Third-Party Risk Management for Life Sciences Companies
April 2016

Third-Party Risk Management for Life Sciences Companies: Five Leading Practices for Data Protection

By Mindy Herman, PMP, and Michael Lucas, CISSP

Crowe Horwath | Audit Tax Advisory Risk Performance
The last thing a life sciences company wants is to have proprietary information stolen or confidential data made public. When a company delegates responsibility for data security to an outside party, the risk of compromised data increases and managing that risk becomes more complex. When the company relies on a great many outside parties for a wide array of services, the third-party risk multiplies along with the complexity of managing it. That is when a mature and effective third-party risk management program is required.
As life sciences companies (pharmaceutical, medical device, and biotechnology companies) increasingly rely on third parties for a variety of services, the challenges of effectively managing the associated risks are growing dramatically. Anybody trying to determine the sheer scope of third-party relationships throughout an enterprise is likely to be overwhelmed. In addition, successful coordination of third-party risk management efforts in a global organization requires planning, resources, and time.

A company's use of third parties can be considered its extended enterprise: a risk landscape stretching well beyond its doors and firewalls. A life sciences company is likely to use third parties that employ technology throughout its value chain, from research and development to marketing. Third parties with access to sensitive information, such as intellectual property, clinical trial patients' health records, and proprietary product development data, extend the risk of the organization. Consider a research division that engages a supplier for cloud storage of molecule development details that are the intellectual property of the division's company. A supplier with weak IT controls that permit an attacker to steal or otherwise compromise the intellectual property could put the company's future earnings at risk.

Five Leading Practices

Companies often find setting expectations for third parties a challenge, partly because risks vary with each third-party relationship. To comprehensively evaluate third parties' performance and mitigate the risk of working with them, a company first must establish the applicable processes and performance standards that third parties will be expected to adhere to. Setting expectations at the beginning of a relationship helps to maximize the value the company derives from the third party and to manage the associated risks in line with those expectations. As the number and complexity of third-party relationships increase, it is important for companies to task people who know the organization with creating and carrying out work plans that address risk while managing the execution of contracted commitments.

Although every company has its own organizational dynamic, certain actions can help companies overcome the challenges of establishing an effective third-party risk management program, especially when information security and privacy are concerns. Based on our experience working with life sciences companies, we recommend that a company include these practices in its third-party risk management program:

1. Create a comprehensive list of third parties.
2. Focus assessments on the most relevant risks.
3. Increase the granularity of assessments.
4. Realize risk reduction by closing identified gaps.
5. Manage decisions with risk data visualization.

A short discussion of each of these recommendations follows.
Identify Third Parties

Establishing a clear and authoritative list of all third parties is often a more complex undertaking than expected. Companies with less mature risk management programs often do not have a complete book of record. In other cases, even if a company has a strong procurement process for engaging third parties, business units might circumvent the process and engage a third party directly, or add on services that increase risk exposure, further complicating efforts to get a handle on the use of outside parties. Following are some techniques for identifying third parties and creating a master list:

- Monitor network traffic (for example, web proxy or DNS logs) for connections to cloud service providers that do not appear in procurement records.
- Compare exported accounts payable vendor lists with the list of known third parties.
- Examine purchasing-card (P-card) spending, which often bypasses procurement review.
- Go beyond vendors to include alliances and research partners, license arrangements, and other cooperative agreements.
- Include affiliates and globally procured services.

Focus Assessments on the Most Relevant Risks

Identifying all third parties that work with a company can yield a long list. It would be inefficient for most companies to assess the risk associated with every single third party they engage. Instead, companies typically narrow the third-party book of record into a more manageable list by using an inherent risk assessment that produces a quantifiable value based on the type of services provided and the risks associated with those services. The risk assessment should consist of a series of questions that align with how the company uses the third party and drill down into the characteristics that affect the likelihood and the impact of the associated risks. Following are some of the questions that can help assess risk related to protecting intellectual property, clinical trial data, and privacy:

- By what means does the third party access the company's data (for example, a hosted application in the third party's own environment, a SaaS application, or remote access into company systems)?
- How sensitive is the data?
- Is personal information, such as contact details, Social Security numbers, or medical records, included?
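The first two discovery techniques listed under Identify Third Parties, reconciling an accounts payable export against the book of record and watching network traffic for cloud providers, lend themselves to simple automation. The following Python example is added here and is not code from the paper; the vendor names, amounts, hostnames and log lines are constructed, and the legal-suffix normalization and two-label domain collapsing are simplifications a practitioner would replace with the company's own vendor-master conventions and the Public Suffix List.

```python
"""Build a list of third-party candidates from two constructed data sources:
an accounts payable (AP) export and a web-proxy log. Added example for the
techniques listed under Identify Third Parties; not code from the paper.
Vendor names, hostnames and amounts below are constructed, not real."""
from __future__ import annotations

import csv
import io
import re
from collections import Counter

# Constructed AP export. The same supplier appears twice with different
# spellings, which is exactly why normalization is needed.
AP_EXPORT_CSV = """\
vendor,amount_usd
"Acme Cloud Storage, Inc.",48200
ACME CLOUD STORAGE INC,1200
Beta Clinical Labs LLC,310000
Gamma Analytics Ltd.,9950
Office Depot,412
"""

# The company's existing third-party book of record (constructed).
KNOWN_THIRD_PARTIES = {"Acme Cloud Storage", "Beta Clinical Labs"}

# Constructed proxy log: timestamp, client IP, method, destination host, status.
PROXY_LOG = """\
2016-04-01T09:12:03Z 10.20.1.15 GET files.acme-cloud.example 200
2016-04-01T09:12:09Z 10.20.1.15 POST api.gamma-analytics.example 200
2016-04-01T09:13:44Z 10.20.2.8 GET www.newshare.example 200
2016-04-01T09:13:50Z 10.20.2.8 PUT upload.newshare.example 201
2016-04-01T09:14:01Z 10.20.3.3 GET intranet.corp.example 200
"""

KNOWN_CLOUD_DOMAINS = {"acme-cloud.example"}   # domains tied to registered vendors
INTERNAL_DOMAINS = {"corp.example"}            # the company's own domains

# Legal-form suffixes that vary between AP entries and contracts (assumed list).
_LEGAL_SUFFIXES = re.compile(
    r"\b(inc|incorporated|llc|ltd|limited|corp|corporation|co|plc|gmbh|ag|sa)\b\.?",
    re.IGNORECASE,
)


def normalize_vendor(name: str) -> str:
    """Canonicalize a vendor name so that 'Acme Cloud Storage, Inc.' and
    'ACME CLOUD STORAGE INC' compare equal."""
    lowered = _LEGAL_SUFFIXES.sub("", name.lower())
    alnum = re.sub(r"[^a-z0-9 ]", " ", lowered)
    return " ".join(alnum.split())


def unregistered_vendors(ap_csv: str, known: set[str]) -> dict[str, float]:
    """Return {canonical vendor name: total spend} for AP payees that are
    missing from the third-party book of record."""
    known_norm = {normalize_vendor(k) for k in known}
    spend: Counter[str] = Counter()
    for row in csv.DictReader(io.StringIO(ap_csv)):
        spend[normalize_vendor(row["vendor"])] += float(row["amount_usd"])
    return {v: amt for v, amt in spend.items() if v not in known_norm}


def registrable_domain(host: str) -> str:
    """Collapse a hostname to its last two labels. Sufficient for the
    constructed data; real deployments should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def unknown_cloud_domains(log_text: str, known: set[str], internal: set[str]) -> dict[str, int]:
    """Count requests per external domain that is neither internal nor tied
    to a registered third party: candidates for unapproved cloud use."""
    counts: Counter[str] = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed lines rather than guess at them
        domain = registrable_domain(fields[3])
        if domain in internal or domain in known:
            continue
        counts[domain] += 1
    return dict(counts)


if __name__ == "__main__":
    print("AP payees not in book of record:",
          unregistered_vendors(AP_EXPORT_CSV, KNOWN_THIRD_PARTIES))
    print("External domains not in book of record:",
          unknown_cloud_domains(PROXY_LOG, KNOWN_CLOUD_DOMAINS, INTERNAL_DOMAINS))
```

In the constructed data the same unregistered supplier (Gamma Analytics) surfaces from both sources: it is being paid through AP and receiving POST traffic from a workstation, yet it is absent from the book of record. That is the business-unit-bypass case described above, and reconciling the two outputs against each other is how a practitioner would prioritize which candidates to onboard into the program first.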
At the end of a risk assessment, each third party receives a risk rating on a defined scale. These ratings allow the list to be prioritized further and let the company decide which third parties require due diligence. If clinical trial details identifying 10,000 patients are stored in the third party's system, the risks associated with using a software as a service (SaaS) application are higher than the risks of using a hosted application that contains only anonymous marketing data about consumers. Companies should assess other risk areas, such as operational, patient safety, regulatory, compliance, pipeline, contractual, and financial risks, in addition to data security risks, so that all relevant areas are addressed at once. Coordinating assessment activities across the company's control functions makes effective use of both the company's and the third party's time.

Increase the Granularity of Assessments

Control assessments are essential for pinpointing the gaps: areas in which risk could be heightened because third-party controls do not meet company standards. A control assessment investigates whether a third party has protections in place that are adequate for providing the service or services it was engaged to deliver. To confirm that the third party is meeting the company's previously established expectations, this effort should be tied closely to the company's policies and standards. The control assessment's in-depth analysis often covers areas such as the following:

- Personnel management. What are the third party's personnel controls, and how does it screen applicants? Are appropriate policies and procedures in place to govern employees and their activities?
- Network. How is data loss prevented? How strong are the network's detective and preventive controls? Are the network access controls adequate?
- Data management. Is an adequate user management process in place? Is encryption used to help ensure that only authorized personnel can access information?
- Platform security. Would the patch and vulnerability management process in place be able to prevent or thwart an attack on the system?

Sometimes third parties are reluctant to share documents during a control assessment. Using a screen-sharing tool to review documents without transferring copies is one way to navigate this challenge. In addition, third parties might be more willing to share Statement on Standards for Attestation Engagements (SSAE) 16 and Service Organization Control (SOC) reports. Those documents, however, rarely contain all of the information an in-depth assessment requires: a SOC 1 report under SSAE 16 is scoped to controls relevant to the user entity's financial reporting, and even a SOC 2 report on the security and confidentiality criteria covers only the system described in the report and the period examined, which may not match the service the company actually consumes. This underscores the importance of the data gathered in a granular control assessment.
Realize Risk Reduction by Closing Identified Gaps

An effective third-party risk management program not only detects risks but also helps to close the identified gaps. Many companies struggle in this area; they might excel at identifying gaps but find it difficult to close them. Tracking gaps with a corrective and preventive action (CAPA) process and tasking the business unit that engaged the third party with strengthening the identified weaknesses can help to reduce the risks. It is also helpful for the company to have someone providing oversight and technology enablement to track the gaps until they are closed. Following are a few approaches to addressing gaps identified by a control assessment:

- Remediate the risk. Third parties often respond to a client's concerns by fixing identified gaps, for example by patching their systems, strengthening firewall rules, or addressing poor password protection.
- Mitigate the exposure. A company might take action on its own to mitigate identified risks. For example, a company could limit the types or quantity of sensitive data a third party processes, thus decreasing the relationship's overall risk.
- Accept the risk. With an understanding of the potential risk, a company could decide to accept the control gap.
- Terminate the relationship. If remediating, mitigating, or accepting the risk associated with a particular third party is not possible, a company might decide to stop working with that party.

Whichever option is chosen, it should be recorded against the specific gap, with an owner and a target date, so that the residual risk the company is actually carrying is visible rather than assumed.

Manage Decisions With Risk Data Visualization

To contribute meaningfully to a company's risk management program, stakeholders need to possess the right information and understand how to interpret it. Interactive dashboards and graphics, as well as static charts and diagrams, are useful tools for visualizing risk data and supporting each individual's and team's decision-making processes. For example, employees who directly oversee third parties can benefit from actionable and specific reports that highlight the risk areas that must be accepted, mitigated, or remediated. Particularly when a third party works with multiple areas of a business, reporting clarifies what needs to be done and assigns accountability for each activity. It is also beneficial for company employees on the front lines of risk management to revisit risk assessments periodically, because the company's third-party relationships expand or otherwise change over time. Revisiting them periodically helps to ensure that the risk management activities the company undertakes with a third party match the risk profile for using that party.
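The rating scale described under Focus Assessments on the Most Relevant Risks, and the "mitigate the exposure" option under Realize Risk Reduction by Closing Identified Gaps, can be made concrete with a small scoring model. The Python example below is added here and is not the paper's method: the access and sensitivity weights, the record-count thresholds, the tier cut-offs and the engagement names are illustrative assumptions chosen for this demonstration, not an industry standard. It scores the two engagements the paper contrasts (a SaaS application holding 10,000 identified patients versus a hosted application holding anonymous marketing data), adds the molecule-storage example from the introduction, and then recomputes the trial engagement after the company minimizes the identified data it sends.

```python
"""Inherent risk scoring for third-party engagements, with residual risk
recomputed after a mitigation. Added example; not the paper's method.
The weights, thresholds and tier cut-offs are illustrative assumptions
chosen for this demonstration, not an industry standard."""
from __future__ import annotations

from dataclasses import dataclass, replace

# Assumed weights: how the third party touches company data ...
ACCESS_WEIGHT = {
    "none": 0,                  # no access to company data
    "company_hosted": 1,        # data stays in company systems, third party logs in
    "third_party_hosted": 2,    # dedicated instance run by the third party
    "saas": 3,                  # multi-tenant SaaS, least company control
}
# ... and the classification of the most sensitive data involved.
SENSITIVITY_WEIGHT = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

IP_WEIGHT = 2                   # trade secrets or product development data involved


@dataclass(frozen=True)
class Engagement:
    name: str
    access: str                 # key into ACCESS_WEIGHT
    sensitivity: str            # key into SENSITIVITY_WEIGHT
    identified_persons: int     # records that identify a real person; 0 if anonymous
    intellectual_property: bool


def record_weight(identified_persons: int) -> int:
    """Step function on the number of identified-person records (assumed cut-offs)."""
    if identified_persons <= 0:
        return 0
    if identified_persons < 1_000:
        return 1
    if identified_persons < 100_000:
        return 2
    return 3


def inherent_score(e: Engagement) -> int:
    """Additive score; an unknown answer raises KeyError rather than silently scoring 0."""
    return (ACCESS_WEIGHT[e.access]
            + SENSITIVITY_WEIGHT[e.sensitivity]
            + record_weight(e.identified_persons)
            + (IP_WEIGHT if e.intellectual_property else 0))


def tier(score: int) -> str:
    """Map a score (0 to 11 with these weights) onto the rating scale."""
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def rate(e: Engagement) -> tuple[int, str]:
    """Return (score, tier) for an engagement."""
    score = inherent_score(e)
    return score, tier(score)


def mitigate_by_data_minimization(e: Engagement, remaining_persons: int) -> Engagement:
    """The 'mitigate the exposure' option: the company reduces how many
    identified records the third party ever receives; nothing else changes."""
    return replace(e, identified_persons=remaining_persons)


# The two engagements contrasted in the paper, plus the research-storage example.
TRIAL_SAAS = Engagement("clinical trial SaaS", "saas", "restricted", 10_000, False)
MARKETING_HOSTED = Engagement("hosted marketing app", "third_party_hosted", "internal", 0, False)
MOLECULE_STORAGE = Engagement("molecule data cloud storage", "saas", "restricted", 0, True)

if __name__ == "__main__":
    for e in (TRIAL_SAAS, MARKETING_HOSTED, MOLECULE_STORAGE):
        print(f"{e.name}: {rate(e)}")
    # Residual risk if trial data is pseudonymized before it reaches the SaaS.
    print("after data minimization:", rate(mitigate_by_data_minimization(TRIAL_SAAS, 0)))
```

The point of the last call is the one the gap-closing section makes: the company can lower the rating without the third party changing anything, simply by sending less identifying data. The tier drops from high to medium rather than to low because the SaaS access model and the restricted classification of what remains are unchanged; a practitioner would record that residual tier, not the original one, when deciding how much ongoing due diligence the relationship warrants.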
At the same time, other stakeholders might need to understand the company's entire portfolio of risk and the relevant developing trends. This group needs both to see the bigger picture, by category, functional area, or specific risk, and to drill down into details. More detailed queries could, for example, be about high-residual-risk third parties that store or process sensitive information, or high-operational-risk third parties with unresolved disaster recovery gaps.

Because third-party risk is managed by multiple people in an organization, each stakeholder in the third-party risk management process needs to understand his or her role and responsibilities and have the information needed to carry them out efficiently. When the employees with accountability for managing risk have access to reliable, data-driven reports, program efficacy increases. Further, the board of directors needs accurate reports in order to fulfill its fiduciary duty to see that risks of all kinds, including third-party risks, are managed appropriately.

Perpetual Vigilance

Developing a complete third-party book of record, prioritizing risks, and increasing the granularity of risk assessments are valuable ways to determine where a life sciences company's most relevant risks related to service providers might hide. However, if the company does not mitigate the identified risks actively and consistently, it is unlikely to reach its goals. Putting a consistent level of effort into the entire cycle of the program is more likely to close control gaps, reduce the risk associated with the use of third parties, and protect the important data that life sciences companies store and use.

It can be daunting to begin building a risk management framework from the ground up, or even to admit that an existing system needs improvement. Once committed to sustaining an effective third-party risk management program, however, a company is likely to be prepared to anticipate potential threats rather than simply react to them. Dedicating time and resources up front is likely to reduce risk and deliver a return on the investment in third-party relationships, enabling companies to reduce costs, focus on core business activities, and encourage innovation.
Contact Information

Mindy Herman is a principal with Crowe Horwath LLP and can be reached at mindy.herman@crowehorwath.com. Michael Lucas is with Crowe and can be reached at michael.lucas@crowehorwath.com.

In accordance with applicable professional standards, some firm services may not be available to attest clients. This material is for informational purposes only and should not be construed as financial or legal advice. Please seek guidance specific to your organization from qualified advisers in your jurisdiction.

Crowe Horwath LLP, an independent member of Crowe Horwath International. crowehorwath.com/disclosure
More informationAddressing Cloud Computing Security Considerations
Addressing Cloud Computing Security Considerations with Microsoft Office 365 Protect more Contents 2 Introduction 3 Key Security Considerations 4 Office 365 Service Stack 5 ISO Certifications for the Microsoft
More informationFive keys to a more secure data environment
Five keys to a more secure data environment A holistic approach to data infrastructure security Compliance professionals know better than anyone how compromised data can lead to financial and reputational
More informationCloud Security Trust Cisco to Protect Your Data
Trust Cisco to Protect Your Data As cloud adoption accelerates, organizations are increasingly placing their trust in third-party cloud service providers (CSPs). But can you fully trust your most sensitive
More informationSeamless Mobile Security for Network Operators. Build a secure foundation for winning new wireless services revenue.
Seamless Mobile Security for Network Operators Build a secure foundation for winning new wireless services revenue. New wireless services drive revenues. Faced with the dual challenges of increasing revenues
More informationWelcome to Modulo Risk Manager Next Generation. Solutions for GRC
Welcome to Modulo Risk Manager Next Generation Solutions for GRC THE COMPLETE SOLUTION FOR GRC MANAGEMENT GRC MANAGEMENT AUTOMATION EASILY IDENTIFY AND ADDRESS RISK AND COMPLIANCE GAPS INTEGRATED GRC SOLUTIONS
More informationCYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility
CYBER SECURITY AND RISK MANAGEMENT An Executive level responsibility Cyberspace poses risks as well as opportunities Cyber security risks are a constantly evolving threat to an organisation s ability to
More informationRisky Business. Is Your Cybersecurity in Cruise Control? ISACA Austin Chapter Meeting May 5, 2015
Risky Business Is Your Cybersecurity in Cruise Control? ISACA Austin Chapter Meeting May 5, 2015 What We ll Cover About Me Background The threat Risks to your organization What your organization can/should
More informationTHE BLUENOSE SECURITY FRAMEWORK
THE BLUENOSE SECURITY FRAMEWORK Bluenose Analytics, Inc. All rights reserved TABLE OF CONTENTS Bluenose Analytics, Inc. Security Whitepaper ISO 27001/27002 / 1 The Four Pillars of Our Security Program
More informationDelphi Information 3 rd Party Security Requirements Summary. Classified: Public 5/17/2012. Page 1 of 11
Delphi Information 3 rd Party Security Requirements Summary Classified: Public 5/17/2012 Page 1 of 11 Contents Introduction... 3 Summary for All Users... 4 Vendor Assessment Considerations... 7 Page 2
More informationdefense through discovery
defense through discovery about krypton krypton is an advisory and consulting services firm, specialized in the domain of information technology (it) and it-related security krypton is a partnership amongst
More informationHITRUST CSF Assurance Program
HITRUST CSF Assurance Program Simplifying the information protection of healthcare data 1 May 2015 2015 HITRUST LLC, Frisco, TX. All Rights Reserved Table of Contents Background CSF Assurance Program Overview
More informationGuide for the Role and Responsibilities of an Information Security Officer Within State Government
Guide for the Role and Responsibilities of an Information Security Officer Within State Government Table of Contents Introduction 3 The ISO in State Government 4 Successful ISOs Necessary Skills and Abilities
More informationDetect, Contain and Control Cyberthreats
A SANS Whitepaper Written by Eric Cole, PhD June 2015 Sponsored by Raytheon Websense 2015 SANS Institute Introduction Dwell Time Relates to damage because the longer a system is compromised, the bigger
More informationRETHINKING CYBER SECURITY Changing the Business Conversation
RETHINKING CYBER SECURITY Changing the Business Conversation October 2015 Introduction: Diane Smith Michigan Delegate Higher Education Conference Speaker Board Member 2 1 1. Historical Review Agenda 2.
More informationDomain 1 The Process of Auditing Information Systems
Certified Information Systems Auditor (CISA ) Certification Course Description Our 5-day ISACA Certified Information Systems Auditor (CISA) training course equips information professionals with the knowledge
More informationBusiness resilience: The best defense is a good offense
IBM Business Continuity and Resiliency Services January 2009 Business resilience: The best defense is a good offense Develop a best practices strategy using a tiered approach Page 2 Contents 2 Introduction
More informationPreemptive security solutions for healthcare
Helping to secure critical healthcare infrastructure from internal and external IT threats, ensuring business continuity and supporting compliance requirements. Preemptive security solutions for healthcare
More informationBest Practices for Building a Security Operations Center
OPERATIONS SECURITY Best Practices for Building a Security Operations Center Diana Kelley and Ron Moritz If one cannot effectively manage the growing volume of security events flooding the enterprise,
More informationCORE INSIGHT ENTERPRISE: CSO USE CASES FOR ENTERPRISE SECURITY TESTING AND MEASUREMENT
CORE INSIGHT ENTERPRISE: CSO USE CASES FOR ENTERPRISE SECURITY TESTING AND MEASUREMENT How advancements in automated security testing software empower organizations to continuously measure information
More informationPenetration Testing Service. By Comsec Information Security Consulting
Penetration Testing Service By Consulting February, 2007 Background The number of hacking and intrusion incidents is increasing year by year as technology rolls out. Equally, there is no hiding place your
More informationFFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors
Overview for Chief Executive Officers and Boards of Directors In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council 1 (FFIEC) developed
More informationPCI Compliance for Healthcare
PCI Compliance for Healthcare Best practices for securing payment card data In just five years, criminal attacks on healthcare organizations are up by a stunning 125%. 1 Why are these data breaches happening?
More informationData Governance for Financial Institutions
August 2013 Data Governance for Financial Institutions Regulatory Compliance Requires More Than Just Technology A White Paper by Raj Chaudhary, Michael Del Giudice, Tapan P. Shah, and Christopher J. Sifter
More informationRSA ARCHER AUDIT MANAGEMENT
RSA ARCHER AUDIT MANAGEMENT Solution Overview INRODUCTION AT A GLANCE Align audit plans with your organization s risk profile and business objectives Manage audit planning, prioritization, staffing, procedures
More informationThe introduction covers the recent changes is security threats and the effect those changes have on how we protect systems.
1 Cyber-attacks frequently take advantage of software weaknesses unintentionally created during development. This presentation discusses some ways that improved acquisition practices can reduce the likelihood
More informationWHITE PAPER. Mitigate BPO Security Issues
WHITE PAPER Mitigate BPO Security Issues INTRODUCTION Business Process Outsourcing (BPO) is a common practice these days: from front office to back office, HR to accounting, offshore to near shore. However,
More informationCybersecurity: Learn Critical Strategies to Protecting Your Enterprise November 6, 2013 1:00PM EST
Cybersecurity: Learn Critical Strategies to Protecting Your Enterprise November 6, 2013 1:00PM EST November 6, 2013 Copyright 2013 Trusted Computing Group 1 November 6, 2013 Copyright 2013 Trusted Computing
More informationInformation security governance has become an essential
Copyright 2007 ISACA. All rights reserved. www.isaca.org. Developing for Effective John P. Pironti, CISA, CISM, CISSP, ISSAP, ISSMP Information security governance has become an essential element of overall
More informationVisual Strategic Planning
9909 Mira Mesa Blvd. San Diego, CA 92131 Phone: 800-768-3729 Phone: 858-225-3300 Fax: 858-225-3390 www.smartdraw.com Visual Strategic Planning Thinking and Communicating Visually in the Strategic Planning
More informationADVISORY SERVICES. Risk management in an evolving world. Making the case for social media governance. kpmg.com
ADVISORY SERVICES Risk management in an evolving world Making the case for social media governance kpmg.com Risk management in an evolving world 3 Why good governance should be the foundation of your social
More information