2014 Vendor Risk Management Benchmark Study
Introduction/Executive Summary

"You can have all the security in the world inside your company's four walls, but all it takes is a compromise at one third-party vendor that's connected to you. This creates a bridge directly into your organization."
Rocco Grillo, Protiviti Managing Director and Shared Assessments Program Steering Committee Member

As the volume of outsourced products and services has surged in recent years, so, too, have the risks associated with vendors and third-party providers. This is occurring in highly regulated industries such as financial services and healthcare, in media and retail (as seen in recent news), and in any organization that relies on third-party vendors to manage operations and processes. These vendors include not just data management, IT and security providers, but also facilities management (cleaning, HVAC) and any other vendor that may have access to your network, data or facilities.

The list of standards and regulations with third-party risk implications is long: Consumer Financial Protection Bureau (CFPB) regulations, ISO 27001/2, the PCI Security Standards Council's data security standards, the Office of the Comptroller of the Currency (OCC) Third-Party Risk Guidance, and NIST's Cybersecurity Framework. The urgency to address this risk is further driven home by recent massive and highly publicized security breaches at several large companies, and by the resulting public and regulatory scrutiny of the way personal data is managed in a global IT environment.

Despite this, for most organizations, understanding vendor risk and how to manage it appropriately has thus far been more art than science. This is changing in part with the development of the first comprehensive Vendor Risk Management Maturity Model (VRMMM) by the Shared Assessments Program, a consortium of leading financial institutions, Big Four accounting firms and key service providers dedicated to helping organizations understand and manage vendor risk effectively.
The VRMMM sets forth best practices for developing a comprehensive third-party risk program and allows a company to evaluate its program's maturity against development goals. The Shared Assessments Program recently partnered with Protiviti, a global consulting firm, to conduct a third-party risk management benchmarking study based on this maturity model.

Vendor Risk Management Overall Maturity by Area

Category  /  Maturity Level
Program Governance  2.9
Policies, Standards, Procedures  2.9
Contracts  3.0
Vendor Risk Identification and Analysis  2.7
Skills and Expertise  2.3
Communication and Information Sharing  2.6
Tools, Measurement and Analysis  2.4
Monitoring and Review
"If you're outsourcing to or relying on a third party, you can't just shut the door and say it's someone else's problem. You can outsource the function but you ultimately own the risk. If a third party doesn't have the same controls in place or the level of controls you need from a risk management standpoint, you have a serious risk to address."
Brad Keller, Senior Vice President & Program Director, The Santa Fe Group (which manages the Shared Assessments Program)

The study revealed some interesting trends:

Financial services organizations tend to have relatively mature vendor risk management programs compared to other companies. This is not a surprise given the highly regulated nature of the financial services industry.

Organizations in the insurance subset are at a lower level of maturity in their vendor risk management compared to the financial services set. This finding is a surprise given that the insurance industry also is highly regulated. The results suggest there is substantial room for growth among insurance organizations.

Notable areas for improvement include program governance, and policies, standards and procedures. While there is no standard, one-size-fits-all approach to vendor risk management, given the nuanced differences between industries and organizations, having mature program governance capabilities, as well as established policies, standards and procedures for vendor risk management, is considered a fundamental step. These two areas should serve as the foundation for establishing effective vendor risk management practices in other areas. Yet the survey results show that most organizations are no more advanced in these critical areas than they are in other components of vendor risk management.
Methodology

The Vendor Risk Management Survey was conducted by the Shared Assessments Program and Protiviti in the fourth quarter of 2013 and the first quarter of. Using governance as the foundational element, this survey is designed to review the components of a comprehensive vendor risk management program. Close to 450 respondents were presented with different components of vendor risk under eight categories related to vendor risk management:

Program Governance
Policies, Standards, Procedures
Contracts
Vendor Risk Identification and Analysis
Skills and Expertise
Communication and Information Sharing
Tools, Measurement and Analysis
Monitoring and Review

For each component, respondents were asked to rate its maturity level as it applies to their organization, according to the following scale:

0 = Do not perform
1 = Initial visioning
2 = Determine roadmap to achieve goals
3 = Fully defined and established
4 = Fully implemented and operational
5 = Continuous improvement benchmarking, moving to best practices
Program Governance
Overall Level of Maturity: 2.9

Key Observations

Organizations have a higher level of maturity around articulating goals and objectives and ensuring vendor management projects are aligned with those objectives in terms of risk management, security and privacy, among other areas. However, organizations are not allocating enough resources to ensure these key risk and performance targets are met. A higher level of maturity is also needed in communicating the importance of risk-based vendor management to the organization and in using key risk and performance metrics to inform vendor risk policy.

Program Governance Overall Results

Vendor Risk Component  /  Maturity Level
We articulate the goals and objectives of our organization  3.3
We define vendor management policies that include risk management, security, privacy and other areas that are in alignment with our existing organizational policies and objectives  3.1
We define organizational structures that establish responsibility and accountability for overseeing our vendor relationships  3.1
We revise corporate vendor risk policy as needed to achieve strategic objectives  2.8
We define risk monitoring practices and establish an escalation process for exception conditions  2.8
We communicate to our organization the requirements for risk-based vendor management  2.8
We determine the business value expected from our outsourced business relationships, we understand the acceptable range of business risks our organization is willing to assume in pursuing these benefits, and we determine that risks are in alignment with our vendor risk policy  2.8
We align specific vendor management objectives with our strategic organizational objectives  2.8
We evaluate key risk and performance indicators provided in management and board reporting  2.7
We allocate sufficient resources for vendor risk management activities  2.7

Commentary

Governance serves as the foundational element of every risk program. Because it provides support for every other element of the program, it is essential that a strong and comprehensive governance structure is in place as part of any vendor risk management program.
Program Governance Industry Results

[Chart: maturity level of components (a) through (j), broken out by Financial Services, Healthcare, Insurance and All Others; the bar values did not survive transcription.]

a  We define organizational structures that establish responsibility and accountability for overseeing our vendor relationships
b  We articulate the goals and objectives of our organization
c  We align specific vendor management objectives with our strategic organizational objectives
d  We define vendor management policies that include risk management, security, privacy and other areas that are in alignment with our existing organizational policies and objectives
e  We allocate sufficient resources for vendor risk management activities
f  We communicate to our organization the requirements for risk-based vendor management
g  We determine the business value expected from our outsourced business relationships, we understand the acceptable range of business risks our organization is willing to assume in pursuing these benefits, and we determine that risks are in alignment with our vendor risk policy
h  We define risk monitoring practices and establish an escalation process for exception conditions
i  We evaluate key risk and performance indicators provided in management and board reporting
j  We revise corporate vendor risk policy as needed to achieve strategic objectives
Program Governance Focus on the Financial Services Industry*

[Chart: maturity level of each component, broken out by company revenue: $500M to $1B, $1B to $5B, $5B to $10B, $10B to $20B, More than $20B; the bar values did not survive transcription.]

Vendor Risk Component
We define organizational structures that establish responsibility and accountability for overseeing our vendor relationships
We articulate the goals and objectives of our organization
We align specific vendor management objectives with our strategic organizational objectives
We define vendor management policies that include risk management, security, privacy and other areas that are in alignment with our existing organizational policies and objectives
We allocate sufficient resources for vendor risk management activities
We communicate to our organization the requirements for risk-based vendor management
We determine the business value expected from our outsourced business relationships, we understand the acceptable range of business risks our organization is willing to assume in pursuing these benefits, and we determine that risks are in alignment with our vendor risk policy
We define risk monitoring practices and establish an escalation process for exception conditions
We evaluate key risk and performance indicators provided in management and board reporting
We revise corporate vendor risk policy as needed to achieve strategic objectives

* Does not include insurance companies
Policies, Standards, Procedures
Overall Level of Maturity: 2.9

Key Observations

All organizations demonstrate a fair amount of maturity in their vendor selection and contract management processes, including due diligence processes and key personnel assignments. Most organizations have room to grow when it comes to assigning risk to vendors as part of the vendor selection and review processes and integrating this vendor-related risk into the organization's overall risk strategy. Organizations are also lacking in involving senior management in both the approval of vendor policy and risk tiers.

There is a notable difference between financial services organizations and other companies when it comes to risk policy, risk assignment and the selection of vendors based on these criteria. The financial services industry is much more risk-conscious, and senior management is more involved in the risk assignment process.

One area of concern is the lower maturity around vendor exit criteria and process, pointing to potential weaknesses or inconsistencies in performing periodic vendor reviews and risk (re)assignments.

Policies, Standards, Procedures Overall Results

Vendor Risk Component  /  Maturity Level
We have identified key positions involved in the contract management process  3.2
We have created a process for managing contracts  3.2
We have identified key stakeholders involved in each contract process  3.2
We have created a vendor selection process  3.2
We have established standards for vendor selection and due diligence  3.2
We have defined a vendor risk management policy  2.9
We have defined a vendor classification structure  2.9
We have identified existing company policies that may affect the contract process  2.9
We have obtained senior management approval of policy and risk tiers  2.8
We have defined vendor risk tier assignments  2.7
We have defined risk categories for each classification in our vendor classification structure  2.6
We have established criteria and a process for vendor exit strategies  2.5

Commentary

Key corporate stakeholders must establish thorough policies and standards for vendor risk classifications and categories that apply equally to vendor selection and ongoing vendor management. These standards allow a company to manage vendor risk uniformly across the enterprise.
Policies, Standards, Procedures Industry Results

[Chart: maturity level of components (a) through (l), broken out by Financial Services, Healthcare, Insurance and All Others; the bar values did not survive transcription.]

a  We have defined a vendor risk management policy
b  We have defined vendor risk tier assignments
c  We have obtained senior management approval of policy and risk tiers
d  We have established standards for vendor selection and due diligence
e  We have created a vendor selection process
f  We have defined a vendor classification structure
g  We have defined risk categories for each classification in our vendor classification structure
h  We have identified existing company policies that may affect the contract process
i  We have identified key stakeholders involved in each contract process
j  We have created a process for managing contracts
k  We have identified key positions involved in the contract management process
l  We have established criteria and a process for vendor exit strategies
Policies, Standards, Procedures Focus on the Financial Services Industry*

[Chart: maturity level of each component, broken out by company revenue: $500M to $1B, $1B to $5B, $5B to $10B, $10B to $20B, More than $20B; the bar values did not survive transcription.]

Vendor Risk Component
We have defined a vendor risk management policy
We have defined vendor risk tier assignments
We have obtained senior management approval of policy and risk tiers
We have established standards for vendor selection and due diligence
We have created a vendor selection process
We have defined a vendor classification structure
We have defined risk categories for each classification in our vendor classification structure
We have identified existing company policies that may affect the contract process
We have identified key stakeholders involved in each contract process
We have created a process for managing contracts
We have identified key positions involved in the contract management process
We have established criteria and a process for vendor exit strategies

* Does not include insurance companies
Contracts
Overall Level of Maturity: 3.0

Key Observations

Organizations score above average on the contracting process and on the incorporation of corporate, regulatory and IT security standards in contract language and provisions. The same holds true for having an organizational structure in place for the negotiation and approval of contracts. Organizations could use help when it comes to reviewing existing contracts, however well structured, to ensure current standards are being met. Organizations that have risk tier assignments, such as those in the financial services industry, do better in this area. More important, many organizations have yet to define or establish a process for embedding performance- and risk-based provisions in contracts, including contract review criteria and schedules consistent with these indicators.

Contracts Overall Results

Vendor Risk Component  /  Maturity Level
We have corporate-required standards for mandatory contract language/provisions  3.3
We have defined an organizational structure for vendor contract drafting, negotiation and approval  3.2
We have regulatory-required standards for mandatory contract language/provisions  3.2
We have established procedures for contract exception review and approval  3.2
We have IT/security-required standards for mandatory contract language/provisions  3.2
We have a procedure to review existing contracts for compliance with current contract standards  2.9
We have a remediation process to correct contract deficiencies  2.7
We have a process to ensure inclusion of appropriate performance-based contract provisions (SLAs, KPIs, KRIs, etc.)
We have established criteria for the contract review cycle consistent with each vendor risk classification/rating
We have a process to ensure inclusion of contract provisions consistent with each vendor risk classification/rating

Commentary

Because your contract establishes the rights and responsibilities for all aspects of your relationship with your vendor, it is critically important that it addresses all relevant aspects of that relationship. In addition, because of the changing nature of technology and the threat environment, the contract process must be able to accommodate the need for contract revisions to reflect these changes.
Contracts Industry Results

[Chart: maturity level of components (a) through (j), broken out by Financial Services, Healthcare, Insurance and All Others; the bar values did not survive transcription.]

a  We have defined an organizational structure for vendor contract drafting, negotiation and approval
b  We have established procedures for contract exception review and approval
c  We have corporate-required standards for mandatory contract language/provisions
d  We have regulatory-required standards for mandatory contract language/provisions
e  We have IT/security-required standards for mandatory contract language/provisions
f  We have a procedure to review existing contracts for compliance with current contract standards
g  We have a remediation process to correct contract deficiencies
h  We have a process to ensure inclusion of appropriate performance-based contract provisions (SLAs, KPIs, KRIs, etc.)
i  We have a process to ensure inclusion of contract provisions consistent with each vendor risk classification/rating
j  We have established criteria for the contract review cycle consistent with each vendor risk classification/rating
Contracts Focus on the Financial Services Industry*

[Chart: maturity level of each component, broken out by company revenue: $500M to $1B, $1B to $5B, $5B to $10B, $10B to $20B, More than $20B; the bar values did not survive transcription.]

Vendor Risk Component
We have defined an organizational structure for vendor contract drafting, negotiation and approval
We have established procedures for contract exception review and approval
We have corporate-required standards for mandatory contract language/provisions
We have regulatory-required standards for mandatory contract language/provisions
We have IT/security-required standards for mandatory contract language/provisions
We have a procedure to review existing contracts for compliance with current contract standards
We have a remediation process to correct contract deficiencies
We have a process to ensure inclusion of appropriate performance-based contract provisions (SLAs, KPIs, KRIs, etc.)
We have a process to ensure inclusion of contract provisions consistent with each vendor risk classification/rating
We have established criteria for the contract review cycle consistent with each vendor risk classification/rating

* Does not include insurance companies
Vendor Risk Identification and Analysis
Overall Level of Maturity: 2.7

Key Observations

Organizations have well-defined and established recordkeeping procedures and approval processes for vendors that take the needs of stakeholders in the organization into account. However, consideration of risk through risk tiering and vendor assessment based on risk criteria is still an emerging area for most companies outside the financial services sector. Envisioned but not yet established is measurable assessment of vendor performance, as well as disseminating and discussing these assessment metrics with management and other stakeholders in the organization to ensure targets for vendor performance are met.

Vendor Risk Identification and Analysis Overall Results

Vendor Risk Component  /  Maturity Level
We review vendor requirements with our business, IT, legal and purchasing colleagues  3.2
We maintain a database of current vendor information  3.1
We assess compliance with vendor contracts  3.0
We identify findings and formulate recommendations  2.9
We consistently follow our process to collect and update vendor information  2.8
We develop vendor assessment reports  2.6
We execute scheduling and coordinate assessment activities with vendors  2.6
We conduct a risk assessment for outsourcing the business function  2.6
We determine vendor assessments to be performed based on risk tiering and resources available  2.6
We perform remediation plan follow-up discussions with the vendors  2.6
We execute vendor risk tiering processes  2.6
We have reviewed the defined business requirements for outsourcing  2.6
We send our vendors our self-assessment questionnaire and document request list  2.6
We establish/revise tiering of our vendors  2.5
We establish a vendor remediation plan or termination/exit strategy (as appropriate), validating this plan with our management and the vendor  2.5
We discuss results of vendor assessments and metrics with management  2.4
We consolidate the results of vendor assessments  2.4
We calculate and distribute vendor assessment metrics  2.2

Commentary

This section includes all of the components of the vendor lifecycle, from establishing the requirements for determining whether outsourcing is appropriate to the vendor selection and assessment process and assessment/remediation reporting. Failing to include all of the necessary components in this area will result in vendor risks going undetected, with potentially devastating results.
Vendor Risk Identification and Analysis Industry Results

[Chart: maturity level of components (a) through (r), broken out by Financial Services, Healthcare, Insurance and All Others; the bar values did not survive transcription.]

a  We have reviewed the defined business requirements for outsourcing
b  We conduct a risk assessment for outsourcing the business function
c  We consistently follow our process to collect and update vendor information
d  We maintain a database of current vendor information
e  We execute vendor risk tiering processes
f  We determine vendor assessments to be performed based on risk tiering and resources available
g  We review vendor requirements with our business, IT, legal and purchasing colleagues
h  We send our vendors our self-assessment questionnaire and document request list
i  We execute scheduling and coordinate assessment activities with vendors
j  We assess compliance with vendor contracts
k  We identify findings and formulate recommendations
l  We develop vendor assessment reports
m  We establish a vendor remediation plan or termination/exit strategy (as appropriate), validating this plan with our management and the vendor
n  We establish/revise tiering of our vendors
o  We perform remediation plan follow-up discussions with the vendors
p  We consolidate the results of vendor assessments
q  We calculate and distribute vendor assessment metrics
r  We discuss results of vendor assessments and metrics with management
Vendor Risk Identification and Analysis Focus on the Financial Services Industry*

[Chart: maturity level of each component, broken out by company revenue: $500M to $1B, $1B to $5B, $5B to $10B, $10B to $20B, More than $20B; the bar values did not survive transcription.]

Vendor Risk Component
We have reviewed the defined business requirements for outsourcing
We conduct a risk assessment for outsourcing the business function
We consistently follow our process to collect and update vendor information
We maintain a database of current vendor information
We execute vendor risk tiering processes
We determine vendor assessments to be performed based on risk tiering and resources available
We review vendor requirements with our business, IT, legal and purchasing colleagues
We send our vendors our self-assessment questionnaire and document request list
We execute scheduling and coordinate assessment activities with vendors
We assess compliance with vendor contracts
We identify findings and formulate recommendations
We develop vendor assessment reports
We establish a vendor remediation plan or termination/exit strategy (as appropriate), validating this plan with our management and the vendor
We establish/revise tiering of our vendors
We perform remediation plan follow-up discussions with the vendors
We consolidate the results of vendor assessments
We calculate and distribute vendor assessment metrics
We discuss results of vendor assessments and metrics with management

* Does not include insurance companies
Skills and Expertise
Overall Level of Maturity: 2.3

Key Observations

Overall, organizations are working to develop the skills and expertise needed to manage vendor risk more cost-efficiently, but vendor risk functions are not sufficiently integrated into the business lines to fully achieve this. Vendor risk management policies and key positions bearing responsibility for vendor risk are in place, but they are not yet fully operational; training and staffing issues continue to be problematic. Budgeting for vendor risk management, including travel and training of personnel, and measuring the ROI of vendor risk management are particularly undeveloped. This holds true for nearly everyone, with the exception of healthcare organizations.

Skills and Expertise Overall Results

Vendor Risk Component  /  Maturity Level
Roles and responsibilities are defined clearly within our job descriptions  2.9
We have assigned vendor risk management accountability to an individual in our organization  2.8
We have defined and communicated vendor risk management policies to our key stakeholders  2.8
We have sufficient qualified staff to meet all vendor risk management objectives  2.5
We periodically communicate our vendor risk management policies and procedures to all personnel  2.4
We have sufficient staff to manage vendor risk management activities effectively  2.4
We train vendor risk management resources to maintain appropriate certifications  2.3
We have defined training and education for our vendor risk personnel to enable them to define, execute and manage our program
We have allocated budget for vendor risk management functions, including basic travel, subscriptions, training and small projects
We have structures in place to define and measure the staffing levels required to meet vendor risk program objectives
At least annually, we provide training on vendor risk management policies and procedures to appropriate employee groups based on role
We have integrated vendor risk management functions and tools sufficiently into our business lines so that overall costs and budget for dedicated risk management are reduced
We have implemented metrics and reporting for compliance to required training and awareness of our vendor risk policies
On an annual basis, we measure employee understanding of vendor risk management accountabilities and report results to management
We routinely measure or benchmark our vendor risk management budget with management reporting to demonstrate ROI

Commentary

This section establishes the role of vendor management within the organization, the key factors to consider in determining staffing levels, how vendor training will be executed, and budgeting considerations. Well-established roles and ongoing training for vendor risk managers are critical to a successful program.
Skills and Expertise Industry Results

[Chart: maturity level of components (a) through (o), broken out by Financial Services, Healthcare, Insurance and All Others; the bar values did not survive transcription.]

a  We have assigned vendor risk management accountability to an individual in our organization
b  Roles and responsibilities are defined clearly within our job descriptions
c  We train vendor risk management resources to maintain appropriate certifications
d  We have sufficient staff to manage vendor risk management activities effectively
e  We have structures in place to define and measure the staffing levels required to meet vendor risk program objectives
f  We have sufficient qualified staff to meet all vendor risk management objectives
g  We have defined and communicated vendor risk management policies to our key stakeholders
h  We periodically communicate our vendor risk management policies and procedures to all personnel
i  At least annually, we provide training on vendor risk management policies and procedures to appropriate employee groups based on role
j  We have defined training and education for our vendor risk personnel to enable them to define, execute and manage our program
k  On an annual basis, we measure employee understanding of vendor risk management accountabilities and report results to management
l  We have implemented metrics and reporting for compliance to required training and awareness of our vendor risk policies
m  We have allocated budget for vendor risk management functions, including basic travel, subscriptions, training and small projects
n  We routinely measure or benchmark our vendor risk management budget with management reporting to demonstrate ROI
o  We have integrated vendor risk management functions and tools sufficiently into our business lines so that overall costs and budget for dedicated risk management are reduced
Skills and Expertise Focus on the Financial Services Industry*

[Chart: maturity level of each component, broken out by company revenue: $500M to $1B, $1B to $5B, $5B to $10B, $10B to $20B, More than $20B; the bar values did not survive transcription.]

Vendor Risk Component
We have assigned vendor risk management accountability to an individual in our organization
Roles and responsibilities are defined clearly within our job descriptions
We train vendor risk management resources to maintain appropriate certifications
We have sufficient staff to manage vendor risk management activities effectively
We have structures in place to define and measure the staffing levels required to meet vendor risk program objectives
We have sufficient qualified staff to meet all vendor risk management objectives
We have defined and communicated vendor risk management policies to our key stakeholders
We periodically communicate our vendor risk management policies and procedures to all personnel
At least annually, we provide training on vendor risk management policies and procedures to appropriate employee groups based on role
We have defined training and education for our vendor risk personnel to enable them to define, execute and manage our program
On an annual basis, we measure employee understanding of vendor risk management accountabilities and report results to management
We have implemented metrics and reporting for compliance to required training and awareness of our vendor risk policies
We have allocated budget for vendor risk management functions, including basic travel, subscriptions, training and small projects
We routinely measure or benchmark our vendor risk management budget with management reporting to demonstrate ROI
We have integrated vendor risk management functions and tools sufficiently into our business lines so that overall costs and budget for dedicated risk management are reduced

* Does not include insurance companies
Communication and Information Sharing
Overall Level of Maturity: 2.6

Key Observations

Communicating and sharing information with regard to vendor risk management is a goal but not yet a fully implemented process for most of our respondents. Once again, organizations show more maturity in developing processes for communicating vendor incidents and reporting results to management, and less maturity in disseminating education and training with regard to vendor management policies and procedures. The financial services industry not only trends significantly higher on all points, but is also particularly strong in its ongoing vendor assessment and assessment results reporting, reflecting the industry's history and experience with being highly regulated.

Communication and Information Sharing Overall Results

Vendor Risk Component  /  Maturity Level
We have a process in place to escalate and communicate incidents and issues  2.8
We have a process in place to track and communicate incidents  2.7
We have a formal process in place for adoption of the program by executive management and adoption of the program as a standard practice (sourcing, procurement, contracts)  2.7
We have a process in place to report status of vendor assessments  2.6
We have a process in place to periodically evaluate vendor service delivery  2.6
We have a process in place to evaluate compliance with vendor management processes and procedures  2.6
We have a process in place to provide board and executive management response to vendor assessment results  2.5
We have a process in place to evaluate internal compliance with vendor management onboarding, periodic assessment and off-boarding  2.5
We have a process in place to manage vendor inventory  2.5
We have a process in place to periodically assess vendor value (for example, service delivery, vendor security, control environment, operations, etc.)  2.5
We have in place an ongoing education program for vendor management policies, procedures and updates  2.3

Commentary

A framework should be in place to establish the process(es) for communicating the results of vendor risk assessments to the board, senior management and key risk committees. The type and complexity of information should be carefully determined (dashboards/scorecards, etc.) to ensure executives are kept fully informed without being overwhelmed with detailed information. A well-developed process for communicating results will help assure senior management that vendors can discharge their obligations to manage vendor risks effectively.
Communication and Information Sharing: Industry Results

[Chart: maturity level by industry (Financial Services, Healthcare, Insurance, All Others) for components a through k; the bar values are not recoverable from the text extraction.]

Legend:
a. We have a formal process in place for adoption of the program by executive management and adoption of the program as a standard practice (sourcing, procurement, contracts)
b. We have in place an ongoing education program for vendor management policies, procedures and updates
c. We have a process in place to periodically assess vendor value (for example, service delivery, vendor security, control environment, operations, etc.)
d. We have a process in place to evaluate internal compliance with vendor management onboarding, periodic assessment and off-boarding
e. We have a process in place to manage vendor inventory
f. We have a process in place to report status of vendor assessments
g. We have a process in place to evaluate compliance with vendor management processes and procedures
h. We have a process in place to periodically evaluate vendor service delivery
i. We have a process in place to track and communicate incidents
j. We have a process in place to escalate and communicate incidents and issues
k. We have a process in place to provide board and executive management response to vendor assessment results
Communication and Information Sharing: Focus on the Financial Services Industry*

Revenue bands (columns): $500M to $1B | $1B to $5B | $5B to $10B | $10B to $20B | More than $20B
[Per-band maturity values are not recoverable from the text extraction; only the component rows and column headings survive.]

Vendor Risk Component
We have a formal process in place for adoption of the program by executive management and adoption of the program as a standard practice (sourcing, procurement, contracts)
We have in place an ongoing education program for vendor management policies, procedures and updates
We have a process in place to periodically assess vendor value (for example, service delivery, vendor security, control environment, operations, etc.)
We have a process in place to evaluate internal compliance with vendor management onboarding, periodic assessment and off-boarding
We have a process in place to manage vendor inventory
We have a process in place to report status of vendor assessments
We have a process in place to evaluate compliance with vendor management processes and procedures
We have a process in place to periodically evaluate vendor service delivery
We have a process in place to track and communicate incidents
We have a process in place to escalate and communicate incidents and issues
We have a process in place to provide board and executive management response to vendor assessment results

* Does not include insurance companies
Tools, Measurement and Analysis
Overall Level of Maturity: 2.4

Key Observations
The ability to benchmark, measure and report the financial viability of vendors is at the defined and established level, though not yet fully implemented and operational. Most organizations are beginning to get on track with scheduling reviews for vendor assessments and assigning resources to perform these assessments, but full implementation is not yet achieved. The financial services industry has a notable hands-on, metrics-based approach to assessing its vendors; it is also much more ROI-conscious.

Tools, Measurement and Analysis: Overall Results
Vendor Risk Component (Maturity Level)
We determine the financial viability of key vendors: 2.9
We engage finance and procurement partners: 2.6
We assign resources to accomplish reviews as scheduled: 2.5
We report financial results from our vendors to relevant stakeholders: 2.5
We establish vendor review schedules for all vendor assessments (onsite, remote, etc.): 2.4
We establish relevant financial measures and benchmarks: 2.4
We provide periodic reporting on review monitoring: 2.4
We report risk scoring results to relevant stakeholders: 2.3
We process information obtained during the vendor selection or review process into a risk scoring tool based on our risk scoring methodology: 2.3
We capture and report on vendor review costs, budget to actual, etc.: 2.1
We monitor variances between scheduled reviews and actual reviews performed: 2.1

Commentary
This section outlines the process necessary to develop and maintain an effective workflow for conducting vendor assessments, including vendor risk scoring and financial viability analysis. Developing mature components in this area is essential to manage assessment resources efficiently and deliver assessment reports in a timely manner.
Tools, Measurement and Analysis: Industry Results

[Chart: maturity level by industry (Financial Services, Healthcare, Insurance, All Others) for components a through k; the bar values are not recoverable from the text extraction.]

Legend:
a. We establish vendor review schedules for all vendor assessments (onsite, remote, etc.)
b. We assign resources to accomplish reviews as scheduled
c. We capture and report on vendor review costs, budget to actual, etc.
d. We monitor variances between scheduled reviews and actual reviews performed
e. We provide periodic reporting on review monitoring
f. We process information obtained during the vendor selection or review process into a risk scoring tool based on our risk scoring methodology
g. We report risk scoring results to relevant stakeholders
h. We engage finance and procurement partners
i. We establish relevant financial measures and benchmarks
j. We determine the financial viability of key vendors
k. We report financial results from our vendors to relevant stakeholders
Tools, Measurement and Analysis: Focus on the Financial Services Industry*

Revenue bands (columns): $500M to $1B | $1B to $5B | $5B to $10B | $10B to $20B | More than $20B
[Per-band maturity values are not recoverable from the text extraction; only the component rows and column headings survive.]

Vendor Risk Component
We establish vendor review schedules for all vendor assessments (onsite, remote, etc.)
We assign resources to accomplish reviews as scheduled
We capture and report on vendor review costs, budget to actual, etc.
We monitor variances between scheduled reviews and actual reviews performed
We provide periodic reporting on review monitoring
We process information obtained during the vendor selection or review process into a risk scoring tool based on our risk scoring methodology
We report risk scoring results to relevant stakeholders
We engage finance and procurement partners
We establish relevant financial measures and benchmarks
We determine the financial viability of key vendors
We report financial results from our vendors to relevant stakeholders

* Does not include insurance companies
Monitoring and Review
Overall Level of Maturity: 2.9

Key Observations
Most organizations have well-developed processes and involve the appropriate levels of management in the approval, modification and handling of contracts. Organizations are also more developed in their ability to inform stakeholders and respond appropriately to data breaches or other security incidents. Processes to request SLA reporting periodically, survey customers and ensure customer satisfaction are still being articulated and defined. Also developed but not fully functional are processes to conduct vendor testing, including testing via an independent third party, and processes to test vendors' business continuity and disaster recovery measures.

Monitoring and Review: Overall Results
Vendor Risk Component (Maturity Level)
We have a process in place to modify contracts and approve modifications by our legal department and an appropriate level of management: 3.5
We have a process in place to facilitate approval of final contract terms by our legal department and an appropriate level of management: 3.5
We have policies and procedures in place over the process to store, retain and make available contract terms: 3.4
We have standard contract terms in place: 3.4
We have a process in place to address expired or cancelled contracts: 3.2
We have a process in place to respond to, escalate and inform key stakeholders of relevant data security, breach or other similar incidents: 3.1
We have a process in place to review applicable audit reports periodically: 2.9
We have a process to respond to and inform key stakeholders of regulatory requirements and trends: 2.7
We have a process in place to track and analyze customer complaints: 2.7
We obtain independent assurance or third-party testing of key vendors: 2.7
We have a process in place to periodically require SLA reporting: 2.5
We have a process in place to periodically conduct vendor onsite visits and testing: 2.5
We have a process in place to test our vendors' business continuity and disaster recovery measures periodically, and review the test results: 2.5
We have a process to monitor industry and market trends that may negatively impact our vendors: 2.4
We have a process in place to periodically conduct customer satisfaction surveys: 2.3

Commentary
This section includes components for the periodic testing and evaluation of policies and processes to allow management to make well-informed decisions about how to spend resources to manage vendor risk. These components facilitate the ability to review your vendor management program to determine whether revisions need to be made due to changes in the regulatory and/or threat environment.
Monitoring and Review: Industry Results

[Chart: maturity level by industry (Financial Services, Healthcare, Insurance, All Others) for components a through o; the bar values are not recoverable from the text extraction.]

Legend:
a. We have standard contract terms in place
b. We have a process in place to facilitate approval of final contract terms by our legal department and an appropriate level of management
c. We have a process in place to modify contracts and approve modifications by our legal department, and an appropriate level of management
d. We have policies and procedures in place over the process to store, retain and make available contract terms
e. We have a process in place to address expired or cancelled contracts
f. We have a process in place to periodically require SLA reporting
g. We have a process in place to track and analyze customer complaints
h. We have a process in place to periodically conduct customer satisfaction surveys
i. We have a process in place to respond to, escalate and inform key stakeholders of relevant data security, breach or other similar incidents
j. We have a process to monitor industry and market trends that may negatively impact our vendors
k. We have a process to respond to and inform key stakeholders of regulatory requirements and trends
l. We have a process in place to review applicable audit reports periodically
m. We have a process in place to test our vendors' business continuity and disaster recovery measures periodically, and review the test results
n. We have a process in place to periodically conduct vendor onsite visits and testing
o. We obtain independent assurance or third-party testing of key vendors
Monitoring and Review: Focus on the Financial Services Industry*

Revenue bands (columns): $500M to $1B | $1B to $5B | $5B to $10B | $10B to $20B | More than $20B
[Per-band maturity values are not recoverable from the text extraction; only the component rows and column headings survive.]

Vendor Risk Component
We have standard contract terms in place
We have a process in place to facilitate approval of final contract terms by our legal department and an appropriate level of management
We have a process in place to modify contracts and approve modifications by our legal department and an appropriate level of management
We have policies and procedures in place over the process to store, retain and make available contract terms
We have a process in place to address expired or cancelled contracts
We have a process in place to periodically require SLA reporting
We have a process in place to track and analyze customer complaints
We have a process to periodically conduct customer satisfaction surveys
We have a process to respond to, escalate and inform key stakeholders of relevant data security, breach or other similar incidents
We have a process to monitor industry and market trends that may negatively impact our vendors
We have a process to respond to and inform key stakeholders of regulatory requirements and trends
We have a process in place to review applicable audit reports periodically
We have a process in place to test our vendors' business continuity and disaster recovery measures periodically, and review the test results
We have a process in place to periodically conduct vendor onsite visits and testing
We obtain independent assurance or third-party testing of key vendors

* Does not include insurance companies
Survey Demographics

Nearly 450 respondents, including C-suite executives, as well as IT, internal audit and IT audit vice presidents and directors, participated in our study. All demographic information was provided voluntarily and not all participants provided data for every demographic question.

Position
Chief Financial Officer: 2%
Chief Audit Executive: 9%
Chief Risk Officer: 2%
Chief Information Security Officer: 2%
Other C-Suite Executive: 3%
IT VP/Director: 13%
Internal Audit VP/Director: 5%
IT Audit VP/Director: 2%
IT Manager: 16%
Internal Audit Manager: 16%
IT Audit Manager: 5%
Operational Risk Management: 9%
Procurement/Purchasing/Supply Chain: 3%
Other: 13%

Industry
Financial Services: 36%
Healthcare: 9%
Government/Education/Not-for-profit: 8%
Insurance: 7%
Manufacturing: 7%
Services: 4%
Technology: 4%
Professional Services: 3%
Energy: 3%
Real Estate: 3%
Retail: 2%
Utilities: 2%
Telecommunications: 2%
Other: 10%
Size of Organization
$20 billion+: 14%
$10 billion - $19.99 billion: 11%
$5 billion - $9.99 billion: 12%
$1 billion - $4.99 billion: 24%
$500 million - $ million: 10%
$100 million - $ million: 15%
Less than $100 million: 14%

Organization Headquarters
North America: 97%
Europe: 2%
Asia/Pacific: 1%

Type of Organization
Public: 53%
Private: 28%
Not-for-profit: 12%
Government: 6%
Other: 1%
More informationMICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL
MICHIGAN OFFICE OF THE AUDITOR GENERAL AUDIT REPORT THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL The auditor general shall conduct post audits of financial transactions and accounts of the state and of all
More informationCIP Supply Chain Risk Management (RM15 14 000) Statement of Jacob S. Olcott Vice President, BitSight Technologies January 28, 2016
CIP Supply Chain Risk Management (RM15 14 000) Statement of Jacob S. Olcott Vice President, BitSight Technologies January 28, 2016 My name is Jacob Olcott and I am pleased to share some observations on
More informationStrategies for assessing cloud security
IBM Global Technology Services Thought Leadership White Paper November 2010 Strategies for assessing cloud security 2 Securing the cloud: from strategy development to ongoing assessment Executive summary
More informationINFOCUS. Five Questions to Guide Cybersecurity Risk Management BY EARL CRANE
promontory.com INFOCUS JUNE 3, 2015 BY EARL CRANE Five Questions to Guide Cybersecurity Risk Management The quick transformation of cybersecurity risk management from obscure specialty to top-of-thehouse
More informationNAREIM Session: Dangers and challenges of The Cloud. President, NiceNets Consulting, LLC
Main Types of Cloud Environments: - Public Cloud: A service built on an external platform run by a cloud service provider such as IBM, Amazon Web Services or Microsoft Azure. Subscribers can get access
More informationVendor Management Best Practices
23 rd Annual and One Day Seminar Vendor Management Best Practices Catherine Bruder CPA, CITP, CISA, CISM, CTGA Michigan Texas Florida Insight. Oversight. Foresight. SM Doeren Mayhew Bruder 1 $100 billion
More informationWhitepaper: 7 Steps to Developing a Cloud Security Plan
Whitepaper: 7 Steps to Developing a Cloud Security Plan Executive Summary: 7 Steps to Developing a Cloud Security Plan Designing and implementing an enterprise security plan can be a daunting task for
More informationOPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE
OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the specific documents requested,
More informationAnthony J. Albanese, Acting Superintendent of Financial Services. Financial and Banking Information Infrastructure Committee (FBIIC) Members:
Andrew M. Cuomo Governor Anthony J. Albanese Acting Superintendent FROM: TO: Anthony J. Albanese, Acting Superintendent of Financial Services Financial and Banking Information Infrastructure Committee
More informationApril 8, 2013. Ms. Diane Honeycutt National Institute of Standards and Technology 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899
Salt River Project P.O. Box 52025 Mail Stop: CUN204 Phoenix, AZ 85072 2025 Phone: (602) 236 6011 Fax: (602) 629 7988 James.Costello@srpnet.com James J. Costello Director, Enterprise IT Security April 8,
More informationA Privacy Officer s Guide to Providing Enterprise De-Identification Services. Phase I
IT Management Advisory A Privacy Officer s Guide to Providing Enterprise De-Identification Services Ki Consulting has helped several large healthcare organizations to establish de-identification services
More informationInformation Security Program CHARTER
State of Louisiana Information Security Program CHARTER Date Published: 12, 09, 2015 Contents Executive Sponsors... 3 Program Owner... 3 Introduction... 4 Statewide Information Security Strategy... 4 Information
More informationHuman Resource Services PO Box 115009 Classification and Compensation Gainesville, FL 32611-5009 352-392-2477 352-846-3058 Fax
Human Resource Services PO Box 115009 Classification and Compensation Gainesville, FL 32611-5009 352-392-2477 352-846-3058 Fax UFIT Classification Specifications Revised March 20, 2014 Job Title: IT Senior
More informationFrom Vision to Implementation: Integrated Strategic Planning
A three-page excerpt from our 18-page Best Practice Guidebook: From Vision to Implementation: Integrated Strategic Planning 1 Best Practice Guidebook From Vision to Implementation: Integrated Strategic
More informationBy: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015
Community Bank Auditors Group Cybersecurity What you need to do now June 9, 2015 By: Gerald Gagne MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2015 Wolf & Company, P.C. Cybersecurity
More informationPRIVACY OF CONSUMERS' FINANCIAL INFORMATION PART 12 501(b) AND BANK MANAGEMENT
PRIVACY OF CONSUMERS' FINANCIAL INFORMATION PART 12 501(b) AND BANK MANAGEMENT RESOURCES PROVIDED THROUGH APRIL 2001 Slides Narration In the last presentation, you learned about some of the general responsibilities
More informationFINANCIAL INSTITUTIONS: MANAGING OPERATIONAL RISK WITH RSA ARCHER
FINANCIAL INSTITUTIONS: MANAGING OPERATIONAL RISK WITH RSA ARCHER As a board-level discussion topic at all financial institutions (FI) today, operational risk is real and public disclosure of significant
More informationPROTIVITI FLASH REPORT
PROTIVITI FLASH REPORT Cybersecurity Framework: Where Do We Go From Here? February 25, 2014 Just over a year ago, President Barack Obama signed an Executive Order (EO) calling for increased cybersecurity
More informationOutsourcing Technology Services A Management Decision
Outsourcing Technology Services A Management Decision A Telephone Seminar for National Banks Tuesday, July 20, 2004 And again on Wednesday, July 21, 2004 Agenda Outsourcing activities and relationships
More informationCyber Security Auditing for Credit Unions. ACUIA Fall Meeting October 7-9, 2015
Cyber Security Auditing for Credit Unions ACUIA Fall Meeting October 7-9, 2015 Topics Introduction Cyber Security Auditing Program Discuss an effective and compliant Cyber Security Auditing Program from
More informationIT Governance Regulatory. P.K.Patel AGM, MoF
IT Governance Regulatory Perspective P.K.Patel AGM, MoF Agenda What is IT Governance? Aspects of IT Governance What banks should consider before implementing these aspects? What banks should do for implementation
More informationWhy you should adopt the NIST Cybersecurity Framework
www.pwc.com/cybersecurity Why you should adopt the NIST Cybersecurity Framework May 2014 The National Institute of Standards and Technology Cybersecurity Framework may be voluntary, but it offers potential
More informationThird Party Security Guidelines. e-governance
for e-governance Draft DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India. Document Control S/L Type of Information Document
More informationDigital Asset Manager, Digital Curator. Cultural Informatics, Cultural/ Art ICT Manager
Role title Digital Cultural Asset Manager Also known as Relevant professions Summary statement Mission Digital Asset Manager, Digital Curator Cultural Informatics, Cultural/ Art ICT Manager Deals with
More informationGOVERNANCE DEFINED. Governance is the practice of making enterprise-wide decisions regarding an organization s informational assets and artifacts
GOVERNANCE DEFINED Governance is the practice of making enterprise-wide decisions regarding an organization s informational assets and artifacts Governance over the use of technology assets can be seen
More informationOCC 98-3 OCC BULLETIN
To: Chief Executive Officers and Chief Information Officers of all National Banks, General Managers of Federal Branches and Agencies, Deputy Comptrollers, Department and Division Heads, and Examining Personnel
More informationRISK MANAGEMENT PROGRAM THAT WORKS FOUR KEYS TO CREATING A VENDOR. HEADQUARTERS 33 Bradford Street Concord, MA 01742 PHONE: 978-451-7655
FOUR KEYS TO CREATING A VENDOR RISK MANAGEMENT PROGRAM THAT WORKS HEADQUARTERS 33 Bradford Street Concord, MA 01742 PHONE: 978-451-7655 FOUR KEYS TO CREATING A VENDOR RISK MANAGEMENT PROGRAM THAT WORKS
More informationU.S. Department of Energy Office of Inspector General Office of Audits & Inspections. Evaluation Report
U.S. Department of Energy Office of Inspector General Office of Audits & Inspections Evaluation Report The Department's Unclassified Cyber Security Program - 2012 DOE/IG-0877 November 2012 MEMORANDUM FOR
More informationCustomer Success Story. Central Logic. Comprehensive SRA helps healthcare software provider safeguard its customer s PHI and ensure HIPAA compliance.
Customer Success Story Central Logic Comprehensive SRA helps healthcare software provider safeguard its customer s PHI and ensure HIPAA compliance. Page 2 of 6 Central Logic Comprehensive SRA helps healthcare
More informationDATASHEET CONTROL COMPLIANCE SUITE VENDOR RISK MANAGER 11.1
DATASHEET CONTROL COMPLIANCE SUITE VENDOR RISK MANAGER 11.1 Continuously Assess, Monitor, & Secure Your Information Supply Chain and Data Center Data Sheet: Security Management Is your organization able
More informationDevelopment, Acquisition, Implementation, and Maintenance of Application Systems
Development, Acquisition, Implementation, and Maintenance of Application Systems Part of a series of notes to help Centers review their own Center internal management processes from the point of view of
More informationFive Approaches to Managing Third-Party Risk
Five Approaches to Managing Third-Party Risk by Lou Payeur, CG Risk & Regulatory Practice Lead Financial institutions are operating at record levels. And while the mix of business and profits may be different
More information