IT Vendor Due Diligence. Jennifer McGill CIA, CISA, CGEIT IT Audit Director Carolinas HealthCare System December 9, 2014
Transcription
1 IT Vendor Due Diligence
Jennifer McGill CIA, CISA, CGEIT, IT Audit Director, Carolinas HealthCare System
December 9, 2014

2 Carolinas HealthCare System (CHS)
- Second largest not-for-profit healthcare system in the nation
- Largest healthcare system in the Southeast
- 40 hospitals, 11 nursing homes and over 900 outpatient service locations
- Over 2,300 employed physicians and nearly 400 residents; more than 40,000 FTEs
- Net operating revenue: $7.8 billion
- AA-rated since 1983

3 CHS Audit Services
Chief Audit Executive (reports to Chief Legal Counsel)
- IT Audit, enterprise-wide, 14 computing environments: 1 Director, 4 Auditors
- Financial & Operational Audit:
  - Charlotte-area Hospitals: 1 Director, 1 Manager, 6 Auditors
  - Corporate Operations: 1 Director, 1 Manager, 5 Auditors, 2 Construction Auditors
  - Regional NC, SC, GA Hospitals and Health Systems, Physician Practices, Joint Ventures: 1 Director, 5 Auditors
4 Agenda
- Learning Objectives
- Background on Healthcare Technology Regulation
- Vendor Management Lifecycle
- Due Diligence as a Focus Area
- Risks and Control Objectives
- Audit and Assessment Techniques
- Connections to IT Investment Management & Cloud Computing
- Questions

5 Learning Objectives
- Understand the key control objectives in the vendor due diligence process and how they fit into the larger vendor management lifecycle.
- Discuss initial questions that will help determine audit strategy.
- Explore the connection between vendor management and IT investment management.
- Touch on the importance of vendor due diligence related to cloud computing strategy.
6 Healthcare Technology Regulation
Electronic Medical Record systems have been in existence for 30 years.
- Late 1990s: HIPAA legislation drafted
- 2001: only 18% of providers have adopted EMRs
- 2003: HIPAA Privacy Rule compliance deadline
- 2005: HIPAA Security Rule compliance deadline; healthcare begins to be plagued by breaches
- 2008: OIG begins auditing CMS enforcement of the Security Rule
- 2009: HITECH Act requires adoption of EMRs and includes Breach Notification Requirements
- 2013: 78% of providers have adopted EMRs
- 2014: Office for Civil Rights slow to start next phase of HIPAA Security compliance audits; concern over credit card breaches increases awareness of PCI requirements
7 Vendor Management Definitions
Vendor Management: The strategic process that is dedicated to management of vendor relationships so that value creation is maximized and risk to the enterprise is minimized. ~ ISACA

Vendor Management Due Diligence: Third-party vendor due diligence is a process used to make an informed business decision concerning the selection of the appropriate vendor. Due diligence is the gathering and analysis of detailed information about possible vendors. As with all business decisions, there are some risks that cannot be eliminated but can be managed. The purpose of due diligence is to help choose the best third-party vendor relationship given the risks and abilities or services available, and then to negotiate, contract, implement, and monitor to mitigate any residual risks. ~ CUNA Due Diligence Task Force
8 Vendor Management Lifecycle

9 Strategy Questions
- Do business line leaders know how to engage with IT to ask for what they need?
- Are IT strategy and business strategy aligned?
- Does your organization maintain a record of the vendors with which it does business?
- Are all IT services and solutions procured through a centralized process?
- Does your organization have an established Project Management Office?
- Are processes for engaging with vendors documented?
- Is there a separate process for evaluating IT vendor companies prior to evaluating the solutions or services offered?
10 Scope Selection

11 Risks and Control Objectives
Risks:
- Purchase IT services or solutions that do not meet the needs of the organization
- Pay too much for services or solutions
- Process does not comply with policies related to vendor diversity, value analysis, etc.
- Select vendors with reputation, financial, security, design, capacity or service problems
- Enter a contractual relationship with a vendor without having reasonable assurance that requirements will be met

Due Diligence Step: Needs Assessment
- Control Objectives: Need for a solution is identified; business requirements are defined; regulatory & information security requirements are defined; approvals to move ahead with identifying a solution are obtained
- Participants: Business Unit, Information Services, IT Security, IT Committees (approvals)

Due Diligence Step: Request for Proposals
- Control Objectives: Opportunity to bid is presented to multiple vendors; information is gathered from vendors and analyzed; best vendors are accepted to move to the next step of the due diligence process
- Participants: Business Unit, Information Services, IT Security, IT Committees (establish expectations for RFP)

Due Diligence Step: Vendor Analysis
- Control Objectives: Risk assessment (strategic, reputational, operational, financial, compliance) is performed; financial analysis is performed; capability to meet business requirements is evaluated
- Participants: Business Unit, Information Services, IT Security, IT Committees (verification)

Due Diligence Step: Review and Approval
- Control Objectives: Vendor selection is made by authorized participants; selection is reviewed and approved by authorized leaders or committees
- Participants: Business Unit, Information Services, IT Security, IT Committees (approval)

Outcome: Selected vendor solution moves to the implementation phase.
12 Testing Approach: Needs Assessment
- Obtain access to the minutes from the prior 12 months of IT Steering Committee meetings
- Select a sample of Business Line Leaders who have presented projects for review
- Interview the Leaders to understand the process that they followed
- Review project documentation to determine if a needs assessment was conducted
- Interview IT personnel assigned to the project to understand the process that they followed
- Determine if regulatory and information security requirements were defined and addressed
- Look for documented approvals

13 Testing Approach: Request for Proposals
- Review project documentation to determine if the opportunity to bid was presented to multiple vendors
- Interview IT personnel assigned to the project to determine what information was requested from vendors in the Request for Proposals (RFP)
- Determine if regulatory and information security requirements were addressed in the RFP document
- Review project documentation to see which vendors responded to the RFP, examine the responses, and look for a comparative analysis of the responses
- Look for documented justification for the vendors accepted to move to the next step

14 Testing Approach: Vendor Analysis
- Find out if there is a security committee, architectural review committee, and/or other oversight group(s) with responsibility for reviewing vendor information prior to final selection
- Review project documentation to determine if a vendor risk assessment was conducted
- Determine if a financial analysis (business case) was completed
- Interview IT personnel to understand how they were involved in making the determination that the vendor would be able to meet identified needs

15 Testing Approach: Review and Approval
- Interview the Business Line Leaders to understand the process that they followed to make the final vendor selection
- Review project documentation to determine if the selection was reviewed and approved by authorized leaders or committees
16 Results
- Identified need for a comprehensive, documented process
- All parties involved followed a process, but it differed from one project team to the next
- None of the Business Line Leaders were familiar with the process
- Documentation was inconsistent: project names shifted from start to finish, and IT personnel handed projects off from phase to phase
- IT personnel did not assert subject matter leadership to guide Business Line Leaders to make selections inclusive of IT strategy as well as business strategy
- Found a loophole in a fundamental organizational policy: if responsibility for all IT vendor relationships and IT solution management resides with IT, make sure the policy states it explicitly
17 IT Investment Management Overview
IT-enabled investments will:
- Be managed as a portfolio of investments
- Include the full scope of activities required to achieve business value
- Be managed through their full economic life cycle

Value delivery practices will:
- Recognize there are different categories of investments that will be evaluated and managed differently
- Define and monitor key metrics and respond quickly to any changes or deviations
- Engage all stakeholders and assign appropriate accountability for the delivery of capabilities and the realization of business benefits
- Be continually monitored, evaluated and improved
~ ISACA Val IT Guidance
18 Cloud Computing Strategy
Cloud computing means that the computer hardware and software we use is provided for us as a service by another company and is accessed over the Internet, rather than sitting on our desktops or somewhere inside our network. The term "moving to the cloud" refers to an organization moving away from a traditional capital expenditure model (buy dedicated hardware and depreciate it over a period of time) to an operating expense model (use a shared cloud infrastructure and pay as we use it). Strong vendor due diligence practices are critical to protecting the organization's interests in this type of arrangement.

19 Questions & Discussion
More informationSecurity & IT Governance: Strategies to Building a Sustainable Model for Your Organization
Security & IT Governance: Strategies to Building a Sustainable Model for Your Organization Outside View of Increased Regulatory Requirements Regulatory compliance is often seen as sand in the gears requirements
More informationDesign of Database Security Policy In Enterprise Systems
Design of Database Security Policy In Enterprise Systems by Krishna R Singitam Database Architect Page 1 of 10 Table of Contents 1. Abstract... 3 2. Introduction... 3 2.1. Understanding the Necessity of
More informationHealthcare IT (HIT) Strategic Planning & Budgeting MARCH 26, 2014
Healthcare IT (HIT) Strategic Planning & Budgeting MARCH 26, 2014 Agenda Introduction / Session Overview HIT Budgeting 101 Security and Compliance EHR budgeting HIT Where Are We Going Q & A 2 Copyright
More informationIntegrating Project Management and Service Management
Integrating Project and Integrating Project and By Reg Lo with contributions from Michael Robinson. 1 Introduction Project has become a well recognized management discipline within IT. is also becoming
More informationHIPAA and the HITECH Act
WHITE PAPER: THE HITECH BALANCING ACT The Hi-Tech Balancing Act: Securely Walking the Tightrope of Patient Care October 2009 By John McNeely President and CEO Sword & Shield Enterprise Security, Inc. [
More informationVendor Management: An Enterprise-wide Focus. Susan Orr, CISA CISM CRISC CRP Susan Orr Consulting, Ltd.
Vendor Management: An Enterprise-wide Focus Susan Orr, CISA CISM CRISC CRP Susan Orr Consulting, Ltd. Why Focus on Vendor Management Increased financial regulatory scrutiny GLBA and Identity Theft Red
More informationOffice of Compliance and Ethics Introductory Report. Lynette Fons, Chief Compliance Officer
Office of Compliance and Ethics Introductory Report Lynette Fons, Chief Compliance Officer Why the Office of Compliance and Ethics was Created The City operates in a highly complex regulatory environment
More information2014 HIMSS Analytics Cloud Survey
2014 HIMSS Analytics Cloud Survey June 2014 2 Introduction Cloud services have been touted as a viable approach to reduce operating expenses for healthcare organizations. Yet, engage in any conversation
More informationEstablishing An Effective Corporate Compliance Program Joan Feldman, Esq. Vincenzo Carannante, Esq. William Roberts, Esq.
Establishing An Effective Corporate Compliance Program Joan Feldman, Esq. Vincenzo Carannante, Esq. William Roberts, Esq. November 11, 2014 Shipman & Goodwin LLP 2014. All rights reserved. HARTFORD STAMFORD
More informationBlending Corporate Governance with. Information Security
Blending Corporate Governance with Information Security WHAT IS CORPORATE GOVERNANCE? Governance has proved an issue since people began to organise themselves for a common purpose. How to ensure the power
More informationAudit Plan Update. Percentage of Total Budgeted Hours. Adjusted Budgeted Hours. Actual YTD. Audit & MAS 8,066 8,366 38% 7,085.0 46% 2012 Carry Over
AUDIT COMMITTEE UPDATE DECEMBER 13, 2013 EXECUTIVE SUMMARY Office of the Internal Auditor Update Since the last Audit Committee meeting, the OIA has focused on finalizing the execution of the 2013 Audit
More informationA SELECTICA GUIDE ALL THINGS STARK LAW WHAT IS STARK LAW, AND HOW CAN CONTRACT MANAGEMENT SOFTWARE HELP YOU COMPLY?
A SELECTICA GUIDE ALL THINGS STARK LAW WHAT IS STARK LAW, AND HOW CAN CONTRACT MANAGEMENT SOFTWARE HELP YOU COMPLY? 1 A Selectica Guide All things Stark: What is Stark Law, and how can contract management
More informationCOBIT 5: A New Governance Framework for Managing & Auditing the Technology Environment CS 6-7: Tuesday, July 7 3:30-4:30
COBIT 5: A New Governance Framework for Managing & Auditing the Technology Environment CS 6-7: Tuesday, July 7 3:30-4:30 Presented by: Nelson Gibbs CIA, CRMA, CISA, CISM, CGEIT, CRISC, CISSP ngibbs@pacbell.net
More informationREGULATORY CHANGES DEMAND AN ENTERPRISE-WIDE APPROACH TO DISCLOSURE MANAGEMENT OF PHI
REGULATORY CHANGES DEMAND AN ENTERPRISE-WIDE APPROACH TO DISCLOSURE MANAGEMENT OF PHI Healthcare Organizations Can Adopt Enterprise-Wide Disclosure Management Systems To Standardize Disclosure Processes,
More informationProfit from the experience of best-in-class companies.
VISA COMMERCIAL SOLUTIONS Global Procure-to-Pay and Commercial Card Best Practices Executive Summary Profit from the experience of best-in-class companies. Today s most successful companies have shifted
More informationISE Northeast Executive Forum and Awards
ISE Northeast Executive Forum and Awards October 3, 2013 Company Name: Project Name: Presenter: Presenter Title: University of Massachusetts Embracing a Security First Approach Larry Wilson Chief Information
More information