIANCE SERVICES FOR COMMUNITY FINANCIAL INSTITUTIONS The Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant Agenda

More information

Business Associates, HITECH & the Omnibus HIPAA Final Rule

Business Associates, HITECH & the Omnibus HIPAA Final Rule Business Associates, HITECH & the Omnibus HIPAA Final Rule HIPAA Omnibus Final Rule Changes Business Associates Marissa Gordon-Nguyen, JD, MPH Health Information Privacy Specialist Office for Civil Rights/HHS

More information

Chayuth Singtongthumrongkul

Chayuth Singtongthumrongkul IT is complicated. IT Governance doesn t have to be. Chayuth Singtongthumrongkul CISSP, CISA, ITIL Intermediate, PMP, IRCA ISMS (ISO/IEC 27001) Director of International Academic Alliance, ACIS Professional

More information

Template K Implementation Requirements Instructions for RFP Response RFP #

Template K Implementation Requirements Instructions for RFP Response RFP # Template K Implementation Requirements Instructions for RFP Response Table of Contents 1.0 Project Management Approach... 3 1.1 Program and Project Management... 3 1.2 Change Management Plan... 3 1.3 Relationship

More information

Arizona State University. HIPAA Compliance. Audit Report Number 15-08. May 7, 2015

Arizona State University. HIPAA Compliance. Audit Report Number 15-08. May 7, 2015 This page left blank intentionally. Summary The Health Insurance Portability and Accountability Act of 1996 (HIPAA) audit was included on the Arizona State University (ASU) FY 2015 annual audit plan approved

More information

AUDIT REPORT. The Department of Energy's Management of Cloud Computing Activities

AUDIT REPORT. The Department of Energy's Management of Cloud Computing Activities U.S. Department of Energy Office of Inspector General Office of Audits and Inspections AUDIT REPORT The Department of Energy's Management of Cloud Computing Activities DOE/IG-0918 September 2014 Department

More information

Cybersecurity in the States 2012: Priorities, Issues and Trends

Cybersecurity in the States 2012: Priorities, Issues and Trends Cybersecurity in the States 2012: Priorities, Issues and Trends Commission on Maryland Cyber Security and Innovation June 8, 2012 Pam Walker, Director of Government Affairs National Association of State

More information

A s a covered entity or business associate, you have

A s a covered entity or business associate, you have Health IT Law & Industry Report VOL. 7, NO. 19 MAY 11, 2015 Reproduced with permission from Health IT Law & Industry Report, 07 HITR, 5/11/15. Copyright 2015 by The Bureau of National Affairs, Inc. (800-372-1033)

More information

Maximizing Your IT Value with Well-Aligned Governance August 3, 2012

Maximizing Your IT Value with Well-Aligned Governance August 3, 2012 Maximizing Your IT Value with Well-Aligned Governance August 3, 2012 6 th Annual SoCal Excellence in Service Management Conference Your Presenter: Jason Brucker Associate Director within Protiviti's IT

More information

Third-Party Cybersecurity and Data Loss Prevention

Third-Party Cybersecurity and Data Loss Prevention Third-Party Cybersecurity and Data Loss Prevention SESSION ID: DSP-W04A Brad Keller Sr. Vice President Santa Fe Group Jonathan Dambrot, CISSP CEO, Co-Founder Prevalent Networks 3rd Party Risk Management

More information

WebEx guide. > Everyone is muted to avoid background noise. Please use the chat box if you need to communicate with the host.

WebEx guide. > Everyone is muted to avoid background noise. Please use the chat box if you need to communicate with the host. WebEx guide > Everyone is muted to avoid background noise. Please use the chat box if you need to communicate with the host. > Asking questions: In the chat screen, ask questions by choosing All Panelists

More information

SUMMARY OF POSITION ROLE/RESPONSIBILITIES:

SUMMARY OF POSITION ROLE/RESPONSIBILITIES: SUMMARY OF POSITION ROLE/RESPONSIBILITIES: Reporting to the Senior Vice President for Administration, this position is responsible for ensuring that the University of Florida, in its entirety, is compliant

More information

Information Security Program CHARTER

Information Security Program CHARTER State of Louisiana Information Security Program CHARTER Date Published: 12, 09, 2015 Contents Executive Sponsors... 3 Program Owner... 3 Introduction... 4 Statewide Information Security Strategy... 4 Information

More information

HIT System Procurement Issues and Pitfalls Session 2.03

HIT System Procurement Issues and Pitfalls Session 2.03 HIT System Procurement Issues and Pitfalls Session 2.03 Presented by: Gerry Hinkley Davis Wright Tremaine LLP and Joseph M. DeLuca IT Optimizers Session Goals Provide you with A best practices approach

More information

ClOP CHAPTER 1351.39. Departmental Information Technology Governance Policy TABLE OF CONTENTS. Section 39.1

ClOP CHAPTER 1351.39. Departmental Information Technology Governance Policy TABLE OF CONTENTS. Section 39.1 ClOP CHAPTER 1351.39 Departmental Information Technology Governance Policy TABLE OF CONTENTS Section 39.1 Purpose... 1 Section 39.2 Section 39.3 Section 39.4 Section 39.5 Section 39.6 Section 39.7 Section

More information

Software Licenses Managing the Asset and Related Risks

Software Licenses Managing the Asset and Related Risks AUDITOR GENERAL S REPORT ACTION REQUIRED Software Licenses Managing the Asset and Related Risks Date: February 4, 2015 To: From: Wards: Audit Committee Auditor General All Reference Number: SUMMARY The

More information

Vendor Management Challenges and Solutions for HIPAA Compliance. Jim Sandford Vice President, Coalfire

Vendor Management Challenges and Solutions for HIPAA Compliance. Jim Sandford Vice President, Coalfire Vendor Management Challenges and Solutions for HIPAA Compliance Jim Sandford Vice President, Coalfire Housekeeping You may submit questions throughout the webinar using the question area in the control

More information

STATE OF NORTH CAROLINA

STATE OF NORTH CAROLINA STATE OF NORTH CAROLINA PERFORMANCE AUDIT INFORMATION TECHNOLOGY CONSOLIDATION JANUARY 2013 OFFICE OF THE STATE AUDITOR BETH A. WOOD, CPA STATE AUDITOR PERFORMANCE AUDIT INFORMATION TECHNOLOGY CONSOLIDATION

More information

Securing Patient Portals. What You Need to Know to Comply With HIPAA Omnibus and Meaningful Use

Securing Patient Portals. What You Need to Know to Comply With HIPAA Omnibus and Meaningful Use Securing Patient Portals What You Need to Know to Comply With HIPAA Omnibus and Meaningful Use September 2013 Table of Contents Abstract... 3 The Carrot and the Stick: Incentives and Penalties for Securing

More information

HIPAA in the Cloud. How to Effectively Collaborate with Cloud Providers

HIPAA in the Cloud. How to Effectively Collaborate with Cloud Providers How to Effectively Collaborate with Cloud Providers Speaker Bio Chad Kissinger Chad Kissinger Founder OnRamp Chad Kissinger is the Founder of OnRamp, an industry leading high security and hybrid hosting

More information

Chapter 5. Planning the Audit Engagement

Chapter 5. Planning the Audit Engagement Chapter 5 Planning the Audit Engagement A. Purpose for Planning the Engagement Engagement planning is performed to provide a means for developing an understanding of the business objectives of the auditee,

More information

Enabling Information PREVIEW VERSION

Enabling Information PREVIEW VERSION Enabling Information These following pages provide a preview of the information contained in COBIT 5: Enabling Information. The main benefit of this publication is that it provides COBIT 5 users with a

More information

A Privacy Officer s Guide to Providing Enterprise De-Identification Services. Phase I

A Privacy Officer s Guide to Providing Enterprise De-Identification Services. Phase I IT Management Advisory A Privacy Officer s Guide to Providing Enterprise De-Identification Services Ki Consulting has helped several large healthcare organizations to establish de-identification services

More information

December 2014 Report No. 15-017. An Audit Report on The Telecommunications Managed Services Contract at the Health and Human Services Commission

December 2014 Report No. 15-017. An Audit Report on The Telecommunications Managed Services Contract at the Health and Human Services Commission John Keel, CPA State Auditor An Audit Report on The Telecommunications Managed Services Contract at the Health and Human Services Commission Report No. 15-017 An Audit Report on The Telecommunications

More information

THIRD-PARTY RISK: HOW TO BETTER UTILIZE ENERGY VENDOR AUDITS 8/25/2015. August 27, 2015

THIRD-PARTY RISK: HOW TO BETTER UTILIZE ENERGY VENDOR AUDITS 8/25/2015. August 27, 2015 8/25/2015 THIRD-PARTY RISK: HOW TO BETTER UTILIZE ENERGY VENDOR AUDITS August 27, 2015 Shane Torkelson, CPE, CISA, CIA Director Enterprise Risk Solutions storkelson@bkd.com 1 TO RECEIVE CPE CREDIT Participate

More information

ISE Northeast Executive Forum and Awards

ISE Northeast Executive Forum and Awards ISE Northeast Executive Forum and Awards October 3, 2013 Company Name: Project Name: Presenter: Presenter Title: University of Massachusetts Embracing a Security First Approach Larry Wilson Chief Information

More information

Bridging the HIPAA/HITECH Compliance Gap

Bridging the HIPAA/HITECH Compliance Gap CyberSheath Healthcare Compliance Paper www.cybersheath.com -65 Bridging the HIPAA/HITECH Compliance Gap Security insights that help covered entities and business associates achieve compliance According

More information

And The Question Is: What are the Key AMC Compliance Focus Areas in the Current Regulatory Environment?

And The Question Is: What are the Key AMC Compliance Focus Areas in the Current Regulatory Environment? And The Question Is: What are the Key AMC Compliance Focus Areas in the Current Regulatory Environment? Panel Members: Joan Podleski, Duke University Luanna Putney, University of California Kristen West,

More information

Security & IT Governance: Strategies to Building a Sustainable Model for Your Organization

Security & IT Governance: Strategies to Building a Sustainable Model for Your Organization Security & IT Governance: Strategies to Building a Sustainable Model for Your Organization Outside View of Increased Regulatory Requirements Regulatory compliance is often seen as sand in the gears requirements

More information

Medical Care Advisory Committee. Andy Vasquez, Deputy Director, Medicaid/CHIP Vendor Drug Program Health and Human Services Commission

Medical Care Advisory Committee. Andy Vasquez, Deputy Director, Medicaid/CHIP Vendor Drug Program Health and Human Services Commission TO: Medical Care Advisory Committee DATE: November 8, 2013 FROM: Andy Vasquez, Deputy Director, Medicaid/CHIP Vendor Drug Program Health and Human Services Commission Agenda Item No.: 7 SUBJECT: Fee-for-Service

More information

Enabling IT Performance & Value with Effective IT Governance Assessment & Improvement Practices. April 10, 2013

Enabling IT Performance & Value with Effective IT Governance Assessment & Improvement Practices. April 10, 2013 Enabling IT Performance & Value with Effective IT Governance Assessment & Improvement Practices April 10, 2013 Today's Agenda: Key Topics Defining IT Governance IT Governance Elements & Responsibilities

More information

HIPAA in the Cloud How to Effectively Collaborate with Cloud Providers

HIPAA in the Cloud How to Effectively Collaborate with Cloud Providers How to Effectively Collaborate with Cloud Providers Agenda Overview of Topics Covered Agenda Evolution of the Cloud Comparison of Private vs. Public Clouds Other Regulatory Frameworks Similar to HIPAA

More information

Profit from the experience of best-in-class companies.

Profit from the experience of best-in-class companies. VISA COMMERCIAL SOLUTIONS Global Procure-to-Pay and Commercial Card Best Practices Executive Summary Profit from the experience of best-in-class companies. Today s most successful companies have shifted

More information

HIPAA/HITECH Privacy and Security for Long Term Care. Association of Jewish Aging Services 1

HIPAA/HITECH Privacy and Security for Long Term Care. Association of Jewish Aging Services 1 HIPAA/HITECH Privacy and Security for Long Term Care 1 John DiMaggio Chief Executive Officer, Blue Orange Compliance Cliff Mull Partner, Benesch, Healthcare Practice Group About the Presenters John DiMaggio,

More information

The Hi-Tech Balancing Act: Securely Walking the Tightrope of Patient Care

The Hi-Tech Balancing Act: Securely Walking the Tightrope of Patient Care WHITE PAPER: THE HITECH BALANCING ACT The Hi-Tech Balancing Act: Securely Walking the Tightrope of Patient Care October 2009 By John McNeely President and CEO Sword & Shield Enterprise Security, Inc. [

More information

Oversight of Information Technology Projects. Information Technology Audit

Oversight of Information Technology Projects. Information Technology Audit O L A OFFICE OF THE LEGISLATIVE AUDITOR STATE OF MINNESOTA FINANCIAL AUDIT DIVISION REPORT Oversight of Information Technology Projects Information Technology Audit May 29, 2009 Report 09-19 FINANCIAL

More information

Audit Plan Update. Percentage of Total Budgeted Hours. Adjusted Budgeted Hours. Actual YTD. Audit & MAS 8,066 8,366 38% 7,085.0 46% 2012 Carry Over

Audit Plan Update. Percentage of Total Budgeted Hours. Adjusted Budgeted Hours. Actual YTD. Audit & MAS 8,066 8,366 38% 7,085.0 46% 2012 Carry Over AUDIT COMMITTEE UPDATE DECEMBER 13, 2013 EXECUTIVE SUMMARY Office of the Internal Auditor Update Since the last Audit Committee meeting, the OIA has focused on finalizing the execution of the 2013 Audit

More information

Healthcare IT (HIT) Strategic Planning & Budgeting MARCH 26, 2014

Healthcare IT (HIT) Strategic Planning & Budgeting MARCH 26, 2014 Healthcare IT (HIT) Strategic Planning & Budgeting MARCH 26, 2014 Agenda Introduction / Session Overview HIT Budgeting 101 Security and Compliance EHR budgeting HIT Where Are We Going Q & A 2 Copyright

More information

Performing a Compliance Risk Assessment for Compliance Auditing & Monitoring in Healthcare Organizations

Performing a Compliance Risk Assessment for Compliance Auditing & Monitoring in Healthcare Organizations Performing a Compliance Risk Assessment for Compliance Auditing & Monitoring in Healthcare Organizations Author: Glen C. Mueller, Chief Audit & Compliance Officer, Scripps Health, San Diego, CA Introduction

More information

2014 HIMSS Analytics Cloud Survey

2014 HIMSS Analytics Cloud Survey 2014 HIMSS Analytics Cloud Survey June 2014 2 Introduction Cloud services have been touted as a viable approach to reduce operating expenses for healthcare organizations. Yet, engage in any conversation

More information

HIPAA Privacy, Security and Breach Notification Audits

HIPAA Privacy, Security and Breach Notification Audits HIPAA Privacy, Security and Breach Notification Audits Program Overview & Initial Analysis Verne Rinker JD, MPH 2013 NIST / OCR Security Rule Conference May 21-22, 2013 Program Mandate HITECH Act, Section

More information

Overview of Topics Covered

Overview of Topics Covered How to Effectively Collaborate with Cloud Providers Agenda Overview of Topics Covered Agenda Evolution of the Cloud Comparison of Private vs. Public Clouds Other Regulatory Frameworks Similar to HIPAA

More information

Office of Compliance and Ethics Introductory Report. Lynette Fons, Chief Compliance Officer

Office of Compliance and Ethics Introductory Report. Lynette Fons, Chief Compliance Officer Office of Compliance and Ethics Introductory Report Lynette Fons, Chief Compliance Officer Why the Office of Compliance and Ethics was Created The City operates in a highly complex regulatory environment

More information