Vendor Management. Donald Cristan, VP ISO First United Bank Lubbock, TX
|
|
- Dustin Reynolds
- 8 years ago
- Views:
Transcription
1 Vendor Management Donald Cristan, VP ISO First United Bank Lubbock, TX
2 About Me Donald Cristan Broad Background - Experience Banking Industry since 2002 Information Technology since 1996 CISSP since 2007 Now VP ISO at First United Bank, Lubbock, TX since 2013 Sr. IT Auditor Houston IT Auditing/ Consulting Firm VP ISO for $3.5 billion bank in Lubbock, TX from IT Client Services Manager
3 Overview of Topics Synopsis Presentation Purpose, Caveats and Disclaimers Preface Vendor Management Program Vendor Selection Risk Assessing Vendors Ongoing Monitoring
4 Synopsis Vendor management is a hot topic in the banking industry and receives high exposure during audits and exams Banks are challenged in managing their vendor management program Laws and Regulations Current Environment Banks want to learn and understand how other banks are: Handling their vendor management process Where the opportunities are to improving their program
5 Purpose, Caveats, and Disclaimers This presentation is merely a representation of the work that has provided success in managing our vendor management program at First United Bank I am not an attorney or an expert in banking laws or regulations Some of the views and opinions expressed in this presentation are mine and do not necessarily reflect the views of First United Bank Please consult with your legal team, compliance department, bank executives or external consultants before adopting any of the practices discussed in this presentation
6 Preface Know and understand your banking regulations and laws pertaining to Vendor Management Implement a strong Vendor Management Program that involves key personnel, executives and BOD If possible, bank should centralize their Vendor Management Program to a department or person(s) The challenge is that multiple departments and personnel handle various vendor relations, contracts, and agreements FUB IT Dept currently tracks 300+ vendors (200 IT Vendors and 100+ non-it Vendors)
7 Preface Use a commercial software application for Vendor Management Repository for vendor information, contract information, contract storage, security reports, financials Assists with vendor risk ratings, due diligence reports, risk assessments, performance monitoring, notifications, customer complaint monitoring, OFAC screenings Cost $$ to $$$$ Many vendors to choose from
8 Preface Depending on the application the bank is using and/or the level of reporting the bank requires there may be some manual processes for: Risk Ratings Vendor Due Diligence Ongoing Vendor Monitoring Depending on bank resources (budget and personnel) the vendor management program can be a lengthy process to have a fully centralized vendor management program Vendor Management Program will continuously evolve and change over time
9 Vendor Management Program at First United Bank Recently revamped the current Vendor Management Program Communicated to all Department Managers that IT is centralizing the Vendor Management Program Departments still have the vendor relation All contracts and service agreements tracked by the IT Department Any new projects involving technology must involve the IT Department.
10 Vendor Management Program at First United Bank IT documented all applications, systems, vendor web sites accessed by employees, and data transfer arrangements Matched current vendor information, contracts, and service agreements Contacted the vendor if contracts or agreements were not found or current Contract and agreement renewals (regardless of $, length of term) discussed during monthly IT Committee meeting All other non-it vendor contracts and agreements were collected and added
11 Vendor Management Program at First United Bank Made changes in technical environment not allowing non- IT personnel to: Install SW on PCs or servers Connecting to FTP sites for data transfers Accessing their USB devices or DVD drives to write data to send to vendor Allowing vendors to initiate remote sessions to PCs or servers without the knowledge of IT (current NDA, Confidentiality agreements?)
12 Vendor Management Program at First United Bank Utilize a Project Binder or Project Document to track projects for critical products and services Utilize a Vendor Risk Rating Matrix Risk rating vendors is not a complete science Subjectivity in risk rating computations, criteria, and format Explain / Defend risk ratings Utilize a Vendor Document Matrix Tracks all vendor documents Combination of SW application and manual processes
13 Vendor Selection Current Challenge: Not engaging the IT Dept in the vendor management process early in the selection of vendor product and services causing a dismay of decisions for: Data security Technical infrastructure Vendor relations Contract structuring Risk reviews Lack of executive support Disappointing to find out that a department has acquired a vendor service, hardware, or application after the fact without sufficient due diligence efforts
14 Vendor Selection Critical applications e.g. online banking platforms, mobile banking platforms, web sites, deposit/lending platforms, core systems, mortgage applications Outsourcing arrangements Hosted solutions SW applications HW Managed Services Regardless of the size of the project, ensure good documentation Next, Project Binder or Project Document
15 Project Checklist Critical Product/Services
16 Project Checklist Critical Product/Services
17 Project Checklist Critical Product/Services
18 Project Checklist Critical Product/Services
19 Project Checklist Critical Product/Services
20 Risk Assessing Vendors
21 Vendor Risk Assessment Project Information Vendor Information
22 Vendor Risk Assessment Hardware and Software Information
23 Vendor Risk Assessment IT Support / Vendor Support Information
24 Vendor Risk Assessment Data and Communication
25 Vendor Risk Assessment Documents to be Updated
26 Ongoing Monitoring
27 Vendor Risk Ratings Ongoing Monitoring Automated or Manual process Software Application Depends on available resources SW application probably works best because it will give you a risk rate of your vendor based on predetermined questions Work with the SW vendor to determine the criteria or to understand the criteria for the risk ratings
28 Ongoing Monitoring Manual Ratings Vendor Risk Matrix If resources are available, then manual risk rate Formulas and Calculations are subjective Be prepared to explain or defend your chosen criteria, formulas and overall risk rating score Develop using spreadsheets or database apps What are the key components for ratings?
29 Risk Rate Vendors Type of Service Critical Function Hard-to-Replace Cloud Based Calculate Critical Score
30 Risk Rate Vendors Data Type Data Volume Sensitivity of Data Breach Loss Calculate Critical Score
31 Risk Rate Vendors Calculate the Scores Determine the Risk Rating Critical High Medium Low
32 Vendor Document Collection Collect documentation for Critical and High Risk Rated Vendors Financials Security Reports Information Security Policy / Program Red Flag Compliant Customer Disputes BCP / DR Testing Regulatory Exams Software Application or Spreadsheet / Database
33 Vendor Document Collection Be persistent with your vendors Don t settle for watered down documents Vendors are now providing Vendor Management packets CFO reviews vendor financials and provide a memo documenting review Perform quarterly financial reviews for sub-performing vendors
34 Vendor Documentation
35 Thank you for your time! Contact Information
Vendor Management: An Enterprise-wide Focus. Susan Orr, CISA CISM CRISC CRP Susan Orr Consulting, Ltd.
Vendor Management: An Enterprise-wide Focus Susan Orr, CISA CISM CRISC CRP Susan Orr Consulting, Ltd. Why Focus on Vendor Management Increased financial regulatory scrutiny GLBA and Identity Theft Red
More informationCFPB Readiness Series: Compliant Vendor Management Overview
CFPB Readiness Series: Compliant Vendor Management Overview Legal Disclaimer This information is not intended to be legal advice and may not be used as legal advice. Legal advice must be tailored to the
More informationKLC Consulting, Inc. All Rights Reserved. 1 THIRD PARTY (VENDOR) SECURITY RISK MANAGEMENT
1 THIRD PARTY (VENDOR) SECURITY RISK MANAGEMENT About Kyle Lai 2 Kyle Lai, CIPP/G/US, CISSP, CISA, CSSLP, BSI Cert. ISO 27001 LA President of KLC Consulting, Inc. Over 20 years in IT and Security Security
More information9/13/2013. 20/20 Vision for Vendor Management & Oversight. Disclaimer. Bank Service Company Act - FIL-49-99
20/20 Vision for Vendor Management & Oversight 2013 WBA Technology Conference September 17, 2013 Ken M. Shaurette, CISSP, CISA, CISM, CRISC, IAM Director IT Services Disclaimer The views set forth are
More informationCyber, Security and Privacy Questionnaire
Cyber, Security and Privacy Questionnaire www.fbinsure.com Please note: This is an electronic application. When completed please save and email to: Ed McGuire emcguire@fbinsure.com Cyber, Security & Privacy
More informationHere to Stay. Understand the needs of different business units for security, validation, and monitoring. Frank Jacquette
Now That The Cloud Is Here to Stay Understand the needs of different business units for security, validation, and monitoring Frank Jacquette Jacquette Consulting, Inc. Who is this guy? Founder, CEO, janitor
More informationContingency Plan for HIPAA
TEMPLATE SUITE FOR BUSINESS CONTINUITY PLAN FOR SMALL BUSINESS (LESS THAN 50 EMPLOYEES) INCLUDES Total Cost: $549 Business Impact Analysis Enterprise Business Impact Analysis Survey Short (15 pages) Example
More informationThe Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant
THE MARKET LEADER IN IT, SECURITY AND COMPLIANCE SERVICES FOR COMMUNITY FINANCIAL INSTITUTIONS The Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant Agenda
More informationInformation Security, Privacy and Compliance Convergence
Information Security, Privacy and Compliance Convergence Rebecca Herold, CIPP, CISSP, CISM, CISA, FLMI Rebecca Herold & Associates, LLC April 2009 Agenda Information lifecycles Security and privacy challenges
More informationSecurity Risk Management Strategy in a Mobile and Consumerised World
Security Risk Management Strategy in a Mobile and Consumerised World RYAN RUBIN (Msc, CISSP, CISM, QSA, CHFI) PROTIVITI Session ID: GRC-308 Session Classification: Intermediate AGENDA Current State Key
More informationIT Security Compliance PCI DSS FOR MERCHANTS THE PAYMENT CARD INDUSTRY DATE SECURITY STANDARD WHITE PAPER
July 9 th, 2012 Prepared By: Mark Akins PCI QSA, CISSP, CISA WHITE PAPER IT Security Compliance PCI DSS FOR MERCHANTS THE PAYMENT CARD INDUSTRY DATE SECURITY STANDARD PCI DSS for Merchants The Payment
More informationOUTSOURCING DUE DILIGENCE FORM
OUTSOURCING DUE DILIGENCE FORM SERVICE TO BE OUTSOURCED 1. Type of service to be outsourced: Accounting/Finance: Compliance Consulting: Legal Services: Administrative Functions: Information Technology:
More informationA Checklist for Software as a Service (SaaS) Vendors and Application Service Providers
A Checklist for Software as a Service (SaaS) Vendors and Application Service Providers This checklist is a longer version of a SaaS Checklist that appeared in the July 2009 issue of LAWPRO Magazine at
More informationDEVELOPING A CYBERSECURITY POLICY ARCHITECTURE
TECHNICAL PROPOSAL DEVELOPING A CYBERSECURITY POLICY ARCHITECTURE A White Paper Sandy Bacik, CISSP, CISM, ISSMP, CGEIT July 2011 7/8/2011 II355868IRK ii Study of the Integration Cost of Wind and Solar
More information3 rd -party Security Risk Assessment
3 rd -party Security Risk Assessment Understanding Supplier Chain Risks. Presented by: Nasser Fattah CISSP, CISM, CISA, CGEIT Email: nasser.fattah@gmail.com Linkedin: www.linkedin.com/in/nasserfattah April
More informationREGULATIONS FOR THE SECURITY OF INTERNET BANKING
REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY
More informationIT Environments Management
IT Environments Management IT Environments Management is probably one of the most misunderstood concepts in terms of the part it plays within the IT Organisation as a whole, especially its contribution
More informationInformation Security Policies and Procedures Development Framework for Government Agencies. First Edition - 1432 AH
Information Security Policies and Procedures Development Framework for Government Agencies First Edition - 1432 AH 6 Contents Chapter 1 Information Security Policies and Procedures Development Framework
More informationWhat We ll Cover. Assessing Risk. Common elements in risk assessments NCUA categories of risk Risk assessments required by law
Assessing Risk It s the Law What We ll Cover Common elements in risk assessments NCUA categories of risk Risk assessments required by law What to assess Factors to consider When to assess Resources to
More informationStrategies and Best Practices to Implement a Successful Data Loss Prevention Program Sebastian Brenner, CISSP
Strategies and Best Practices to Implement a Successful Data Loss Prevention Program Sebastian Brenner, CISSP Principal Systems Engineer Symantec LAMC Agenda 1 What DLP is and its purpose 2 Challenges
More informationServices Providers. Ivan Soto
SOP s for Managing Application Services Providers Ivan Soto Learning Objectives At the end of this session we will have covered: Types of Managed Services Outsourcing process Quality expectations for Managed
More informationWhite Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK. By James Christiansen, VP, Information Risk Management
White Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK By James Christiansen, VP, Information Management Executive Summary The Common Story of a Third-Party Data Breach It begins with a story in the newspaper.
More information08/10/2013. Data protection and compliance. Agenda. Data protection life cycle and goals. Introduction. Data protection overview
Data protection and compliance In the cloud and in your data center 1 November 2013 Agenda 1 Introduction 2 Data protection overview 3 Understanding the cloud 4 Where do I start? 5 Wrap-up Page 2 Data
More informationMAINTAINING COMPLIANCE AND MANAGING RISK IN OUTSOURCED ENGAGEMENTS. Nick Harrahill PayPal Global Security Operations
MAINTAINING COMPLIANCE AND MANAGING RISK IN OUTSOURCED ENGAGEMENTS Nick Harrahill PayPal Global Security Operations AGENDA Inception of an engagement The legal agreement Assessing the risk Customer call
More informationVENDOR MANAGEMENT. General Overview
VENDOR MANAGEMENT General Overview With many organizations outsourcing services to other third-party entities, the issue of vendor management has become a noted topic in today s business world. Vendor
More informationOutsourcing Technology Services A Management Decision
Outsourcing Technology Services A Management Decision A Telephone Seminar for National Banks Tuesday, July 20, 2004 And again on Wednesday, July 21, 2004 Agenda Outsourcing activities and relationships
More informationPosition Description University Information Security Officer Miami University
Position Description University Information Security Officer Miami University Basic Function and Responsibility: The University Information Security Officer (ISO) position is responsible for development,
More informationJeanne Kelly, Partner Cloud Computing: The Legal Issues
Jeanne Kelly, Partner Cloud Computing: The Legal Issues 14 June 2010 One of the things we really need to watch out for is that we don t hold cloud deployment back because we have some storyline about how
More information8 Techniques to Improve Your Bank s Vendor Management Program. IBAT TechMecca
8 Techniques to Improve Your Bank s Vendor Management Program IBAT TechMecca February 4, 2014 Speaker 512-351-3700 bsmith@aboundresources.com Brad Smith President, Abound Resources 20+ years experience
More informationVendor Management Challenge Doing More with Less
Vendor Management Challenge Doing More with Less Megan Hertzler Assistant General Counsel Director of Data Privacy Xcel Energy Boris Segalis Partner InfoLawGroup LLP Session ID: GRC-402 Insert presenter
More informationHIPAA Myths. WEDI Regional Affiliates. Chris Apgar, CISSP Apgar & Associates
HIPAA Myths WEDI Regional Affiliates Chris Apgar, CISSP Apgar & Associates Overview Missed Regulatory Requirements Common HIPAA Privacy Myths Common HIPAA Security Myths Other Related Myths Finding the
More informationHow To Deal With Cloud Computing
A LEGAL GUIDE TO CLOUD COMPUTING INTRODUCTION Many companies are considering implementation of cloud computing services to decrease IT costs while providing the flexibility to scale usage on demand. The
More informationwww.pwc.com Third Party Risk Management 12 April 2012
www.pwc.com Third Party Risk Management 12 April 2012 Agenda 1. Introductions 2. Drivers of Increased Focus on Third Parties 3. Governance 4. Third Party Risks and Scope 5. Third Party Risk Profiling 6.
More informationPII Compliance Guidelines
Personally Identifiable Information (PII): Individually identifiable information from or about an individual customer including, but not limited to: (a) a first and last name or first initial and last
More informationIsaac Willett April 5, 2011
Current Options for EHR Implementation: Cloud or No Cloud? Regina Sharrow Isaac Willett April 5, 2011 Introduction Health Information Technology for Economic and Clinical Health Act ( HITECH (HITECH Act
More informationQuality Programs for Regulatory Compliance
Quality Programs for Regulatory Compliance Roy Garris, IconATG Regulatory Compliance Practice Manager (866) 785-4266 http://www.iconatg.com info@iconatg.com Version 1.00 Application Vulnerabilities Put
More informationElements of an Effective Compliance System
Registrant Outreach Seminar June 23 and 25, 2015 Elements of an Effective Compliance System Presenters: Trevor Walz, Dena Di Bacco and Stratis Kourous Compliance and Registrant Regulation Branch Disclaimer
More informationIntroduction to Vendor Management
Introduction to Vendor Management BOI October 15, 2013 Speaker Brad Smith President, Abound Resources More than 20 years experience helping community bank achieve their business goals with technology 500+
More informationService Exchange Network
Service Exchange Network ATTORNEYS PROCESS SERVERS COURTS SERVEX CONNECT AUTOMATE REPORT ServeX Powerful Interface for Law Firms and Process Servers Connects the law office to all process servers (participation
More informationPrivacy Best Practices
Privacy Best Practices Mount Royal University Electronic Collection/Storage/Transmission of Personal (Google Drive/Forms/Docs) Google Suite: Document, Presentation, Spreadsheet, Form, Drawing Overview
More informationWhat does HIPAA Compliant mean? Session 137 April 15, 2015
What does HIPAA Compliant mean? Session 137 April 15, 2015 Dana DeMasters, MN, RN, CHPS Privacy/Security Officer Liberty Hospital Tom Walsh, CISSP President & CEO tw-security DISCLAIMER: The views and
More informationSaaS, PaaS & TaaS. By: Raza Usmani
SaaS, PaaS & TaaS By: Raza Usmani SaaS - Introduction Software as a service (SaaS), sometimes referred to as "on-demand software. software and its associated data are hosted centrally (typically in the
More informationHIPAA Myths. WEDI Member Town Hall. Chris Apgar, CISSP Apgar & Associates
HIPAA Myths WEDI Member Town Hall Chris Apgar, CISSP Apgar & Associates Overview Missed Regulatory Requirements Common HIPAA Privacy Myths Common HIPAA Security Myths Other Related Myths Finding the Right
More informationCoverholder audit scope Questions. version 2
Coverholder audit scope Questions version 2 6 February 2014 coverholder AudIT SCOPE DRAFT V1.35 Key Contacts Delegated Authorities Team General enquiries: +44 (0)20 7327 6275 Systems help: +44 (0)20 7327
More informationHIPAA MYTHS: DON T ALWAYS BELIEVE WHAT YOU HEAR. Chris Apgar, CISSP
HIPAA MYTHS: DON T ALWAYS BELIEVE WHAT YOU HEAR Chris Apgar, CISSP 2015 OVERVIEW Missed Regulatory Requirements Common HIPAA Privacy Myths Common HIPAA Security Myths Other Related Myths Finding the Right
More informationInformation Technology Internal Audit Report
Information Technology Internal Audit Report Report #2014-05 July 25, 2014 Table of Contents Page Executive Summary... 3 Background Information... 4 Background... 4 Audit Objectives... 4 Scope and Testing
More informationCyber Security Pr o t e c t i n g y o u r b a n k a g a i n s t d a t a b r e a c h e s
Cyber Security Pr o t e c t i n g y o u r b a n k a g a i n s t d a t a b r e a c h e s 1 Agenda Data Security Trends Root causes of Cyber Attacks How can we fix this? Secure Infrastructure Security Practices
More informationCloud Computing. What is Cloud Computing?
Cloud Computing What is Cloud Computing? Cloud computing is where the organization outsources data processing to computers owned by the vendor. Primarily the vendor hosts the equipment while the audited
More informationCloud Computing: Contracting and Compliance Issues for In-House Counsel
International In-house Counsel Journal Vol. 6, No. 23, Spring 2013, 1 Cloud Computing: Contracting and Compliance Issues for In-House Counsel SHAHAB AHMED Director Legal and Corporate Affairs, Microsoft,
More informationCourse Description for IT Supervisory Themes and Emerging Topics (S&R Technology Lab)
Federal Reserve Board of Governors Course Description for IT Supervisory Themes and Emerging Topics (S&R Technology Lab) Last Revised: June 2009 STREAM Supervision Technology Risks Educate, Analyze and
More informationWho s Regulating Whom & What are the Requirements: Banks As Payment Services Providers
Who s Regulating Whom & What are the Requirements: Banks As Payment Services Providers Tony DaSilva, AAP, CISA S&R Senior Technical Expert Federal Reserve Bank of Atlanta Disclaimer The opinions expressed
More informationIT Insights. Managing Third Party Technology Risk
IT Insights Managing Third Party Technology Risk According to a recent study by the Institute of Internal Auditors, more than 65 percent of organizations rely heavily on third parties, yet most allocate
More informationTRUE TITLE BEST PRACTICES
TRUE TITLE BEST PRACTICES Mission Statement The American Land Title Association (ALTA) seeks to guide its membership on best practices to protect consumers, promote quality service, provide for ongoing
More informationInformation Security Team
Title Document number Add document Document status number Draft Owner Approver(s) CISO Information Security Team Version Version history Version date 0.01-0.05 Initial drafts of handbook 26 Oct 2015 Preface
More informationPerforming Vendor Risk Assessments
Performing Vendor Risk Assessments You can outsource the work, but you can t outsource the risk! Presented by Jennifer F Alfafara Consultant, Resources Global Professionals Introduction 2 There is significant
More informationUW Platteville Credit Card Handling Policy
UW Platteville Credit Card Handling Policy Issued: December 2011 Revision History: November 7, 2013; July 11, 2014; November 1, 2014; August 24, 2015 Overview: In order for UW Platteville to accept credit
More informationTable of Contents. Table of Contents... 1. Chapter 1 Introduction... 5. Sample. Chapter 2 Monitoring and Quality Control... 8
[ Client]... 1 Chapter 1 Introduction... 5 1.1 Goals and Objectives... 5 1.2 Required Review... 5 1.3 Applicability... 5 1.4 Role and Responsibilities of the Compliance Officer... 6 1.5 Role and Responsibilities
More informationLEVERAGE TECHNOLOGY TO EMPOWER INTERNAL AUDIT
LEVERAGE TECHNOLOGY TO EMPOWER INTERNAL AUDIT PRESENTED BY: BRYAN BURNHART, CISA NORTH AMERICAN PRE-SALES MANAGER THOMSON REUTERS GRC COLLEGES AND UNIVERSITIES 2010 Thomson Reuters. All Rights Reserved.
More informationInformation audits in a perimeter-less world
Information audits in a perimeter-less world Jayesh Kamat Practice Head Risk Advisory services Seclore Partner The Business Challenge Information Value Some day, on the corporate balance sheet, there will
More informationThird-Party Cybersecurity and Data Loss Prevention
Third-Party Cybersecurity and Data Loss Prevention SESSION ID: DSP-W04A Brad Keller Sr. Vice President Santa Fe Group Jonathan Dambrot, CISSP CEO, Co-Founder Prevalent Networks 3rd Party Risk Management
More informationREGULATORY COMPLIANCE. Dynamic Solutions. Superior Results.
REGULATORY COMPLIANCE Dynamic Solutions. Superior Results. STREAMLINE, STRENGTHEN AND SIMPLIFY YOUR COMPLIANCE EFFORTS CSI S AUTOMATED, DYNAMIC SOLUTIONS MITIGATE RISK, DECREASE COSTS AND IMPROVE COMPLIANCE
More informationInformation security controls. Briefing for clients on Experian information security controls
Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian s operations. The vast majority of modern organisations face
More information7Seven Things You Need to Know About Long-Term Document Storage and Compliance
7Seven Things You Need to Know About Long-Term Document Storage and Compliance Who Is Westbrook? Westbrook Technologies, based in Branford on the Connecticut coastline, is an innovative software company
More informationSECURITY RISK MANAGEMENT
SECURITY RISK MANAGEMENT ISACA Atlanta Chapter, Geek Week August 20, 2013 Scott Ritchie, Manager, HA&W Information Assurance Services Scott Ritchie CISSP, CISA, PCI QSA, ISO 27001 Auditor Manager, HA&W
More informationSoftware as a Service Decision Guide and Best Practices
Software as a Service Decision Guide and Best Practices Purpose of this document Software as a Service (SaaS) is software owned, delivered and managed remotely by one or more providers [Gartner, SaaS Hype
More informationCORL Dodging Breaches from Dodgy Vendors
CORL Dodging Breaches from Dodgy Vendors Tackling Vendor Security Risk Management in Healthcare Introductions Cliff Baker 20 Years of Healthcare Security experience PricewaterhouseCoopers, HITRUST, Meditology
More informationRemote Deposit Capture Customer Due Diligence FFIEC Tier II Exam Considerations Plus Mobile Capture! March 5, 2014. Topics of Discussion
Remote Deposit Capture Customer Due Diligence FFIEC Tier II Exam Considerations Plus Mobile Capture! March 5, 2014 Carolyn C. Dowdy, Speaker Bank Project Solutions does not guaranty by implementing criteria
More informationDisaster Recovery Checklist Disaster Recovery Plan for <System One>
Disaster Recovery Plan for SYSTEM OVERVIEW PRODUCTION SERVER HOT SITE SERVER APPLICATIONS (Use bold for Hot Site) ASSOCIATED SERVERS KEY CONTACTS Hardware Vendor System Owners Database Owner
More informationInformation for Management of a Service Organization
Information for Management of a Service Organization Copyright 2011 American Institute of Certified Public Accountants, Inc. New York, NY 10036-8775 All rights reserved. For information about the procedure
More informationPAYMENT CARD PROCESSING
CSU The California State University Office of Audit and Advisory Services PAYMENT CARD PROCESSING California State University, Bakersfield Audit Report 15-42 October 13, 2015 EXECUTIVE SUMMARY OBJECTIVE
More informationCOMPLIANCE MANAGEMENT SYSTEM
COMPLIANCE MANAGEMENT SYSTEM Ensuring Your Bank Meets Regulatory Standards Overview of Compliance Exams Examination Purpose: Assess the quality of an institution s compliance management system (CMS) for
More informationVendor Management Panel Discussion. Managing 3 rd Party Risk
Vendor Management Panel Discussion Managing 3 rd Party Risk Vendor Risk at its Finest Vendor Risk at its Finest CVS Care Mark Corporation announced that it had mistakenly sent letters to approximately
More informationManaging Open Source Code Best Practices
Managing Open Source Code Best Practices September 24, 2008 Agenda Welcome and Introduction Eran Strod Open Source Best Practices Hal Hearst Questions & Answers Next Steps About Black Duck Software Accelerate
More informationIT Cloud / Data Security Vendor Risk Management Associated with Data Security. September 9, 2014
IT Cloud / Data Security Vendor Risk Management Associated with Data Security September 9, 2014 Speakers Brian Thomas, CISA, CISSP In charge of Weaver s IT Advisory Services, broad focus on IT risk, security
More informationHow To Understand Cloud Computing
CLOUD COMPUTING Jillian Raw Partner, Kennedys http://www.kennedys-law.com/jraw/ Cloud Computing- what they say about it the cloud will transform the information technology industry profoundly change the
More informationType of Personal Data We Collect and How We Use It
Philips Lumify App Privacy Notice This Privacy Notice was last changed on September 1, 2015. Philips Electronics North America Corporation ("Philips") strongly believes in protecting the privacy of the
More informationCouncil, 14 May 2015. Information Governance Report. Introduction
Council, 14 May 2015 Information Governance Report Introduction 1.1 The Information Governance function within the Secretariat Department is responsible for the HCPC s ongoing compliance with the Freedom
More information5/29/2015. Auditing IT Contracts From Afar. Disclaimer. Agenda
Auditing IT Contracts From Afar Ensuring Compliance Michael Carr, JD, CISSP, CIPP Director, Enterprise IT Architecture & Chief Information Security Officer University of Kentucky June 2015 Disclaimer The
More informationIntelligent Vendor Risk Management
Intelligent Vendor Risk Management Cliff Baker, Managing Partner, Meditology Services LeeAnn Foltz, JD Compliance Resource Consultant, WoltersKluwer Law & Business Agenda Why it s Needed Regulatory Breach
More informationDisaster Recovery Business Continuity Premium Edition
Brochure More information from http://www.researchandmarkets.com/reports/2787481/ Disaster Recovery Business Continuity Premium Edition Description: The Disaster Recovery Plan (DRP) Template PREMIUM Edition
More informationWhite paper: Nine Simple Steps to Vendor Management
White paper: Nine Simple Steps to Vendor Management March 2014 White Paper: Nine Simple Steps to Vendor Management Using a third-party vendor naturally subjects an institution to risks outside its control.
More informationThe Use of Cloud Computing for the Storing and Accessing of Client Information: Some Practical and Ethical Considerations
The Use of Cloud Computing for the Storing and Accessing of Client Information: Some Practical and Ethical Considerations Jeffrey D. Scott Jeffrey D. Scott, Legal Professional Corporation Practice Advisors
More informationHengtian Information Security White Paper
Hengtian Information Security White Paper March, 2012 Contents Overview... 1 1. Security Policy... 2 2. Organization of information security... 2 3. Asset management... 3 4. Human Resources Security...
More informationTHIRD PARTY. T i m L i e t z R e g i o n a l P r a c t i c e L e a d e r R i s k A d v i s o r y S e r v i c e s
MANAGING THIRD PARTY RISK T i m L i e t z R e g i o n a l P r a c t i c e L e a d e r R i s k A d v i s o r y S e r v i c e s Experis -- a different kind of talent company. Experis Tuesday, January 08,
More information9/14/2015. Before we begin. Learning Objectives. Kevin Secrest IT Audit Manager, University of Pennsylvania
Evaluating and Managing Third Party IT Service Providers Are You Really Getting The Assurance You Need To Mitigate Information Security and Privacy Risks? Kevin Secrest IT Audit Manager, University of
More informationBNSync User License Agreement
BNSync User License Agreement This Agreement ("Agreement") contains the complete terms and conditions that apply to your installation and use of BNSync, a proprietary software product that is owned and
More informationInformation Services and Technology THIRD PARTY CONNECTION AGREEMENT
Information Services and Technology THIRD PARTY CONNECTION AGREEMENT This Third Party Network Connection Agreement (the Agreement ) by and between Information Services and Technology (IS&T), with principal
More informationWeighing in on the Benefits of a SAS 70 Audit for Payroll Service Providers
Weighing in on the Benefits of a SAS 70 Audit for Payroll Service Providers With increasing oversight and growing demands for industry regulations, third party assurance has never been under a keener eye
More informationCredit Union Liability with Third-Party Processors
World Council of Credit Unions Annual Conference Credit Union Liability with Third-Party Processors Andrew (Andy) Poprawa CEO, Deposit Insurance Corporation of Ontario Canada 1 Credit Union Liability with
More informationCloud models and compliance requirements which is right for you?
Cloud models and compliance requirements which is right for you? Bill Franklin, Director, Coalfire Stephanie Tayengco, VP of Technical Operations, Logicworks March 17, 2015 Speaker Introduction Bill Franklin,
More informationUnderstanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions
Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions Table of Contents Understanding HIPAA Privacy and Security... 1 What
More informationEvaluation Guide: Enterprise Social Relationship Platforms
Evaluation Guide: Enterprise Social Relationship Platforms A Guide to Evaluating Enterprise Social Relationship Platforms For any organization that uses social media, it s no longer practical to operate
More informationDeciphering the Safe Harbor on Breach Notification: The Data Encryption Story
Deciphering the Safe Harbor on Breach Notification: The Data Encryption Story Healthcare organizations planning to protect themselves from breach notification should implement data encryption in their
More informationData Transfer and Security Best Practice Principles for UK-based businesses that collect and use data for online lead generation
Online Lead Generation: Data Transfer and Security Best Practice Principles for UK-based businesses that collect and use data for online lead generation Version: 1.1 Released: 10 March 2011 Updated: 02
More informationHow To Make A Multi-Tenant Platform Secure And Secure
Authentication As A Service Why new Cloud based Authentication solutions will be adopted by about 50% of the companies by 2017? Jason Hart CISSP CISM VP Cloud Solutions What a great world Today's World
More informationA Buyer's Guide to Data Loss Protection Solutions
A Buyer's Guide to Data Loss Protection Solutions 2010 Websense, Inc. All rights reserved. Websense is a registered trademark of Websense, Inc. in the United States and certain international markets. Websense
More informationVendor Management Compliance Top 10 Things Regulators Expect
Vendor Management Compliance Top 10 Things Regulators Expect Peter Davey, AAP VP & Director, Enterprise Payments, CapitalOne Pamela T. Rodriguez, AAP, CIA, CISA EVP, Risk Management & Education, EastPay
More informationPost-Class Quiz: Business Continuity & Disaster Recovery Planning Domain
1. What is the most common planned performance duration for a continuity of operations plan (COOP)? A. 30 days B. 60 days C. 90 days D. It depends on the severity of a disaster. 2. What is the business
More informationGoing All In on Board Reporting
Going All In on Board Reporting February 13, 2014 10:15 A.M to 11:15 A.M. Tony DaSilva, AAP, CISA Senior Examiner, Federal Reserve Bank of Atlanta Rajiv Donde President, Laru Technologies Peter Davey,
More information