Top 10 Tips for Effectively Assessing Third-party Vendors

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Top 10 Tips for Effectively Assessing Third-party Vendors"

Transcription

1 Top 10 Tips for Effectively Assessing Third-party Vendors Presented by: Tom Garrubba, Manager, Technical Assessments Group, CVS Caremark Web Hull, Senior Privacy & Compliance Specialist, Iron Mountain

2 Top 10 Tips 1. One size doesn t fit all and it isn t free

3 1. One size doesn t fit all and it isn t free! The Role Players Regulators & Standard Setters Customers The Corporation and the Business Units The Vendor Subcontractors/down stream vendors Who does the real work? Employees, 3 rd party, mix, other Program Initiation and Alignment Formula for Implementation Centralized Decentralized Who pays for it

4 Top 10 Tips 1. One size doesn t fit all and it isn t free 2. Determine what data is in-scope for assessment

5 2. Determine what data is in-scope for assessment Who? Regulators (FTC, Federal Reserve, HHS, FDIC, etc.) Industry (PCI) Customers Own criteria What Information? Customer Information Employee information Why? You are compelled to perform due diligence it by law, regulation, standard Your customers demand it as you are putting their info at risk by giving it to another company.

6 Top 10 Tips 1. One size doesn t fit all and it isn t free 2. Determine what data is in-scope for assessment 3. Accurately & thoroughly describe how the data will flow

7 3. Accurately & thoroughly describe how the data will flow Precisely and completely describe Services the vendor will provide; Customer, employee, & company data and information the vendor will collect and/or have access to What the vendor will do with this data and information. Where this data and information will be processed & stored How the data will get to the vendor Any subcontractors to be used

8 Top 10 Tips 1. One size doesn t fit all and it isn t free 2. Determine what data is in-scope for assessment 3. Accurately & thoroughly describe how the data will flow 4. Triage risk High, Medium, & Low

9 4. Triage Risk - High, Medium, & Low Why? Focus limited resources Reduce vendor s efforts How? Short questionnaire 10 + questions Who? Business owner & vendor Other benefits Shape/reduce longer assessment

10 Top 10 Tips 1. One size doesn t fit all and it isn t free 2. Determine what data is in-scope for assessment 3. Accurately & thoroughly describe how the data will flow 4. Triage risk High, Medium, & Low 5. Start with an assessment & data collection instrument

11 5. Start with an assessment and data collection instrument Assessment = A due diligence activity to gain a level of comfort with the overall security, privacy, data protection posture of the vendor Send a questionnaire to them and have it returned for analysis Use an existing questionnaire - SIG Standard Information Gathering - Industry standard questionnaire developed by members of the Shared Assessments ( program Covers all domains of ISO as well as HIPAA-HITRUST, PCS-DSS, CoBIT, NIST, GLBA, Privacy & Cloud Develop & send your own questionnaire Have qualified people assess their responses CISA, CRISC, CISSP, CIPP/US/G/C/IT/IT, Pre-Assessment Phase (i.e., Phase 1) of the VAP Lifecycle

12 5. Start with an assessment and data collection instrument VAP Phase 1: Pre-Assessment Obtain all information regarding the scope of work Find out the data that will be CSTUPD ed Collect Store Transmit Use Process Destroy Converse with the assigned BU and/or the vendor contacts to fully understand what, where, and how s If applicable, determine if the assessment will be handled by an internal or external assessor Send the vendor the questionnaire to be completed

13 5. Start with an assessment and data collection instrument Define Scope Define Data in use (CSTUPD) Distribute questionnaire Phase 1: Pre- Assessment Phase 2: Assessment Perform Kickoff Obtain BU and Vendor Docs Acquire SIG Responses Perform AUP Document CI s Phase 4: Re- Assessment Phase 3: Post- Assessment Reevaluate Data Type Reevaluate Location Risk Scoring Update BU and Vendor Management Track CI s File BU/Vendor Docs Remediate CI s

14 Top 10 Tips 1. One size doesn t fit all and it isn t free 2. Determine what data is in-scope for assessment 3. Accurately & thoroughly describe how the data will flow 4. Triage risk High, Medium, & Low? 5. Start with an assessment & data collection instrument 6. Trust but Verify - Collect evidence

15 6. Trust but Verify Collect evidence VAP Phase 2: Assessment Have a meeting with the BU and vendor to discuss contacts, deliverables, and timelines Request/Review pertinent documentation from: The BU - Contracts, SOW s, NDA s, BAA s The Vendor - SSAE-16 Type II documents; ISO 27001/2 cert, CMM level, NAID, Review the returned questionnaire responses Note contingent items (non-compliant items, findings, etc.) Update BU and Vendor Management Track Contingent Items Compose the assessment report File BU/Vendor Documents Track through remediation all contingent items

16 Top 10 Tips 1. One size doesn t fit all and it isn t free 2. Determine what data is in-scope for assessment 3. Accurately & thoroughly describe how the data will flow 4. Triage risk High, Medium, & Low? 5. Start with an assessment & data collection instrument 6. Trust but Verify - Collect evidence 7. Accept or remediate non-compliant findings

17 7. Accept or remediate non-compliant items Contingent Items (aka: issues, findings, observations, notable items, etc.) You can accept the risk associated with a particular item or You can require remediation of the item Require remediation by the vendor or business unit Risk-rate and prioritize as such Actively monitor until they are closed Escalate to appropriate levels of management if timelines are not met Adjust the timelines if the vendor cannot reasonably meet the target dates

18 7. Accept or remediate non-compliant items Contingent Items 3 Types of CI s Contractual Contracts, SOW s, NDA s, BAA s; Incomplete; Out of date HR-Related Drug testing; Background checks; Credit checks Technical/Operations Typical IT/operations-related issues/findings/observations

19 Top 10 Tips 1. One size doesn t fit all and it isn t free 2. Determine what data is in-scope for assessment 3. Accurately & thoroughly describe how the data will flow 4. Triage risk High, Medium, & Low? 5. Start with an assessment & data collection instrument 6. Trust but Verify - Collect evidence 7. Accept or remediate non-compliant findings 8. Identify & assess critical, downstream vendors/subcontractors

20 8. Identify & assess critical, downstream vendors/subcontractors Down Stream Vendors/Subcontractors If you have a contract with them See if you ve already assessed them; if not then assess them! Request the same documentation as if they were a primary vendor If you don t have a contract with them Work with the primary vendor to obtain documentation Have the primary vendor set up a call to see what the DSV/subcon is willing to provide Use the same assessor if possible (they know the scope of work)!

21 8. Identify & assess critical, downstream vendors/subcontractors Determine the risk of these downstream vendors High, Medium, Low Seek third party attestations and other evidence regarding vendor s high risk vendors. SSAE-16, AUP, ISO 27001/2, PCI cert, etc. Review attestations & make a decision Make sure that your contract contains relevant terms

22 Top 10 Tips 1. One size doesn t fit all and it isn t free 2. Determine what data is in-scope for assessment 3. Accurately & thoroughly describe how the data will flow 4. Triage risk High, Medium, & Low? 5. Start with an assessment & data collection instrument 6. Trust but Verify - Collect evidence 7. Accept or remediate non-compliant findings 8. Identify & assess critical, downstream vendors/subcontractors 9. Determine if/when an on-site review is necessary

23 9. Determine if/when an onsite review is necessary Have the Primary vendor identify its vendors that: Will process, have access to or potential access to, transport, store, protected data Are in another country Determine how the vendor assesses, contracts with, and monitors these vendors You might have to do some work here Conference call interview, other Q & As, Determine if your staff or External Assessors will be needed!

24 Top 10 Tips 1. One size doesn t fit all and it isn t free 2. Determine what data is in-scope for assessment 3. Accurately & thoroughly describe how the data will flow 4. Triage risk High, Medium, & Low? 5. Start with an assessment & data collection instrument 6. Trust but Verify - Collect evidence 7. Accept or remediate non-compliant findings 8. Identify & assess critical, downstream vendors/subcontractors 9. Determine if/when an on-site review is indicated 10. Determine when a reassessment should be performed

25 10. Determine when a reassessment should be performed VAP Phase 4: Re-assessment Start planning by determining what criteria? Based on type of data (PCI, PHI, etc.)? Suggestions include: PCI = Annual PHI, Sensitive PII = Annual Non-sensitive PII, Strategic, other proprietary =??? Based on the geographic location? Onshore Offshore Offshore but with safe harbor agreements Based via scoring system? Risk Rating SIG Other GRC tool In house tool Combination of the above?

26 Top 10 Tips But wait there s more!

27 Top 10 Tips 1. One size doesn t fit all and it isn t free 2. Determine what data is in-scope for assessment 3. Accurately & thoroughly describe how the data will flow 4. Triage risk High, Medium, & Low? 5. Start with an assessment & data collection instrument 6. Trust but Verify - Collect evidence 7. Accept or remediate non-compliant findings 8. Identify & assess critical, downstream vendors/subcontractors 9. Determine if/when an on-site review is indicated 10. Determine when a reassessment should be performed and 11. Retain all assessment data, decisions, & records

28 11. Retain all assessment data, decisions and records Why? You are going to need them later! Regulatory, internal or other audit Something goes wrong (e.g., negative assessment) Reassessment How? GRC system, SharePoint, or some other centralized system. Back It Up (Murphy s Law!)

29 Top 10 Tips And if you call right now!!!

30 BONUS #1 Manage Your External Assessors They are an extension of your VAP team and should be treated as such Discuss their progress at least weekly Ensure they pull you in when the assessment begins to look bad - no surprises! Participate in closing meetings for key/offshore vendors Make sure vendors will accept their NDA s Be prepared for the legal departments to red-line the document! Be prepared to adjust start/end dates

31 BONUS #2 Use Operational Metrics VRB status monitoring Assessments assigned to assessors Internal/external assessments open Pre-assessment review Stage gates monitoring Assessor kickoff How long it takes to get the questionnaire back How long it takes to resolve AUP items (questions, documentation) Assessments in management review Contingencies due in the past 30/60/90/>120 Days

32 Thank You! & Questions?

33 For More Information (412) (617) Resources FAQs and tips for getting started Case studies Enterprise Cloud Computing Guide Detailed comparisons with regulations and international standards (HIPAA/HITECH, PCI, ISO, COBIT, NIST) Members Partners HIPAA HITECH PCI

Developing and Maintaining a World-Class Third Party Risk Assessment Program

Developing and Maintaining a World-Class Third Party Risk Assessment Program Developing and Maintaining a World-Class Third Party Risk Assessment Program Presented by: Tom Garrubba, Senior Director, The Santa Fe Group/Shared Assessments Program Monday, September 15, 2014 - IIA

More information

KLC Consulting, Inc. All Rights Reserved. 1 THIRD PARTY (VENDOR) SECURITY RISK MANAGEMENT

KLC Consulting, Inc. All Rights Reserved. 1 THIRD PARTY (VENDOR) SECURITY RISK MANAGEMENT 1 THIRD PARTY (VENDOR) SECURITY RISK MANAGEMENT About Kyle Lai 2 Kyle Lai, CIPP/G/US, CISSP, CISA, CSSLP, BSI Cert. ISO 27001 LA President of KLC Consulting, Inc. Over 20 years in IT and Security Security

More information

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? Introduction This material is designed to answer some of the commonly asked questions by business associates and other organizations

More information

Vendor Management Panel Discussion. Managing 3 rd Party Risk

Vendor Management Panel Discussion. Managing 3 rd Party Risk Vendor Management Panel Discussion Managing 3 rd Party Risk Vendor Risk at its Finest Vendor Risk at its Finest CVS Care Mark Corporation announced that it had mistakenly sent letters to approximately

More information

SECURITY RISK MANAGEMENT

SECURITY RISK MANAGEMENT SECURITY RISK MANAGEMENT ISACA Atlanta Chapter, Geek Week August 20, 2013 Scott Ritchie, Manager, HA&W Information Assurance Services Scott Ritchie CISSP, CISA, PCI QSA, ISO 27001 Auditor Manager, HA&W

More information

Hans Bos Microsoft Nederland. hans.bos@microsoft.com

Hans Bos Microsoft Nederland. hans.bos@microsoft.com Hans Bos Microsoft Nederland Email: Twitter: hans.bos@microsoft.com @hansbos Microsoft s Cloud Environment Consumer and Small Business Services Software as a Service (SaaS) Enterprise Services Third-party

More information

HITRUST CSF Assurance Program

HITRUST CSF Assurance Program HITRUST CSF Assurance Program Simplifying the information protection of healthcare data 1 May 2015 2015 HITRUST LLC, Frisco, TX. All Rights Reserved Table of Contents Background CSF Assurance Program Overview

More information

CASRO Digital Research Conference Data Security: Don t Risk Being the Weak Link

CASRO Digital Research Conference Data Security: Don t Risk Being the Weak Link CASRO Digital Research Conference Data Security: Don t Risk Being the Weak Link Peter Milla CASRO Technical Consultant/CIRQ Technical Advisor peter@petermilla.com Background CASRO and Standards CASRO takes

More information

Intelligent Vendor Risk Management

Intelligent Vendor Risk Management Intelligent Vendor Risk Management Cliff Baker, Managing Partner, Meditology Services LeeAnn Foltz, JD Compliance Resource Consultant, WoltersKluwer Law & Business Agenda Why it s Needed Regulatory Breach

More information

9/13/2013. 20/20 Vision for Vendor Management & Oversight. Disclaimer. Bank Service Company Act - FIL-49-99

9/13/2013. 20/20 Vision for Vendor Management & Oversight. Disclaimer. Bank Service Company Act - FIL-49-99 20/20 Vision for Vendor Management & Oversight 2013 WBA Technology Conference September 17, 2013 Ken M. Shaurette, CISSP, CISA, CISM, CRISC, IAM Director IT Services Disclaimer The views set forth are

More information

Top 10 Tips and Tools for Meeting Regulatory Requirements and Managing Cloud Computing Providers in the United States and Around the World

Top 10 Tips and Tools for Meeting Regulatory Requirements and Managing Cloud Computing Providers in the United States and Around the World Top 10 Tips and Tools for Meeting Regulatory Requirements and Managing Cloud Computing Providers in the United States and Around the World Web Hull Privacy, Data Protection, & Compliance Advisor Society

More information

Information Security, Privacy and Compliance Convergence

Information Security, Privacy and Compliance Convergence Information Security, Privacy and Compliance Convergence Rebecca Herold, CIPP, CISSP, CISM, CISA, FLMI Rebecca Herold & Associates, LLC April 2009 Agenda Information lifecycles Security and privacy challenges

More information

Technology & Performance - esettlements - spro Vendor Performance

Technology & Performance - esettlements - spro Vendor Performance Technology & Performance - esettlements - spro Vendor Performance Harry Nowell Manager Corporate Procurement Technology and Performance Topic. Session 3: 10 a.m. 10 :40 a.m. Speaker Session 4: 10:50 a.m.

More information

A Flexible and Comprehensive Approach to a Cloud Compliance Program

A Flexible and Comprehensive Approach to a Cloud Compliance Program A Flexible and Comprehensive Approach to a Cloud Compliance Program Stuart Aston Microsoft UK Session ID: SPO-201 Session Classification: General Interest Compliance in the cloud Transparency Responsibility

More information

HIPAA and HITRUST - FAQ

HIPAA and HITRUST - FAQ A COALFIRE WHITE PAPER HIPAA and HITRUST - FAQ by Andrew Hicks, MBA, CISA, CCM, CRISC, HITRUST CSF Practitioner Director, Healthcare Practice Lead Coalfire February 2013 Introduction Organizations are

More information

IIA Conference. September 18, 2015. Paige Needling Director, Global Information Security Recall, Inc.

IIA Conference. September 18, 2015. Paige Needling Director, Global Information Security Recall, Inc. IIA Conference September 18, 2015 Paige Needling Director, Global Information Security Recall, Inc. IT SECURITY UMBRELLA Compliance for IT Data Privacy Protection Privacy Risk Assessment Vulnerability

More information

www.pwc.com Third Party Risk Management 12 April 2012

www.pwc.com Third Party Risk Management 12 April 2012 www.pwc.com Third Party Risk Management 12 April 2012 Agenda 1. Introductions 2. Drivers of Increased Focus on Third Parties 3. Governance 4. Third Party Risks and Scope 5. Third Party Risk Profiling 6.

More information

Third-Party Cybersecurity and Data Loss Prevention

Third-Party Cybersecurity and Data Loss Prevention Third-Party Cybersecurity and Data Loss Prevention SESSION ID: DSP-W04A Brad Keller Sr. Vice President Santa Fe Group Jonathan Dambrot, CISSP CEO, Co-Founder Prevalent Networks 3rd Party Risk Management

More information

Practical Vendor Management to Minimize Compliance Risks November 12, 2015

Practical Vendor Management to Minimize Compliance Risks November 12, 2015 Practical Vendor Management to Minimize Compliance Risks November 12, 2015 v 1 Today s Speakers Ray Everett Principal Consultant & Director Product Management TRUSTe Charlie Miller SVP Shared Assessments

More information

Auditing your institution's cybersecurity incident/breach response plan. Baker Tilly Virchow Krause, LLP

Auditing your institution's cybersecurity incident/breach response plan. Baker Tilly Virchow Krause, LLP Auditing your institution's cybersecurity incident/breach response plan Objectives > Provide an overview of incident/breach response plans and their intended benefits > Describe regulatory/legal requirements

More information

Cloud Security Panel: Real World GRC Experiences. ISACA Atlanta s 2013 Annual Geek Week

Cloud Security Panel: Real World GRC Experiences. ISACA Atlanta s 2013 Annual Geek Week Cloud Security Panel: Real World GRC Experiences ISACA Atlanta s 2013 Annual Geek Week Agenda Introductions Recap: Overview of Cloud Computing and Why Auditors Should Care Reference Materials Panel/Questions

More information

Vendor Management Best Practices

Vendor Management Best Practices 23 rd Annual and One Day Seminar Vendor Management Best Practices Catherine Bruder CPA, CITP, CISA, CISM, CTGA Michigan Texas Florida Insight. Oversight. Foresight. SM Doeren Mayhew Bruder 1 $100 billion

More information

OC Chapter. Vendor Risk Management. Cover the basics of a good VRM program, standards, frameworks, pitfall and best outcomes.

OC Chapter. Vendor Risk Management. Cover the basics of a good VRM program, standards, frameworks, pitfall and best outcomes. OC Chapter Vendor Risk Management. Cover the basics of a good VRM program, standards, frameworks, pitfall and best outcomes. 2 Why Assess a Vendor? You don t want to be a Target for hackers via your vendors

More information

MAINTAINING COMPLIANCE AND MANAGING RISK IN OUTSOURCED ENGAGEMENTS. Nick Harrahill PayPal Global Security Operations

MAINTAINING COMPLIANCE AND MANAGING RISK IN OUTSOURCED ENGAGEMENTS. Nick Harrahill PayPal Global Security Operations MAINTAINING COMPLIANCE AND MANAGING RISK IN OUTSOURCED ENGAGEMENTS Nick Harrahill PayPal Global Security Operations AGENDA Inception of an engagement The legal agreement Assessing the risk Customer call

More information

Cloud Computing Risks & Reality. Sandra Liepkalns, CRISC sandra.liepkalns@netrus.com

Cloud Computing Risks & Reality. Sandra Liepkalns, CRISC sandra.liepkalns@netrus.com Cloud Computing Risks & Reality Sandra Liepkalns, CRISC sandra.liepkalns@netrus.com What is Cloud Security The quality or state of being secure to be free from danger & minimize risk To be protected from

More information

Privacy and Outsourcing

Privacy and Outsourcing Privacy and Outsourcing Doron Rotman, National Privacy Service Leader August 2007 ADVISORY You can outsource liability you can t outsource responsibility and accountability! 1 1 Introduction Sourcing defined

More information

9/14/2015. Before we begin. Learning Objectives. Kevin Secrest IT Audit Manager, University of Pennsylvania

9/14/2015. Before we begin. Learning Objectives. Kevin Secrest IT Audit Manager, University of Pennsylvania Evaluating and Managing Third Party IT Service Providers Are You Really Getting The Assurance You Need To Mitigate Information Security and Privacy Risks? Kevin Secrest IT Audit Manager, University of

More information

Auditing Cloud Computing and Outsourced Operations

Auditing Cloud Computing and Outsourced Operations Session 136 Auditing Cloud Computing and Outsourced Operations Monday, May 7, 2012 3:30 PM 5:00 PM Mike Schiller Director of Sales & Marketing IT, Texas Instruments Co Author, IT Auditing: Using Controls

More information

COMMON HIPAA QUESTIONS

COMMON HIPAA QUESTIONS COMMON HIPAA QUESTIONS 1 As a DevOps platform, we talk to a lot of software engineering teams. Explosive growth in digital health over the last few years means there are many developers and managers who

More information

EMC CONSULTING SECURITY STANDARDS AND COMPLIANCE SERVICES

EMC CONSULTING SECURITY STANDARDS AND COMPLIANCE SERVICES EMC CONSULTING SECURITY STANDARDS AND COMPLIANCE SERVICES Aligning information with business and operational objectives ESSENTIALS Leverage EMC Consulting as your trusted advisor to move your and compliance

More information

THIRD PARTY (VENDOR) SECURITY RISK MANAGEMENT

THIRD PARTY (VENDOR) SECURITY RISK MANAGEMENT 1 THIRD PARTY (VENDOR) SECURITY RISK MANAGEMENT IAPP KnowledgeNet Presentation Boston, April 24, 2012 About Kyle Lai 2 Kyle Lai, CIPP/G/US, CISSP, CISA, CSSLP, BSI Cert. ISO 27001 LA President and CTO

More information

SHARED ASSESSMENTS PROGRAM STANDARDIZED INFORMATION GATHERING (SIG) QUESTIONNAIRE

SHARED ASSESSMENTS PROGRAM STANDARDIZED INFORMATION GATHERING (SIG) QUESTIONNAIRE SHARED ASSESSMENTS PROGRAM STANDARDIZED INFORMATION GATHERING (SIG) QUESTIONNAIRE The Shared Assessments Trust, But Verify Model The Shared Assessments Program Tools are used for managing the vendor risk

More information

Weighing in on the Benefits of a SAS 70 Audit for Third Party Data Centers

Weighing in on the Benefits of a SAS 70 Audit for Third Party Data Centers Weighing in on the Benefits of a SAS 70 Audit for Third Party Data Centers With increasing oversight and growing demands for industry regulations, third party assurance has never been under a keener eye

More information

IT Vendor Due Diligence. Jennifer McGill CIA, CISA, CGEIT IT Audit Director Carolinas HealthCare System December 9, 2014

IT Vendor Due Diligence. Jennifer McGill CIA, CISA, CGEIT IT Audit Director Carolinas HealthCare System December 9, 2014 IT Vendor Due Diligence Jennifer McGill CIA, CISA, CGEIT IT Audit Director Carolinas HealthCare System December 9, 2014 Carolinas HealthCare System (CHS) Second largest not-for-profit healthcare system

More information

Vendor Questions and Answers

Vendor Questions and Answers OHIO DEFERRED COMPENSATION REQUEST FOR PROPOSALS (RFP) FOR COMPREHENSIVE SECURITY ASSESSMENT CONSULTANT Issue Date: December 7, 2016 Written Question Deadline: January 11, 2016 Proposal Deadline: RFP Contact:

More information

Well-Documented Controls Reduce Risk and Support Compliance Initiatives

Well-Documented Controls Reduce Risk and Support Compliance Initiatives White Paper Risks Associated with Missing Documentation for Health Care Providers Well-Documented Controls Reduce Risk and Support Compliance Initiatives www.solutionary.com (866) 333-2133 Many Health

More information

Strategic Compliance & Securing the Cloud. Annalea Sharack-Ilg, CISSP, AMBCI Technical Director of Information Security

Strategic Compliance & Securing the Cloud. Annalea Sharack-Ilg, CISSP, AMBCI Technical Director of Information Security Strategic Compliance & Securing the Cloud Annalea Sharack-Ilg, CISSP, AMBCI Technical Director of Information Security Complexity and Challenges 2 Complexity and Challenges Compliance Regulatory entities

More information

Developing National Frameworks & Engaging the Private Sector

Developing National Frameworks & Engaging the Private Sector www.pwc.com Developing National Frameworks & Engaging the Private Sector Focus on Information/Cyber Security Risk Management American Red Cross Disaster Preparedness Summit Chicago, IL September 19, 2012

More information

Guided HIPAA Compliance

Guided HIPAA Compliance Guided HIPAA Compliance HIPAA Solutions for Office Managers and Practitioners SecurityMetrics We protect business Since its founding in 2000, privately-held SecurityMetrics has grown from a small security

More information

PCI Compliance and the Cloud: What You Can and What You Can t Outsource Presented By:

PCI Compliance and the Cloud: What You Can and What You Can t Outsource Presented By: PCI Compliance and the Cloud: What You Can and What You Can t Outsource Presented By: Peter Spier Managing Director PCI and Risk Assurance Fortrex Technologies Agenda Instructor Biography Background On

More information

Cloud Security and Managing Use Risks

Cloud Security and Managing Use Risks Carl F. Allen, CISM, CRISC, MBA Director, Information Systems Security Intermountain Healthcare Regulatory Compliance External Audit Legal and ediscovery Information Security Architecture Models Access

More information

Optimizing Capability Maturity for Application Security in the Software Development Lifecycle

Optimizing Capability Maturity for Application Security in the Software Development Lifecycle Optimizing Capability Maturity for Application Security in the Software Development Lifecycle Jonathan Davis, CISA, CISSP, CCSK Vice President, Marketing Steve Wolf - Vice President, Application Security

More information

Dodging Breaches from Dodgy Vendors: Tackling Vendor Risk Management in Healthcare

Dodging Breaches from Dodgy Vendors: Tackling Vendor Risk Management in Healthcare Dodging Breaches from Dodgy Vendors: Tackling Vendor Risk Management in Healthcare Strengthening Cybersecurity Defenders #ISC2Congress Healthcare and Security "Information Security is simply a personal

More information

PCI DSS READINESS AND RESPONSE

PCI DSS READINESS AND RESPONSE PCI DSS READINESS AND RESPONSE EMC Consulting Services offers a lifecycle approach to holistic, proactive PCI program management ESSENTIALS Partner with EMC Consulting for your PCI program management and

More information

State of South Carolina Policy Guidance and Training

State of South Carolina Policy Guidance and Training State of South Carolina Policy Guidance and Training Policy Workshop All Agency IT Risk Strategy June 2014 Agenda Questions & Follow-Up Policy Workshop Overview & Timeline Policy Overview: IT Risk Strategy

More information

FINRA Publishes its 2015 Report on Cybersecurity Practices

FINRA Publishes its 2015 Report on Cybersecurity Practices Securities Litigation & Enforcement Client Service Group and Data Privacy & Security Team To: Our Clients and Friends February 12, 2015 FINRA Publishes its 2015 Report on Cybersecurity Practices On February

More information

Maintaining PCI-DSS compliance. Daniele Bertolotti daniele_bertolotti@symantec.com Antonio Ricci antonio_ricci@symantec.com

Maintaining PCI-DSS compliance. Daniele Bertolotti daniele_bertolotti@symantec.com Antonio Ricci antonio_ricci@symantec.com Maintaining PCI-DSS compliance Daniele Bertolotti daniele_bertolotti@symantec.com Antonio Ricci antonio_ricci@symantec.com Sessione di Studio Milano, 21 Febbraio 2013 Agenda 1 Maintaining PCI-DSS compliance

More information

Capabilities Overview

Capabilities Overview Premier Provider of egov Services to the Commonwealth of Virginia Capabilities Overview May 2015 Your One Stop Shop for egov Services CAI ITCL Statement of Work Contract Application Development VITA egov

More information

Bridging the HIPAA/HITECH Compliance Gap

Bridging the HIPAA/HITECH Compliance Gap CyberSheath Healthcare Compliance Paper www.cybersheath.com -65 Bridging the HIPAA/HITECH Compliance Gap Security insights that help covered entities and business associates achieve compliance According

More information

THE BEST PRACTICES FOR DATA SECURITY AND PRIVACY IN VENDOR/ CLIENT RELATIONSHIPS

THE BEST PRACTICES FOR DATA SECURITY AND PRIVACY IN VENDOR/ CLIENT RELATIONSHIPS THE BEST PRACTICES FOR DATA SECURITY AND PRIVACY IN VENDOR/ CLIENT RELATIONSHIPS Data Law Group, P.C. Kari Kelly Deborah Shinbein YOU CAN T OUTSOURCE COMPLIANCE! Various statutes and regulations govern

More information

TOP 10 Security Questions Introduction Breaches and other privacy and security incidents in healthcare are on the rise due to the vast size of the industry and the oneoffs of protected health information

More information

VENDOR MANAGEMENT An Update & Discussion

VENDOR MANAGEMENT An Update & Discussion VENDOR MANAGEMENT An Update & Discussion Ground Rules TO ENCOURAGE FREE DISCUSSION, NO RECORDING DEVICES OF ANY KIND INCLUDING CELL PHONES, CAMERAS, ETC, ARE ALLOWED NO EXCEPTIONS VIOLATORS WILL BE ASKED

More information

HOW SECURE IS YOUR PAYMENT CARD DATA?

HOW SECURE IS YOUR PAYMENT CARD DATA? HOW SECURE IS YOUR PAYMENT CARD DATA? October 27, 2011 MOSS ADAMS LLP 1 TODAY S PRESENTERS Francis Tam, CPA, CISA, CISM, CITP, CRISC, PCI QSA Managing Director PCI Practice Leader Kevin Villanueva,, CISSP,

More information

HIPAA SECURITY RISK ANALYSIS FORMAL RFP

HIPAA SECURITY RISK ANALYSIS FORMAL RFP HIPAA SECURITY RISK ANALYSIS FORMAL RFP ADDENDUM NUMBER: (2) August 1, 2012 THIS ADDENDUM IS ISSUED PRIOR TO THE ACCEPTANCE OF THE FORMAL RFPS. THE FOLLOWING CLARIFICATIONS, AMENDMENTS, ADDITIONS, DELETIONS,

More information

{Are you protected?} Overview of Cybersecurity Services

{Are you protected?} Overview of Cybersecurity Services {Are you protected?} Overview of Cybersecurity Services Why Plante Moran is built on thousands of success stories. CLIENT FOCUS The confidence that the client s needs are put ahead of the firm s by a professional

More information

Adding Cloud Solutions to Customer Contracts Robert J. Scott

Adding Cloud Solutions to Customer Contracts Robert J. Scott Adding Cloud Solutions to Customer Contracts Robert J. Scott MSP vs. Cloud Who owns the hardware? Where does the data reside? Dedicated vs. Multi tenant? Who contracts with 3 rd parties? How are services

More information

Comparing the CSF, ISO/IEC and NIST SP Why Choosing the CSF is the Best Choice

Comparing the CSF, ISO/IEC and NIST SP Why Choosing the CSF is the Best Choice Comparing the CSF, ISO/IEC 27001 and NIST SP 800-53 Why Choosing the CSF is the Best Choice June 2014 Why Choosing the CSF is the Best Choice Introduction Many healthcare organizations realize it is in

More information

Weighing in on the Benefits of a SAS 70 Audit for Payroll Service Providers

Weighing in on the Benefits of a SAS 70 Audit for Payroll Service Providers Weighing in on the Benefits of a SAS 70 Audit for Payroll Service Providers With increasing oversight and growing demands for industry regulations, third party assurance has never been under a keener eye

More information

Consolidated Audit Program (CAP) A multi-compliance approach

Consolidated Audit Program (CAP) A multi-compliance approach Consolidated Audit Program (CAP) A multi-compliance approach ISSA CONFERENCE Carlos Pelaez, Director, Coalfire May 14, 2015 About Coalfire We help our clients recognize and control cybersecurity risk,

More information

Vendor Management: An Enterprise-wide Focus. Susan Orr, CISA CISM CRISC CRP Susan Orr Consulting, Ltd.

Vendor Management: An Enterprise-wide Focus. Susan Orr, CISA CISM CRISC CRP Susan Orr Consulting, Ltd. Vendor Management: An Enterprise-wide Focus Susan Orr, CISA CISM CRISC CRP Susan Orr Consulting, Ltd. Why Focus on Vendor Management Increased financial regulatory scrutiny GLBA and Identity Theft Red

More information

What can HITRUST do for me?

What can HITRUST do for me? What can HITRUST do for me? Dr. Bryan Cline CISO & VP, CSF Development & Implementation Bryan.Cline@HITRUSTalliance.net Jason Taule Chief Security & Privacy Officer Jason.Taule@FEIsystems.com Introduction

More information

Strategies for Integra.ng the HIPAA Security Rule

Strategies for Integra.ng the HIPAA Security Rule Strategies for Integra.ng the HIPAA Rule Kaiser Permanente: Charles Kreling, Execu.ve Director Sherrie Osborne, Director Paulina Fraser, Director Professional Strategies S21 2013 Fall Conference Sail to

More information

Managing Your Privacy Commitments

Managing Your Privacy Commitments www.pwc.com Managing Your Privacy Commitments An update on recent regulatory developments and how to effectively navigate them February 2013 DRAFT FOR DISCUSSION PURPOSES ONLY Agenda Introduction 1. Privacy

More information

Managing Business Risk with HITRUST Leveraging Healthcare s Risk Management Framework

Managing Business Risk with HITRUST Leveraging Healthcare s Risk Management Framework Managing Business Risk with HITRUST Leveraging Healthcare s Risk Management Framework Introduction This presentation is intended to address how an organization can implement the HITRUST Risk Management

More information

Digital Healthcare: Author. A HIPAA compliant cloud strategy. Choosing a Cloud Service Provider. Alex Ginzburg

Digital Healthcare: Author. A HIPAA compliant cloud strategy. Choosing a Cloud Service Provider. Alex Ginzburg : A HIPAA compliant cloud strategy. Choosing a Cloud Service Provider Author Alex Ginzburg VP of Technology, Intervention Insights, Inc. Kanda Software 200 Wells Ave, Newton, MA 02459 617-340-3850 Over

More information

Cybersecurity in the Health Care Sector: HIPAA Responsibilities from a Legal and Compliance Perspective

Cybersecurity in the Health Care Sector: HIPAA Responsibilities from a Legal and Compliance Perspective Cybersecurity in the Health Care Sector: HIPAA Responsibilities from a Legal and Compliance Perspective July 23, 2013 Gerry Hinkley, Pillsbury Allen Briskin, Pillsbury Pillsbury Winthrop Shaw Pittman LLP

More information

Cloudy Privacy Computing

Cloudy Privacy Computing Cloudy Privacy Computing Rebecca Herold, CIPP, CISSP, CISA, CISM, FLMI Final Draft for December 2008 CSI Alert Is cloud computing cumulous or cirrus? At Thanksgiving dinner, some of my relatives (none

More information

Outsourced Third Party Relationship Management/ Vendor Management. TTS Webinar July 15, 2015 Susan Orr CISA, CISM, CRISC, CRP

Outsourced Third Party Relationship Management/ Vendor Management. TTS Webinar July 15, 2015 Susan Orr CISA, CISM, CRISC, CRP Outsourced Third Party Relationship Management/ Vendor Management TTS Webinar July 15, 2015 Susan Orr CISA, CISM, CRISC, CRP 1 Risk Management Guidance 2 3 Appendix J: 4 - Key Elements Third Party Management

More information

Payment Card Industry (PCI) Data Security Standard (DSS) Motorola PCI Security Assessment

Payment Card Industry (PCI) Data Security Standard (DSS) Motorola PCI Security Assessment Payment Card Industry (PCI) Data Security Standard (DSS) Motorola PCI Security Assessment Retail establishments have always been a favorite target of thieves and shoplifters, but today s worst criminals

More information

HOW SECURE IS YOUR PAYMENT CARD DATA? COMPLYING WITH PCI DSS

HOW SECURE IS YOUR PAYMENT CARD DATA? COMPLYING WITH PCI DSS HOW SECURE IS YOUR PAYMENT CARD DATA? COMPLYING WITH PCI DSS August 23, 2011 MOSS ADAMS LLP 1 TODAY S PRESENTERS Presenters Francis Tam, CPA, CISA, CISM, CITP, CRISC, PCI QSA Managing Director, IT Security

More information

You Need To Comply With HIPAA And You Probably Don t Even Know It!

You Need To Comply With HIPAA And You Probably Don t Even Know It! You Need To Comply With HIPAA And You Probably Don t Even Know It! If a hospital or healthcare institution is one of your customers/clients, I hope you changed the way you approached the Health Insurance

More information

Service Organization Control (SOC) Reports Focus on SOC 2 Reporting Standard

Service Organization Control (SOC) Reports Focus on SOC 2 Reporting Standard Information Systems Audit and Controls Association Service Organization Control (SOC) Reports Focus on SOC 2 Reporting Standard February 4, 2014 Tom Haberman, Principal, Deloitte & Touche LLP Reema Singh,

More information

HITECH & The Cloud: Control and Accessibility of Data Downstream

HITECH & The Cloud: Control and Accessibility of Data Downstream HITECH & The Cloud: Control and Accessibility of Data Downstream David Holtzman, OCR (Moderator) James Koenig, Privacy Leader; Health Information Privacy & Security Practice Co-Leader, PricewaterhouseCoopers

More information

HIPAA Requirements for Data Security

HIPAA Requirements for Data Security HIPAA Requirements for Data Security Dennis Schmidt, HIPAA Security Officer UNC School of Medicine March, 2012 What does HIPAA Compliant Mean? It depends! The HIPAA Security Rule does not give many specific

More information

Today s Financial Services IT Organization Delivering Security, Value and Performance Amid Major Transformation

Today s Financial Services IT Organization Delivering Security, Value and Performance Amid Major Transformation Today s Financial Services IT Organization Delivering Security, Value and Performance Amid Major Transformation Assessing the Financial Services Industry Results from Protiviti s 2014 IT Priorities and

More information

Obtaining CSF Certification Lessons Learned and Why Do It

Obtaining CSF Certification Lessons Learned and Why Do It Obtaining CSF Certification Lessons Learned and Why Do It Aaron Miri, Chief Technology Officer, Children s medical Center of Dallas Ryan Sawyer, Director, Technology Risk and Identity Governance, WellPoint

More information

Cloud e-mail services: Security, Compliance and Privacy. Nasos Kladakis Solutions Specialist Microsoft Hellas

Cloud e-mail services: Security, Compliance and Privacy. Nasos Kladakis Solutions Specialist Microsoft Hellas Cloud e-mail services: Security, Compliance and Privacy Nasos Kladakis Solutions Specialist Microsoft Hellas Risk Management Program Overview Information Security Policy Security Privacy & Regulatory Service

More information

PCI Policy Compliance Using Information Security Policies Made Easy. PCI Policy Compliance Information Shield Page 1

PCI Policy Compliance Using Information Security Policies Made Easy. PCI Policy Compliance Information Shield Page 1 PCI Policy Compliance Using Information Security Policies Made Easy PCI Policy Compliance Information Shield Page 1 PCI Policy Compliance Using Information Security Policies Made Easy By David J Lineman

More information

Information Technology: This Year s Hot Issue - Cloud Computing

Information Technology: This Year s Hot Issue - Cloud Computing Information Technology: This Year s Hot Issue - Cloud Computing Presented by: Alan Sutin Global IP & Technology Practice Group GREENBERG TRAURIG, LLP ATTORNEYS AT LAW WWW.GTLAW.COM 2011. All rights reserved.

More information

Payment Card Industry Data Security Standard (PCI DSS) v1.2

Payment Card Industry Data Security Standard (PCI DSS) v1.2 Payment Card Industry Data Security Standard (PCI DSS) v1.2 Joint LA-ISACA and SFV-IIA Meeting February 19, 2009 Presented by Mike O. Villegas, CISA, CISSP 2009-1- Agenda Introduction to PCI DSS Overview

More information

IT Governance, Risk and Compliance (GRC) : A Strategic Priority. Joerg Asma

IT Governance, Risk and Compliance (GRC) : A Strategic Priority. Joerg Asma IT Governance, Risk and Compliance (GRC) : A Strategic Priority Joerg Asma Agenda Introductions An Overview of IT Governance Risk & Compliance (IT-GRC) The Value Proposition Implementing an IT-GRC Program

More information

WHITE PAPER Third-Party Risk Management Lifecycle Guide

WHITE PAPER Third-Party Risk Management Lifecycle Guide WHITE PAPER Third-Party Risk Management Lifecycle Guide Develop and maintain compliant third-party relationships by following these foundational components of a best-practice assessment program. Third

More information

Enabling Compliance Requirements using ISMS Framework (ISO27001)

Enabling Compliance Requirements using ISMS Framework (ISO27001) Enabling Compliance Requirements using ISMS Framework (ISO27001) Shankar Subramaniyan Manager (GRC) Wipro Consulting Services Shankar.subramaniyan@wipro.com 10/21/09 1 Key Objectives Overview on ISO27001

More information

University of Pittsburgh Security Assessment Questionnaire (v1.5)

University of Pittsburgh Security Assessment Questionnaire (v1.5) Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.5) Directions and Instructions for completing this assessment The answers provided

More information

Top Ten Technology Risks Facing Colleges and Universities

Top Ten Technology Risks Facing Colleges and Universities Top Ten Technology Risks Facing Colleges and Universities Chris Watson, MBA, CISA, CRISC Manager, Internal Audit and Risk Advisory Services cwatson@schneiderdowns.com April 23, 2012 Overview Technology

More information

OIG Security Audit: What You Need To Know

OIG Security Audit: What You Need To Know Watch the Replay on YouTube OIG Security Audit: What You Need To Know Executive Series Webinar July 23rd, 2015 Today s Speakers Elana R. Zana Attorney & Author Ogden Murphy Wallace P.L.L.C. ezana@omwlaw.com

More information

Final HIPAA/HITECH Omnibus Rule Makes Significant Changes for Health Plans and Their Business Associates

Final HIPAA/HITECH Omnibus Rule Makes Significant Changes for Health Plans and Their Business Associates Final HIPAA/HITECH Omnibus Rule Makes Significant Changes for Health Plans and Their Business Associates After a very long wait, the Department of Health and Human Services ( HHS ) has issued a final HIPAA/HITECH

More information

OFFICE OF AUDITS & ADVISORY SERVICES CLOUD COMPUTING AUDIT FINAL REPORT

OFFICE OF AUDITS & ADVISORY SERVICES CLOUD COMPUTING AUDIT FINAL REPORT County of San Diego Auditor and Controller OFFICE OF AUDITS & ADVISORY SERVICES CLOUD COMPUTING AUDIT FINAL REPORT Chief of Audits: Juan R. Perez Audit Manager: Lynne Prizzia, CISA, CRISC Senior Auditor:

More information

TOOLS and BEST PRACTICES

TOOLS and BEST PRACTICES TOOLS and BEST PRACTICES Daniele Catteddu Managing Director EMEA, Cloud Security Alliance ABOUT THE CLOUD SECURITY ALLIANCE To promote the use of best practices for providing security assurance within

More information

IT Security & Compliance Risk Assessment Capabilities

IT Security & Compliance Risk Assessment Capabilities ATIBA Governance, Risk and Compliance ATIBA provides information security and risk management consulting services for the Banking, Financial Services, Insurance, Healthcare, Manufacturing, Government,

More information

The New Normal: The Expanding Role of Technology Providers in Payment Processing. Pete S. Johnson

The New Normal: The Expanding Role of Technology Providers in Payment Processing. Pete S. Johnson The New Normal: The Expanding Role of Technology Providers in Payment Processing Pete S. Johnson Recent Market Trends Affecting Role of Technology Providers Transition Brick and Mortar ecommerce Mobile

More information

VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium

VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium 1 VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium 2 Agenda Introduction Vendor Management what is? Available Guidance Vendor Management

More information

VENDOR MANAGEMENT. General Overview

VENDOR MANAGEMENT. General Overview VENDOR MANAGEMENT General Overview With many organizations outsourcing services to other third-party entities, the issue of vendor management has become a noted topic in today s business world. Vendor

More information

Sample Statement of Work

Sample Statement of Work Sample Statement of Work Customer name Brad Miller brad@solidborder.com Fishnet Security Sample Statement of Work: Customer Name Scope of Work Engagement Objectives Customer, TX ( Customer or Client )

More information

Performing Vendor Risk Assessments

Performing Vendor Risk Assessments Performing Vendor Risk Assessments You can outsource the work, but you can t outsource the risk! Presented by Jennifer F Alfafara Consultant, Resources Global Professionals Introduction 2 There is significant

More information

White Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK. By James Christiansen, VP, Information Risk Management

White Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK. By James Christiansen, VP, Information Risk Management White Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK By James Christiansen, VP, Information Management Executive Summary The Common Story of a Third-Party Data Breach It begins with a story in the newspaper.

More information

Compliance Doesn t Mean Security Achieving Security and Compliance with the latest Regulations and Standards

Compliance Doesn t Mean Security Achieving Security and Compliance with the latest Regulations and Standards Compliance Doesn t Mean Security Achieving Security and Compliance with the latest Regulations and Standards Paul de Graaff Chief Strategy Officer Vanguard Integrity Professionals March 11, 2014 Session

More information

CFPB Readiness Series: Compliant Vendor Management Overview

CFPB Readiness Series: Compliant Vendor Management Overview CFPB Readiness Series: Compliant Vendor Management Overview Legal Disclaimer This information is not intended to be legal advice and may not be used as legal advice. Legal advice must be tailored to the

More information

WHITE PAPER Leveraging GRC for PCI DSS Compliance. By: Chris Goodwin, Co-founder and CTO, LockPath

WHITE PAPER Leveraging GRC for PCI DSS Compliance. By: Chris Goodwin, Co-founder and CTO, LockPath WHITE PAPER Leveraging GRC for PCI DSS Compliance By: Chris Goodwin, Co-founder and CTO, LockPath The Payment Card Industry Data Security Standard ( PCI DSS ) is set forth by a consortium of payment card

More information

Identifying and Managing Third Party Data Security Risk

Identifying and Managing Third Party Data Security Risk Identifying and Managing Third Party Data Security Risk Legal Counsel to the Financial Services Industry Digital Commerce & Payments Series Webinar April 29, 2015 1 Introduction & Overview Today s discussion:

More information