White paper: Nine Simple Steps to Vendor Management
|
|
- Chad Shelton
- 8 years ago
- Views:
Transcription
1 White paper: Nine Simple Steps to Vendor Management March 2014
2 White Paper: Nine Simple Steps to Vendor Management Using a third-party vendor naturally subjects an institution to risks outside its control. From a data breach to an unexpected shutdown, banks and credit unions are subject to a variety of vendor-related events that could lead to loss of revenue, loss of service or reputation damage. That s why FFIEC stands for vendor management are a significant part of regulatory examinations. Examiners now put a stronger focus on the guidelines, pushing organizations to better prepare themselves for the unexpected. Notably, outsourcing does not remove an institution from liability should vendor fail to meet information security requirements. An effective vendor management program protects an institution by ensuring its vendors are making all necessary efforts to safeguard information and helps prepare for regulatory compliance examinations. Don t Sweat the Small Stuff Vendor management can seem like a tall order, especially when you consider that many banks and credit unions work with more than 100 outside vendors. But oftentimes, institutions make the process harder than it actually is by tackling too many vendor reviews and collecting too much information. The regulations ask you to look at vendors who have access to customer information or processing systems and those that potentially pose critical risks. For most institutions, that s usually no more than a dozen vendors. Focus your attention there. Examiners only expect you to concentrate on those relationships that pose critical risks. Additionally, if you skip this step you potentially appear as if you don t understand the requirements and may open yourself to more questioning. Step-by-Step We ve analyzed the FFIEC vendor due diligence guidelines and consulted examiners to break the process down into nine simple steps. Here s how to get started Step 1: Start with a list of your vendors. List anyone you re doing business with anyone you outsource to in some function, whether it s mowing the lawn, cleaning, credit card processing, public relations, or IT. Step 2: Rate each vendor on criticality Ask yourself, If this vendor stops providing this service tomorrow, what will it do to my organization. If you ll have to shut your doors or stop providing a service, the vendor is critical. If you might not even notice for a while (gosh that grass is getting long), then that s a low criticality vendor. Step 3: Rate each vendor on confidentiality Identify what each vendor has access to in terms of customer information account numbers, names, addresses, account info. As with criticality, rank this access high, medium or low.
3 Step 4: Sort the vendors by rank Sort your list of vendors by both criticality and confidentiality. A high ranking in either category means you need to pay attention to that vendor. Naturally, 12 to 20 vendors will float to the top in either category. If you have more than two dozen in either group, you ve scored them too heavily. Step 5: Normalize your rankings This is a cross check of sorts. Take a look at all your rankings collectively and make sure they make sense as a group. Is it logical that your high risk vendors are really more critical than the ones below? You ll often find minor adjustments when you take a high level overview. Step 6: Identify risks for high ranking vendors According to the regulations, you need to rate all your vendors. But once that s done, you only need to focus on the high criticality and high confidentiality providers. Remember these should be relatively short lists. Identify what risk each of the vendors may pose and what controls they should have in place to temper those risks. For example: This vendor is critical to my operations. What if there s a fire, flood, or power outage? Do they have a disaster recovery plan? A business continuity plan? What happens if they make an error? Do they have liability insurance? They have access to customer information. What security measures are they taking? What is their response plan if a data breach occurs? Does it work with my response plan? Identify the controls (i.e. risk mitigation efforts) they should have in place to a) secure information and b) minimize the impact on your organization. Evaluating Specialist Providers You may feel overwhelmed when it comes to evaluating an IT firm, credit card processor or other complex service provider. Don t be intimidated. The examiners don t expect Herculean review efforts. You don t need to send in your own security testing team. What you do need is assurance the vendor is following industry best practices. When an examiner asks why you feel comfortable with a certain vendor, provide a rational argument and documentation demonstrating you ve done your due diligence. You might request the following: SAS 70 audit report (credit card processors) PCI compliance (credit card processors) Third party certifications Staff experience & education Customer recommendations You don t have to understand the intricacies of a vendor s business. You can secure reasonable proof of quality by relying on third party certifications and other logical evaluation measures. Scout includes recommended due diligence requests for standard financial institution vendors.
4 Step 7: Begin your due diligence Start collecting evidence of those control and risk mitigation processes. Create a file. You want to verify the vendor has a plan in place. See if it meshes with your plan and sounds reasonable. Get a copy of their disaster recovery plan and liability policy. Ask for pertinent staff profiles to determine if they have qualified personnel. Check references and be sure other clients report satisfaction. Step 8: Request improvements or switch vendors If the vendor doesn t have adequate controls in place, you need to have a dialogue and convince them to meet your standards. If you can t find resolution, you may need to select a different vendor. Step 9: Reevaluate Annually, go through your list of vendors and decide if their risk rating needs to be changed. Also, reevaluate your high risk vendors to make sure their controls are appropriate for the current risk environment. Has your relationship changed in the last year? Have security threats evolved? Are their certifications up-to-date and contracts current? Continue to manage your risks and relationships. Prepare for the Unexpected The vendor management process helps your organization plan for the unexpected. As you identify the risks, you need to make sure controls and protocols are in place so that should something happen, neither you nor your vendor has a disastrous outcome. Understand the relationship up front, and make plans to deal with any damaging events. The last thing you want to do in a crisis is spend time figuring out what to do next. And when it comes to public relations, any crisis is better contained when you can show that due diligence was both thorough and thoughtful. Simply put, you don t want to fail because you forgot to plan. Scout for Vendor Management The Vendor Manager module in the Scout suite manages the vendor environment in much the same way Information Manager tracks your organization s risk assessment process. Use Vendor Manager to: Rank vendor criticality, confidentially and performance. Schedule and be reminded of due diligence reviews based on risks and FFIEC guidelines. Attach supporting documents. Right from initial use, Scout automates and simplifies vendor management. It guides users through the process, including prompts to request relevant information and conduct reviews. Scout s vendor management module was built using FFIEC guidance and includes the agency s recommended due diligence considerations. Institutions can customize the application, adding their own due diligence criteria. Users report that consistency and organization improve dramatically with Scout. It helps institutions set consistent review criteria and provides a central storage system for contracts, insurance policies and other essential documentation. Scout is a risk management dashboard that also includes modules for GBLA, Red Flags, BSA, ACH, ERM, Controls Audit and Task Management.
5
Identifying and Managing Third Party Data Security Risk
Identifying and Managing Third Party Data Security Risk Legal Counsel to the Financial Services Industry Digital Commerce & Payments Series Webinar April 29, 2015 1 Introduction & Overview Today s discussion:
More informationAVOIDING PATCH DOOMSDAY Best Practices for Performing Patch Management
AVOIDING PATCH DOOMSDAY Best Practices for Performing Patch Management The Patch Management Imperative Nearly every business in the world today depends on IT to support day-to-day operations and deliver
More informationWhat We ll Cover. Assessing Risk. Common elements in risk assessments NCUA categories of risk Risk assessments required by law
Assessing Risk It s the Law What We ll Cover Common elements in risk assessments NCUA categories of risk Risk assessments required by law What to assess Factors to consider When to assess Resources to
More informationTOP 10 Security Questions Introduction Breaches and other privacy and security incidents in healthcare are on the rise due to the vast size of the industry and the oneoffs of protected health information
More informationPRIVACY OF CONSUMERS' FINANCIAL INFORMATION PART 12 501(b) AND BANK MANAGEMENT
PRIVACY OF CONSUMERS' FINANCIAL INFORMATION PART 12 501(b) AND BANK MANAGEMENT RESOURCES PROVIDED THROUGH APRIL 2001 Slides Narration In the last presentation, you learned about some of the general responsibilities
More informationREGULATORY COMPLIANCE. Dynamic Solutions. Superior Results.
REGULATORY COMPLIANCE Dynamic Solutions. Superior Results. STREAMLINE, STRENGTHEN AND SIMPLIFY YOUR COMPLIANCE EFFORTS CSI S AUTOMATED, DYNAMIC SOLUTIONS MITIGATE RISK, DECREASE COSTS AND IMPROVE COMPLIANCE
More informationMisplaced Trust: Vendor Fraud. IIA/ACFE Conference Patrick Mitchell, Managing Director Sharon Delgado, Senior Manager
Misplaced Trust: Vendor Fraud IIA/ACFE Conference Patrick Mitchell, Managing Director Sharon Delgado, Senior Manager April 17, 2015 Today s Discussion Summary Vendor fraud is a form of occupational fraud
More informationOCC 98-3 OCC BULLETIN
To: Chief Executive Officers and Chief Information Officers of all National Banks, General Managers of Federal Branches and Agencies, Deputy Comptrollers, Department and Division Heads, and Examining Personnel
More informationBuilding a strong business continuity plan
Building a strong business continuity plan Protect your clients and firm with a well-planned business continuity plan A solid business continuity plan (BCP) is about more than simply staying in compliance.
More informationVENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium
1 VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium 2 Agenda Introduction Vendor Management what is? Available Guidance Vendor Management
More informationPreparing for a Computer System. In a Wholesale Fruit and Vegetable Company
Preparing for a Computer System In a Wholesale Fruit and Vegetable Company by Bruce E. Lederer Market Research and Development Division Agricultural Marketing Service U.S. Department of Agriculture A computer
More informationInformation Technology
Information Technology Information Technology Session Structure Board of director actions Significant and emerging IT risks Practical questions Resources Compensating Controls at the Directorate Level
More informationWhat is Penetration Testing?
White Paper What is Penetration Testing? An Introduction for IT Managers What Is Penetration Testing? Penetration testing is the process of identifying security gaps in your IT infrastructure by mimicking
More informationVENDOR MANAGEMENT. General Overview
VENDOR MANAGEMENT General Overview With many organizations outsourcing services to other third-party entities, the issue of vendor management has become a noted topic in today s business world. Vendor
More informationWhite Paper on Financial Institution Vendor Management
White Paper on Financial Institution Vendor Management Virtually every organization in the modern economy relies to some extent on third-party vendors that facilitate business operations in a wide variety
More informationA Cautionary Tale Plus Cross-Channel Risk
Dan Tobin A Cautionary Tale Plus Cross-Channel Risk IT Examiner Supervision, Regulation & Credit Dan.tobin@bos.frb.org Agenda A Cautionary Tale Shames-Yeakel v. Citizens Financial Bank Cross-Channel Risk
More information11- INFORMATION TECHNOLOGY RMP SNAPSHOT WORKPROGRAM
11- INFORMATION TECHNOLOGY RMP SNAPSHOT WORKPROGRAM INSTRUCTIONS 1. Review the IT Officer s Questionnaire (ITOQ) and comment on any responses from the ITOQ that result in a finding. 2. Provide responses
More informationNine Steps to Smart Security for Small Businesses
Nine Steps to Smart Security for Small Businesses by David Lacey Co-Founder, Jericho Forum Courtesy of TABLE OF CONTENTS INTRODUCTION... 1 WHY SHOULD I BOTHER?... 1 AREN T FIREWALLS AND ANTI-VIRUS ENOUGH?...
More informationElectronic Payment Schemes Guidelines
BANK OF TANZANIA Electronic Payment Schemes Guidelines Bank of Tanzania May 2007 Bank of Tanzania- Electronic Payment Schemes and Products Guidleness page 1 Bank of Tanzania, 10 Mirambo Street, Dar es
More informationSOFTWARE AS A SERVICE SaaS in the Tax and Accounting Profession
SOFTWARE AS A SERVICE SaaS in the Tax and Accounting Profession SOFTWARE AS A SERVICE SaaS in the Tax and Accounting Profession Overview Software as a Service (SaaS), which is often referred to as cloud
More informationIT Security & Compliance Risk Assessment Capabilities
ATIBA Governance, Risk and Compliance ATIBA provides information security and risk management consulting services for the Banking, Financial Services, Insurance, Healthcare, Manufacturing, Government,
More informationEnterprise Risk Management taking on new dimensions
Enterprise Risk Management taking on new dimensions October 2006 The practice of Enterprise Risk Management (ERM) is becoming more critical and complex every day. There is a growing need for organizations
More informationInformation Technology. A Current Perspective on Risk Management
Information Technology A Current Perspective on Risk Management Topics Covered Information Security Program Common Examination Findings Existing and Emerging Risks ACH/Wire Fraud and Corporate Account
More informationGUIDANCE FOR MANAGING THIRD-PARTY RISK
GUIDANCE FOR MANAGING THIRD-PARTY RISK Introduction An institution s board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships,
More informationWHITE PAPER Third-Party Risk Management Lifecycle Guide
WHITE PAPER Third-Party Risk Management Lifecycle Guide Develop and maintain compliant third-party relationships by following these foundational components of a best-practice assessment program. Third
More informationData Recovery Service Providers: The Low Profile, High Impact Risk to Enterprise Security
Data Recovery Service Providers: The Low Profile, High Impact Risk to Enterprise Security Lynda C. Martel Executive Director, Government & Enterprise Business Relations DriveSavers Data Recovery, Inc.
More informationGAIN CLARITY CRITICAL ISSUES. Your Data in the Cloud : Benefits & Risks GAIN CONTROL. berrydunn.com
GAIN CLARITY CRITICAL ISSUES Your Data in the Cloud : Benefits & Risks berrydunn.com AGENDA Defining Cloud Services Benefits and Risks Core Requirements Myths about Clouds Is Your Data in the Cloud Secure?
More informationOutsourcing Technology Services A Management Decision
Outsourcing Technology Services A Management Decision A Telephone Seminar for National Banks Tuesday, July 20, 2004 And again on Wednesday, July 21, 2004 Agenda Outsourcing activities and relationships
More informationDesigning an Operational Risk Program for a Community Bank Stephan Salvador Managing Director, Risk Management Consulting
Consulting and Professional Services Designing an Operational Risk Program for a Community Bank Stephan Salvador Managing Director, Risk Management Consulting Designing an Operational Risk Program for
More information2014 Vendor Risk Management Benchmark Study
2014 Vendor Risk Management Benchmark Study Introduction/Executive Summary You can have all the security in the world inside your company s four walls, but all it takes is a compromise at one third-party
More informationADDING NETWORK INTELLIGENCE TO VULNERABILITY MANAGEMENT
ADDING NETWORK INTELLIGENCE INTRODUCTION Vulnerability management is crucial to network security. Not only are known vulnerabilities propagating dramatically, but so is their severity and complexity. Organizations
More informationCloud Security and Managing Use Risks
Carl F. Allen, CISM, CRISC, MBA Director, Information Systems Security Intermountain Healthcare Regulatory Compliance External Audit Legal and ediscovery Information Security Architecture Models Access
More informationUnderstanding It s Me 247 Security. A Guide for our Credit Union Clients and Owners
Understanding It s Me 247 Security A Guide for our Credit Union Clients and Owners October 2, 2014 It s Me 247 Security Review CU*Answers is committed to the protection of you and your members. CU*Answers
More informationVendor Management. Outsourcing Technology Services
Vendor Management Outsourcing Technology Services Objectives Board and Senior Management Responsibilities Risk Management Program Risk Assessment Service Provider Selection Contracts Ongoing Monitoring
More informationTHE CURRENT STATE OF CLOUD SECURITY
Protecting Your Investment: THE CURRENT STATE OF CLOUD SECURITY An examination on the evolving state of security as it relates to your cloud-based applications and data A Publication of Fpweb.net Table
More informationStrategic Compliance & Securing the Cloud. Annalea Sharack-Ilg, CISSP, AMBCI Technical Director of Information Security
Strategic Compliance & Securing the Cloud Annalea Sharack-Ilg, CISSP, AMBCI Technical Director of Information Security Complexity and Challenges 2 Complexity and Challenges Compliance Regulatory entities
More informationRisk Management of Outsourced Technology Services. November 28, 2000
Risk Management of Outsourced Technology Services November 28, 2000 Purpose and Background This statement focuses on the risk management process of identifying, measuring, monitoring, and controlling the
More informationThe PNC Financial Services Group, Inc. Business Continuity Program
The PNC Financial Services Group, Inc. Business Continuity Program subsidiaries) 1 Content Overview A. Introduction Page 3 B. Governance Model Page 4 C. Program Components Page 4 Business Impact Analysis
More informationThe 9 Ugliest Mistakes Made with Data Backup and How to Avoid Them
The 9 Ugliest Mistakes Made with Data Backup and How to Avoid Them If your data is important to your business and you cannot afford to have your operations halted for days even weeks due to data loss or
More informationRISK MANAGEMENT PROGRAM THAT WORKS FOUR KEYS TO CREATING A VENDOR. HEADQUARTERS 33 Bradford Street Concord, MA 01742 PHONE: 978-451-7655
FOUR KEYS TO CREATING A VENDOR RISK MANAGEMENT PROGRAM THAT WORKS HEADQUARTERS 33 Bradford Street Concord, MA 01742 PHONE: 978-451-7655 FOUR KEYS TO CREATING A VENDOR RISK MANAGEMENT PROGRAM THAT WORKS
More informationFraud Protection module
Fraud Protection module Trainer s Introduction While the vast majority of financial transactions are legitimate and honest, the few fraudulent ones can be costly and damaging. By recognizing the warning
More informationHow To Choose A Payroll Outsourcing Service
You ve decided to outsource payroll. Now which type of provider is the best choice? How do you choose the provider that s right for you? Paying your employees and satisfying your payroll tax requirements
More informationwww.pwc.com Third Party Risk Management 12 April 2012
www.pwc.com Third Party Risk Management 12 April 2012 Agenda 1. Introductions 2. Drivers of Increased Focus on Third Parties 3. Governance 4. Third Party Risks and Scope 5. Third Party Risk Profiling 6.
More informationREGULATORY COMPLIANCE SOFTWARE SOLUTIONS. Dynamic Solutions. Superior Results.
REGULATORY COMPLIANCE SOFTWARE SOLUTIONS Dynamic Solutions. Superior Results. TOOLS THAT REDUCE THE BURDEN OF MANAGING COMPLIANCE AND THE RISK OF NON-COMPLIANCE WATCHDOG ELITE PLATFORM, a holistic platform
More informationMeeting FFIEC Requirements: Enterprise-Wide Testing of Your. Business Continuity Plan
Meeting FFIEC Requirements: Enterprise-Wide Testing of Your Business Continuity Plan April 25, 2012 Robin Remines, CBCP, AMBCI Certified Business Continuity Professional The OGO Difference Focus on making
More informationValidating Third Party Software Erica M. Torres, CRCM
Validating Third Party Software Erica M. Torres, CRCM Michigan Bankers Association Risk Management & Compliance Institute September 29, 2014 MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT
More informationUsing Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4
WHITEPAPER Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 An in-depth look at Payment Card Industry Data Security Standard Requirements 10, 11,
More informationPerforming Vendor Risk Assessments
Performing Vendor Risk Assessments You can outsource the work, but you can t outsource the risk! Presented by Jennifer F Alfafara Consultant, Resources Global Professionals Introduction 2 There is significant
More informationFFIEC Cybersecurity Assessment Tool
Overview In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council 1 (FFIEC) developed the Cybersecurity Tool (), on behalf of its members,
More informationRemote Deposit Capture Customer Due Diligence FFIEC Tier II Exam Considerations Plus Mobile Capture! March 5, 2014. Topics of Discussion
Remote Deposit Capture Customer Due Diligence FFIEC Tier II Exam Considerations Plus Mobile Capture! March 5, 2014 Carolyn C. Dowdy, Speaker Bank Project Solutions does not guaranty by implementing criteria
More informationFight the Noise with SIEM
Fight the Noise with SIEM An Incident Response System Classified: Public An Indiana Bankers Association Preferred Service Provider! elmdemo.infotex.com Managed Security Services by infotex! Page 2 Incident
More informationThe PCI Dilemma. COPYRIGHT 2009. TecForte
The PCI Dilemma Today, all service providers and retailers that process, store or transmit cardholder data have a legislated responsibility to protect that data. As such, they must comply with a diverse
More informationLAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES
LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable
More informationFINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information
FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1
More informationBusiness Continuity Management Software
Business Continuity Management (BCM) Software 1 Business Continuity Management Software All In One Continuity Management Solution A Single Platform Approach Manage entire lifecycle with comprehensive BC
More information2008-2009 2008-2009 TRENDS IN BUSINESS CONTINUITY AND CRISIS COMMUNICATIONS SURVEY
2008-2009 The Second Annual Trends in Business Continuity and Crisis Communications Survey has been completed with over 700 participants from a wide range of industries and organizational sizes. The Disaster
More informationBusiness Continuity and Disaster Planning
WHITE PAPER Business Continuity and Disaster Planning A guide to preparing for the unexpected Robert Drewniak Director, Strategic & Advisory Services Disasters are not always the result of high winds and
More informationREGULATORY COMPLIANCE REGULATORY COMPLIANCE SERVICES. Dynamic Solutions. Superior Results.
REGULATORY COMPLIANCE REGULATORY COMPLIANCE SERVICES Dynamic Solutions. Superior Results. PERSONALIZED HELP THAT RELIEVES THE BURDEN OF MANAGING COMPLIANCE The burden of managing risk and compliance is
More informationUnified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES
Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES HIPAA COMPLIANCE Achieving HIPAA Compliance with Security Professional Services The Health Insurance
More informationEssential Elements of FFIEC Vendor Due Diligence
Essential Elements of FFIEC Vendor Due Diligence Essential Elements of FFIEC Vendor Due Diligence Overview of the Whitepaper This CBIZ Credit Risk Advisory Group whitepaper was written for lenders, financial
More informationCyber Security Auditing for Credit Unions. ACUIA Fall Meeting October 7-9, 2015
Cyber Security Auditing for Credit Unions ACUIA Fall Meeting October 7-9, 2015 Topics Introduction Cyber Security Auditing Program Discuss an effective and compliant Cyber Security Auditing Program from
More informationThe PNC Financial Services Group, Inc. Business Continuity Program
The PNC Financial Services Group, Inc. Business Continuity Program 1 Content Overview A. Introduction Page 3 B. Governance Model Page 4 C. Program Components Page 4 Business Impact Analysis (BIA) Page
More informationBlind spot Banks are increasingly outsourcing more activities to third parties. But they can t outsource the risks.
Blind spot Banks are increasingly outsourcing more activities to third parties. But they can t outsource the risks. For anyone familiar with the banking industry, it comes as no surprise that banks are
More informationWindows Least Privilege Management and Beyond
CENTRIFY WHITE PAPER Windows Least Privilege Management and Beyond Abstract Devising an enterprise-wide privilege access scheme for Windows systems is complex (for example, each Window system object has
More informationEVALUATING YOUR DISASTER READINESS?
EVALUATING YOUR DISASTER READINESS? START WITH YOUR RESPONSE MANAGEMENT VENDOR Business Continuity and Disaster Recovery: Best Practices for Successful Planning What would happen to your organization if
More informationManaging data security and privacy risk of third-party vendors
Managing data security and privacy risk of third-party vendors The use of third-party vendors for key business functions is here to stay. Routine sharing of critical information assets, including protected
More informationMOVING INTO THE DATA CENTRE: BEST PRACTICES FOR SUCCESSFUL COLOCATION
MOVING INTO THE DATA CENTRE: BEST PRACTICES FOR SUCCESSFUL COLOCATION CONTENTS Overview _ 2 FINDING THE RIGHT DATA CENTRE FOR YOUR BUSINESS _ 3 PREPARING FOR THE MOVE 6 MAKING THE MOVE _ 8 summary _ 9
More informationPCI Compliance for Healthcare
PCI Compliance for Healthcare Best practices for securing payment card data In just five years, criminal attacks on healthcare organizations are up by a stunning 125%. 1 Why are these data breaches happening?
More informationYou Can t Sue a Disaster. Assess your risk, plan for disruption, protect your firm
You Can t Sue a Disaster. Assess your risk, plan for disruption, protect your firm Speaker Bios Stacy Colvin Partner Hunton & Williams LLP Practicing law since 1993, Stacy advises on the development and
More informationCyber Security Pr o t e c t i n g y o u r b a n k a g a i n s t d a t a b r e a c h e s
Cyber Security Pr o t e c t i n g y o u r b a n k a g a i n s t d a t a b r e a c h e s 1 Agenda Data Security Trends Root causes of Cyber Attacks How can we fix this? Secure Infrastructure Security Practices
More informationVendor Management: An Enterprise-wide Focus. Susan Orr, CISA CISM CRISC CRP Susan Orr Consulting, Ltd.
Vendor Management: An Enterprise-wide Focus Susan Orr, CISA CISM CRISC CRP Susan Orr Consulting, Ltd. Why Focus on Vendor Management Increased financial regulatory scrutiny GLBA and Identity Theft Red
More informationOperational Risk Management Policy
Operational Risk Management Policy Operational Risk Definition A bank, including a development bank, is influenced by the developments of the external environment in which it is called to operate, as well
More informationDATASHEET CONTROL COMPLIANCE SUITE VENDOR RISK MANAGER 11.1
DATASHEET CONTROL COMPLIANCE SUITE VENDOR RISK MANAGER 11.1 Continuously Assess, Monitor, & Secure Your Information Supply Chain and Data Center Data Sheet: Security Management Is your organization able
More informationFive keys to a more secure data environment
Five keys to a more secure data environment A holistic approach to data infrastructure security Compliance professionals know better than anyone how compromised data can lead to financial and reputational
More information9/14/2015. Before we begin. Learning Objectives. Kevin Secrest IT Audit Manager, University of Pennsylvania
Evaluating and Managing Third Party IT Service Providers Are You Really Getting The Assurance You Need To Mitigate Information Security and Privacy Risks? Kevin Secrest IT Audit Manager, University of
More informationThird Party Relationships
3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 A B D INTRODUCTION AND PURPOSE Background Yes/No Comments 1. Does the credit union maintain a list of the third party
More information4 Critical Risks Facing Microsoft Office 365 Implementation
4 Critical Risks Facing Microsoft Office 365 Implementation So, your organization has chosen to move to Office 365. Good choice. But how do you implement it AND deal with the following issues: Keep email
More informationCONSIDERATIONS BEFORE MOVING TO THE CLOUD
CONSIDERATIONS BEFORE MOVING TO THE CLOUD What Management Needs to Know Part I By Debbie C. Sasso Principal When talking technology today, it s very rare that the word Cloud doesn t come up. The benefits
More informationPAYMENT CARD PROCESSING
CSU The California State University Office of Audit and Advisory Services PAYMENT CARD PROCESSING California State University, Long Beach Audit Report 15-43 January 5, 2016 EXECUTIVE SUMMARY OBJECTIVE
More informationSimply Sophisticated. Information Security and Compliance
Simply Sophisticated Information Security and Compliance Simple Sophistication Welcome to Your New Strategic Advantage As technology evolves at an accelerating rate, risk-based information security concerns
More informationFAQ S: TRUSTWAVE TRUSTKEEPER PCI MANAGER
FAQ S: TRUSTWAVE TRUSTKEEPER PCI MANAGER SAQ FAQ S Q: Should I complete the PCI Wizard or should I go straight to the PCI Forms? A: The PCI Wizard has been designed to simplify the self-assessment requirement
More informationTHE CHANGING FACE OF CYBERCRIME AND WHAT IT MEANS FOR BANKS
THE CHANGING FACE OF CYBERCRIME AND WHAT IT MEANS FOR BANKS David Glockner, Managing Director strozfriedberg.com Overview The big picture: what does cybercrime look like today and how is it evolving? What
More informationREGULATIONS FOR THE SECURITY OF INTERNET BANKING
REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY
More informationOUTSOURCING DUE DILIGENCE FORM
OUTSOURCING DUE DILIGENCE FORM SERVICE TO BE OUTSOURCED 1. Type of service to be outsourced: Accounting/Finance: Compliance Consulting: Legal Services: Administrative Functions: Information Technology:
More informationCOMPONENTS OF A SUCCESSFUL LAN DISASTER RECOVERY PLAN
COMPONENTS OF A SUCCESSFUL LAN DISASTER RECOVERY PLAN By Leo A. Wrobel Technologists often exhibit an unexpected response when asked by management to produce a disaster recovery plan for an automated system.
More informationCloud Computing: Legal Risks and Best Practices
Cloud Computing: Legal Risks and Best Practices A Bennett Jones Presentation Toronto, Ontario Lisa Abe-Oldenburg, Partner Bennett Jones LLP November 7, 2012 Introduction Security and Data Privacy Recent
More informationSteps to recovery. Queensland flood crisis. 19 January 2011
Steps to recovery Queensland flood crisis 19 January 2011 Immediate considerations Business interruption You may have experienced operational outages, IT interruptions as well as disruption to your manufacturing
More informationMoving to the Cloud? DIY VS. MANAGED HOSTING
Moving to the Cloud? DIY VS. MANAGED HOSTING 12 Factors To Consider And Why You Should Be Looking for a Managed Hosting Provider For Your Site or Application as You Move to the Cloud Your site or application
More informationA Best Practice Guide
A Best Practice Guide Contents Introduction [2] The Benefits of Implementing a Privacy Management Programme [3] Developing a Comprehensive Privacy Management Programme [3] Part A Baseline Fundamentals
More informationRemarks by. Thomas J. Curry. Comptroller of the Currency. Before the. Chicago. November 7, 2014
Remarks by Thomas J. Curry Comptroller of the Currency Before the 10 th Annual Community Bankers Symposium Chicago November 7, 2014 Good morning, it s a pleasure to be here today and to have this opportunity
More informationMAINTAINING COMPLIANCE AND MANAGING RISK IN OUTSOURCED ENGAGEMENTS. Nick Harrahill PayPal Global Security Operations
MAINTAINING COMPLIANCE AND MANAGING RISK IN OUTSOURCED ENGAGEMENTS Nick Harrahill PayPal Global Security Operations AGENDA Inception of an engagement The legal agreement Assessing the risk Customer call
More informationPAYMENT CARD PROCESSING
CSU The California State University Office of Audit and Advisory Services PAYMENT CARD PROCESSING California State University, Bakersfield Audit Report 15-42 October 13, 2015 EXECUTIVE SUMMARY OBJECTIVE
More informationPRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES
PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES TECHNICAL COMMITTEE OF THE INTERNATIONAL ORGANIZATION OF SECURITIES COMMISSIONS FEBRUARY 2005 Preamble The IOSCO Technical Committee
More informationHow To Transform Insurance Through Digital Transformation
Digital transformation can help you tame the perfect storm. The digital future for insurance. Following the 2008 financial crisis, the insurance sector has faced tighter regulation, which has made it harder
More informationProtecting your brand in the cloud Transparency and trust through enhanced reporting
Protecting your brand in the cloud Transparency and trust through enhanced reporting Third-party Assurance November 2011 At a glance Cloud computing has unprecedented potential to deliver greater business
More informationCustomer Success Story. Central Logic. Comprehensive SRA helps healthcare software provider safeguard its customer s PHI and ensure HIPAA compliance.
Customer Success Story Central Logic Comprehensive SRA helps healthcare software provider safeguard its customer s PHI and ensure HIPAA compliance. Page 2 of 6 Central Logic Comprehensive SRA helps healthcare
More informationBusiness Continuity Planning. Presentation and. Direction
Business Continuity Planning Presentation and Direction Thomas Bronack, president Data Center Assistance Group, Inc. 15180 20 th Avenue Whitestone, NY 11357 Phone: (718) 591-5553 Email: bronackt@dcag.com
More information