2014 Vendor Risk Management Benchmark Study




Introduction/Executive Summary

"You can have all the security in the world inside your company's four walls, but all it takes is a compromise at one third-party vendor that's connected to you. This creates a bridge directly into your organization."
Rocco Grillo, Protiviti Managing Director and Shared Assessments Program Steering Committee Member

As the volume of outsourced products and services has surged in recent years, so, too, have the risks associated with vendors and third-party providers. This is occurring in highly regulated industries such as financial services and healthcare, in media and retail, as seen in recent news, and in any organization that relies on third-party vendors to manage operations and processes. These vendors include not just data management, IT and security providers, but also facilities management (cleaning, HVAC), along with any vendor that may have access to your network, data or facilities.

The list of standards and regulations with third-party risk implications is long: Consumer Financial Protection Bureau (CFPB) regulations, ISO 27001/2, the PCI Security Standards Council's data security standards, Office of the Comptroller of the Currency (OCC) Third-Party Risk Guidance, and NIST's Cybersecurity Framework. The urgency to address this risk is further driven home by recent massive and highly publicized security breaches at several large companies, and the resulting public and regulatory scrutiny of the way personal data is managed in a global IT environment.

Despite this, for most organizations, understanding vendor risk and how to manage it appropriately has thus far been more art than science. This is changing in part with the development of the first comprehensive Vendor Risk Management Maturity Model (VRMMM) by the Shared Assessments Program, a consortium of leading financial institutions, Big Four accounting firms and key service providers dedicated to helping organizations understand and manage vendor risk effectively. The VRMMM sets forth best practices for developing a comprehensive third-party risk program and allows a company to evaluate its program's maturity against development goals. The Shared Assessments Program recently partnered with Protiviti, a global consulting firm, to conduct a third-party risk management benchmarking study based on this maturity model.

Vendor Risk Management Overall Maturity by Area
Maturity Level | Category
2.9 | Program Governance
2.9 | Policies, Standards, Procedures
3.0 | Contracts
2.7 | Vendor Risk Identification and Analysis
2.3 | Skills and Expertise
2.6 | Communication and Information Sharing
2.4 | Tools, Measurement and Analysis
    | Monitoring and Review

Vendor Risk Management Benchmark Study 1

"If you're outsourcing to or relying on a third party, you can't just shut the door and say it's someone else's problem. You can outsource the function but you ultimately own the risk. If a third party doesn't have the same controls in place or the level of controls you need from a risk management standpoint, you have a serious risk to address."
Brad Keller, Senior Vice President & Program Director, The Santa Fe Group (which manages the Shared Assessments Program)

The study revealed some interesting trends:

Financial services organizations tend to have relatively mature vendor risk management programs compared to other companies. This is not a surprise given the highly regulated nature of the financial services industry.

Organizations in the insurance subset are at a lower level of maturity in their vendor risk management compared to the financial services set. This finding is a surprise given that the insurance industry also is highly regulated. The results suggest there is substantial room for growth among insurance organizations.

Notable areas for improvement include program governance, and policies, standards and procedures. While there is no standard, one-size-fits-all approach to vendor risk management, given the nuanced differences between industries and organizations, having mature program governance capabilities, as well as established policies, standards and procedures for vendor risk management, is considered a fundamental step. These two areas should serve as the foundation for establishing effective vendor risk management practices in other areas. Yet the survey results show that most organizations are no more advanced in these critical areas than they are in other components of vendor risk management.

Methodology

The Vendor Risk Management Survey was conducted by the Shared Assessments Program and Protiviti in the fourth quarter of 2013 and first quarter of. Using governance as the foundational element, this survey is designed to review the components of a comprehensive vendor risk management program. Close to 450 respondents were presented with different components of vendor risk under eight categories related to vendor risk management:

Program Governance
Policies, Standards, Procedures
Contracts
Vendor Risk Identification and Analysis
Skills and Expertise
Communication and Information Sharing
Tools, Measurement and Analysis
Monitoring and Review

For each component, respondents were asked to rate its maturity level as it applies to their organization, according to the following scale:

1 = Initial visioning
2 = Determine roadmap to achieve goals
3 = Fully defined and established
4 = Fully implemented and operational
5 = Continuous improvement benchmarking, moving to best practices
0 = Do not perform

Program Governance
Overall Level of Maturity: 2.9

Key Observations
Organizations have a higher level of maturity around articulating goals and objectives and ensuring vendor management projects are aligned with those objectives in terms of risk management, security and privacy, among other areas. However, organizations are not allocating enough resources to ensure these key risk and performance targets are met. A higher level of maturity is also needed in communicating the importance of risk-based vendor management to the organization and in using key risk and performance metrics to inform vendor risk policy.

Program Governance Overall Results
Maturity Level | Vendor Risk Component
3.3 | We articulate the goals and objectives of our organization
3.1 | We define vendor management policies that include risk management, security, privacy and other areas that are in alignment with our existing organizational policies and objectives
3.1 | We define organizational structures that establish responsibility and accountability for overseeing our vendor relationships
2.8 | We revise corporate vendor risk policy as needed to achieve strategic objectives
2.8 | We define risk monitoring practices and establish an escalation process for exception conditions
2.8 | We communicate to our organization the requirements for risk-based vendor management
2.8 | We determine the business value expected from our outsourced business relationships, we understand the acceptable range of business risks our organization is willing to assume in pursuing these benefits, and we determine that risks are in alignment with our vendor risk policy
2.8 | We align specific vendor management objectives with our strategic organizational objectives
2.7 | We evaluate key risk and performance indicators provided in management and board reporting
2.7 | We allocate sufficient resources for vendor risk management activities

Commentary
Governance serves as the foundational element of every risk program. Because it provides support for every other element of the program, it is essential that a strong and comprehensive governance structure is in place as part of any vendor risk management program.

Program Governance: Industry Results
[Chart: maturity level by industry (Financial Services, Healthcare, Insurance, All Others) for each of the ten program governance components (a to j) listed in the overall results table above.]

Program Governance: Focus on the Financial Services Industry (does not include insurance companies)
[Chart: maturity level for each program governance component by company revenue band: $500M to $1B, $1B to $5B, $5B to $10B, $10B to $20B, more than $20B.]

Policies, Standards, Procedures
Overall Level of Maturity: 2.9

Key Observations
All organizations demonstrate a fair amount of maturity in their vendor selection and contract management processes, including due diligence processes and key personnel assignments. Most organizations have room to grow when it comes to assigning risk to vendors as part of the vendor selection and review processes and integrating this vendor-related risk into the organization's overall risk strategy. Organizations are also lacking in involving senior management in both the approval of vendor policy and risk tiers. There is a notable difference between financial services organizations and other companies when it comes to risk policy, risk assignment and the selection of vendors based on these criteria. The financial services industry is much more risk-conscious, and senior management is more involved in the risk assignment process. One area of concern is the lower maturity around vendor exit criteria and process, pointing to potential weaknesses or inconsistencies in performing periodic vendor reviews and risk (re)assignments.

Policies, Standards, Procedures Overall Results
Maturity Level | Vendor Risk Component
3.2 | We have identified key positions involved in the contract management process
3.2 | We have created a process for managing contracts
3.2 | We have identified key stakeholders involved in each contract process
3.2 | We have created a vendor selection process
3.2 | We have established standards for vendor selection and due diligence
2.9 | We have defined a vendor risk management policy
2.9 | We have defined a vendor classification structure
2.9 | We have identified existing company policies that may affect the contract process
2.8 | We have obtained senior management approval of policy and risk tiers
2.7 | We have defined vendor risk tier assignments
2.6 | We have defined risk categories for each classification in our vendor classification structure
2.5 | We have established criteria and a process for vendor exit strategies

Commentary
Key corporate stakeholders must establish thorough policies and standards for vendor risk classifications and categories that apply equally to vendor selection and ongoing vendor management. These standards allow a company to manage vendor risk uniformly across the enterprise.

Policies, Standards, Procedures: Industry Results
[Chart: maturity level by industry (Financial Services, Healthcare, Insurance, All Others) for each of the twelve policies, standards and procedures components (a to l) listed in the overall results table above.]

Policies, Standards, Procedures: Focus on the Financial Services Industry (does not include insurance companies)
[Chart: maturity level for each policies, standards and procedures component by company revenue band: $500M to $1B, $1B to $5B, $5B to $10B, $10B to $20B, more than $20B.]

Contracts
Overall Level of Maturity: 3.0

Key Observations
Organizations score above average with the contracting process and the incorporation of corporate, regulatory and IT security standards in the contract language and provisions. The same holds true for having an organizational structure in place involved in the negotiation and approval of contracts. Organizations can use help when it comes to reviewing existing contracts, however well structured, to ensure current standards are being met. Organizations that have risk tier assignments, such as those in the financial services industry, do better in this area. More important, many organizations have yet to define or establish a process for embedding performance- and risk-based provisions in contracts, including contract review criteria and schedules consistent with these indicators.

Contracts Overall Results
Maturity Level | Vendor Risk Component
3.3 | We have corporate-required standards for mandatory contract language/provisions
3.2 | We have defined an organizational structure for vendor contract drafting, negotiation and approval
3.2 | We have regulatory-required standards for mandatory contract language/provisions
3.2 | We have established procedures for contract exception review and approval
3.2 | We have IT/security-required standards for mandatory contract language/provisions
2.9 | We have a procedure to review existing contracts for compliance with current contract standards
2.7 | We have a remediation process to correct contract deficiencies
    | We have a process to ensure inclusion of appropriate performance-based contract provisions (SLAs, KPIs, KRIs, etc.)
    | We have established criteria for the contract review cycle consistent with each vendor risk classification/rating
    | We have a process to ensure inclusion of contract provisions consistent with each vendor risk classification/rating

Commentary
Because your contract establishes the rights and responsibilities for all aspects of your relationship with your vendor, it is critically important that it addresses all relevant aspects of that relationship. In addition, because of the changing nature of technology and the threat environment, the contract process must be able to accommodate the need for contract revisions to reflect these changes.

Contracts: Industry Results
[Chart: maturity level by industry (Financial Services, Healthcare, Insurance, All Others) for each of the ten contracts components (a to j) listed in the overall results table above.]

Contracts: Focus on the Financial Services Industry (does not include insurance companies)
[Chart: maturity level for each contracts component by company revenue band: $500M to $1B, $1B to $5B, $5B to $10B, $10B to $20B, more than $20B.]

Vendor Risk Identification and Analysis
Overall Level of Maturity: 2.7

Key Observations
Organizations have well-defined and established recordkeeping procedures and approval processes for vendors that take the needs of stakeholders in the organization into account. However, consideration of risk through risk tiering and vendor assessment based on risk criteria is still an emerging area for most companies outside the financial services sector. Envisioned but not yet established is measurable assessment of vendor performance, as well as disseminating and discussing these assessment metrics with management and other stakeholders in the organization to ensure targets for vendor performance are met.

Vendor Risk Identification and Analysis Overall Results
Maturity Level | Vendor Risk Component
3.2 | We review vendor requirements with our business, IT, legal and purchasing colleagues
3.1 | We maintain a database of current vendor information
3.0 | We assess compliance with vendor contracts
2.9 | We identify findings and formulate recommendations
2.8 | We consistently follow our process to collect and update vendor information
2.6 | We develop vendor assessment reports
2.6 | We execute scheduling and coordinate assessment activities with vendors
2.6 | We conduct a risk assessment for outsourcing the business function
2.6 | We determine vendor assessments to be performed based on risk tiering and resources available
2.6 | We perform remediation plan follow-up discussions with the vendors
2.6 | We execute vendor risk tiering processes
2.6 | We have reviewed the defined business requirements for outsourcing
2.6 | We send our vendors our self-assessment questionnaire and document request list
2.5 | We establish/revise tiering of our vendors
2.5 | We establish a vendor remediation plan or termination/exit strategy (as appropriate), validating this plan with our management and the vendor
2.4 | We discuss results of vendor assessments and metrics with management
2.4 | We consolidate the results of vendor assessments
2.2 | We calculate and distribute vendor assessment metrics

Commentary
This section includes all of the components of the vendor lifecycle, from establishing the requirements for determining whether outsourcing is appropriate to the vendor selection and assessment process and assessment/remediation reporting. Failing to include all of the necessary components in this area will result in vendor risks going undetected, with potentially devastating results.

Vendor Risk Identification and Analysis: Industry Results
[Chart: maturity level by industry (Financial Services, Healthcare, Insurance, All Others) for each of the eighteen vendor risk identification and analysis components (a to r) listed in the overall results table above.]

Vendor Risk Identification and Analysis: Focus on the Financial Services Industry (does not include insurance companies)
[Chart: maturity level for each vendor risk identification and analysis component by company revenue band: $500M to $1B, $1B to $5B, $5B to $10B, $10B to $20B, more than $20B.]

Skills and Expertise
Overall Level of Maturity: 2.3

Key Observations
Overall, organizations are working to develop the skills and expertise needed to manage vendor risk more cost-efficiently, but vendor risk functions are not sufficiently integrated into the business lines to fully achieve this. Vendor risk management policies and key positions bearing responsibility for vendor risk are in place, but they are not yet fully operational; training and staffing issues continue to be problematic. Budgeting for vendor risk management, including travel and training of personnel, and measuring of ROI for vendor risk management are particularly undeveloped. This holds true for nearly everyone, with the exception of healthcare organizations.

Skills and Expertise Overall Results
Maturity Level | Vendor Risk Component
2.9 | Roles and responsibilities are defined clearly within our job descriptions
2.8 | We have assigned vendor risk management accountability to an individual in our organization
2.8 | We have defined and communicated vendor risk management policies to our key stakeholders
2.5 | We have sufficient qualified staff to meet all vendor risk management objectives
2.4 | We periodically communicate our vendor risk management policies and procedures to all personnel
2.4 | We have sufficient staff to manage vendor risk management activities effectively
2.3 | We train vendor risk management resources to maintain appropriate certifications
    | We have defined training and education for our vendor risk personnel to enable them to define, execute and manage our program
    | We have allocated budget for vendor risk management functions, including basic travel, subscriptions, training and small projects
    | We have structures in place to define and measure the staffing levels required to meet vendor risk program objectives
    | At least annually, we provide training on vendor risk management policies and procedures to appropriate employee groups based on role
    | We have integrated vendor risk management functions and tools sufficiently into our business lines so that overall costs and budget for dedicated risk management are reduced
    | We have implemented metrics and reporting for compliance to required training and awareness of our vendor risk policies
    | On an annual basis, we measure employee understanding of vendor risk management accountabilities and report results to management
    | We routinely measure or benchmark our vendor risk management budget with management reporting to demonstrate ROI

Commentary
This section establishes the role of vendor management within the organization, the key factors to consider to determine staffing levels, how vendor training will be executed, and budgeting considerations. Well-established roles and ongoing training for vendor risk managers are critical to a successful program.

Skills and Expertise: Industry Results
[Chart: maturity level by industry (Financial Services, Healthcare, Insurance, All Others) for each of the fifteen skills and expertise components (a to o) listed in the overall results table above.]

Skills and Expertise: Focus on the Financial Services Industry (does not include insurance companies)
[Chart: maturity level for each skills and expertise component by company revenue band: $500M to $1B, $1B to $5B, $5B to $10B, $10B to $20B, more than $20B.]

Communication and Information Sharing
Overall Level of Maturity: 2.6

Key Observations
Communicating and sharing information with regard to vendor risk management is a goal but not yet a fully implemented process for most of our respondents. Once again, organizations show more maturity in developing processes for communicating vendor incidents and reporting results to management, and less maturity in disseminating education and training with regard to vendor management policies and procedures. The financial services industry not only trends significantly higher on all points, but is also particularly strong in its ongoing vendor assessment and assessment results reporting, reflecting the industry's history and experience with being highly regulated.

Communication and Information Sharing Overall Results
Maturity Level | Vendor Risk Component
2.8 | We have a process in place to escalate and communicate incidents and issues
2.7 | We have a process in place to track and communicate incidents
2.7 | We have a formal process in place for adoption of the program by executive management and adoption of the program as a standard practice (sourcing, procurement, contracts)
2.6 | We have a process in place to report status of vendor assessments
2.6 | We have a process in place to periodically evaluate vendor service delivery
2.6 | We have a process in place to evaluate compliance with vendor management processes and procedures
2.5 | We have a process in place to provide board and executive management response to vendor assessment results
2.5 | We have a process in place to evaluate internal compliance with vendor management onboarding, periodic assessment and off-boarding
2.5 | We have a process in place to manage vendor inventory
2.5 | We have a process in place to periodically assess vendor value (for example, service delivery, vendor security, control environment, operations, etc.)
2.3 | We have in place an ongoing education program for vendor management policies, procedures and updates

Commentary
A framework should be in place to establish the process(es) for communicating the results of vendor risk assessments to the board, senior management and key risk committees. The type and complexity of information should be carefully determined (dashboards/scorecards, etc.) to ensure executives are kept fully informed without being overwhelmed with detailed information. A well-developed process for communicating results will help assure senior management that vendors can discharge their obligations to manage vendor risks effectively.

Communication and Information Sharing: Industry Results

[Figure: results by industry (Financial Services, Healthcare, Insurance, All Others) for components a through k; only the component labels are recoverable from the transcription.]

a. We have a formal process in place for adoption of the program by executive management and adoption of the program as a standard practice (sourcing, procurement, contracts)
b. We have in place an ongoing education program for vendor management policies, procedures and updates
c. We have a process in place to periodically assess vendor value (for example, service delivery, vendor security, control environment, operations, etc.)
d. We have a process in place to evaluate internal compliance with vendor management onboarding, periodic assessment and off-boarding
e. We have a process in place to manage vendor inventory
f. We have a process in place to report status of vendor assessments
g. We have a process in place to evaluate compliance with vendor management processes and procedures
h. We have a process in place to periodically evaluate vendor service delivery
i. We have a process in place to track and communicate incidents
j. We have a process in place to escalate and communicate incidents and issues
k. We have a process in place to provide board and executive management response to vendor assessment results

Communication and Information Sharing: Focus on the Financial Services Industry*

[Figure: financial services results by organization size ($500M to $1B, $1B to $5B, $5B to $10B, $10B to $20B, More than $20B); only the component labels are recoverable from the transcription.]

Vendor Risk Components charted:
We have a formal process in place for adoption of the program by executive management and adoption of the program as a standard practice (sourcing, procurement, contracts)
We have in place an ongoing education program for vendor management policies, procedures and updates
We have a process in place to periodically assess vendor value (for example, service delivery, vendor security, control environment, operations, etc.)
We have a process in place to evaluate internal compliance with vendor management onboarding, periodic assessment and off-boarding
We have a process in place to manage vendor inventory
We have a process in place to report status of vendor assessments
We have a process in place to evaluate compliance with vendor management processes and procedures
We have a process in place to periodically evaluate vendor service delivery
We have a process in place to track and communicate incidents
We have a process in place to escalate and communicate incidents and issues
We have a process in place to provide board and executive management response to vendor assessment results

* Does not include insurance companies

Tools, Measurement and Analysis

Overall Level of Maturity: 2.4

Key Observations
The ability to benchmark, measure and report the financial viability of vendors is at the defined and established level, though not yet fully implemented and operational. Most organizations are beginning to get on track with scheduling reviews for vendor assessments and assigning resources to perform these assessments, but full implementation is not yet achieved. The financial services industry has a notable hands-on, metrics-based approach to assessing its vendors; it is also much more ROI-conscious.

Tools, Measurement and Analysis: Overall Results

Maturity Level  Vendor Risk Component
2.9  We determine the financial viability of key vendors
2.6  We engage finance and procurement partners
2.5  We assign resources to accomplish reviews as scheduled
2.5  We report financial results from our vendors to relevant stakeholders
2.4  We establish vendor review schedules for all vendor assessments (onsite, remote, etc.)
2.4  We establish relevant financial measures and benchmarks
2.4  We provide periodic reporting on review monitoring
2.3  We report risk scoring results to relevant stakeholders
2.3  We process information obtained during the vendor selection or review process into a risk scoring tool based on our risk scoring methodology
2.1  We capture and report on vendor review costs, budget to actual, etc.
2.1  We monitor variances between scheduled reviews and actual reviews performed

Commentary
This section outlines the process necessary to develop and maintain an effective workflow for conducting vendor assessments, including vendor risk scoring and financial viability analysis. Developing mature components in this area is essential to manage assessment resources efficiently and deliver assessment reports in a timely manner.

Tools, Measurement and Analysis: Industry Results

[Figure: results by industry (Financial Services, Healthcare, Insurance, All Others) for components a through k; only the component labels are recoverable from the transcription.]

a. We establish vendor review schedules for all vendor assessments (onsite, remote, etc.)
b. We assign resources to accomplish reviews as scheduled
c. We capture and report on vendor review costs, budget to actual, etc.
d. We monitor variances between scheduled reviews and actual reviews performed
e. We provide periodic reporting on review monitoring
f. We process information obtained during the vendor selection or review process into a risk scoring tool based on our risk scoring methodology
g. We report risk scoring results to relevant stakeholders
h. We engage finance and procurement partners
i. We establish relevant financial measures and benchmarks
j. We determine the financial viability of key vendors
k. We report financial results from our vendors to relevant stakeholders

Tools, Measurement and Analysis: Focus on the Financial Services Industry*

[Figure: financial services results by organization size ($500M to $1B, $1B to $5B, $5B to $10B, $10B to $20B, More than $20B); only the component labels are recoverable from the transcription.]

Vendor Risk Components charted:
We establish vendor review schedules for all vendor assessments (onsite, remote, etc.)
We assign resources to accomplish reviews as scheduled
We capture and report on vendor review costs, budget to actual, etc.
We monitor variances between scheduled reviews and actual reviews performed
We provide periodic reporting on review monitoring
We process information obtained during the vendor selection or review process into a risk scoring tool based on our risk scoring methodology
We report risk scoring results to relevant stakeholders
We engage finance and procurement partners
We establish relevant financial measures and benchmarks
We determine the financial viability of key vendors
We report financial results from our vendors to relevant stakeholders

* Does not include insurance companies

Monitoring and Review

Overall Level of Maturity: 2.9

Key Observations
Most organizations have well-developed processes and involve the appropriate levels of management in the approval, modification and handling of contracts. Organizations are also more developed in their ability to inform stakeholders and respond appropriately to data breaches or other security incidents. Processes to request SLA reporting periodically, survey customers and ensure customer satisfaction are still being articulated and defined. Also developed but not fully functional are processes to conduct vendor testing, including testing via an independent third party, and processes to test vendors' business continuity and disaster recovery measures.

Monitoring and Review: Overall Results

Maturity Level  Vendor Risk Component
3.5  We have a process in place to modify contracts and approve modifications by our legal department and an appropriate level of management
3.5  We have a process in place to facilitate approval of final contract terms by our legal department and an appropriate level of management
3.4  We have policies and procedures in place over the process to store, retain and make available contract terms
3.4  We have standard contract terms in place
3.2  We have a process in place to address expired or cancelled contracts
3.1  We have a process in place to respond to, escalate and inform key stakeholders of relevant data security, breach or other similar incidents
2.9  We have a process in place to review applicable audit reports periodically
2.7  We have a process to respond to and inform key stakeholders of regulatory requirements and trends
2.7  We have a process in place to track and analyze customer complaints
2.7  We obtain independent assurance or third-party testing of key vendors
2.5  We have a process in place to periodically require SLA reporting
2.5  We have a process in place to periodically conduct vendor onsite visits and testing
2.5  We have a process in place to test our vendors' business continuity and disaster recovery measures periodically, and review the test results
2.4  We have a process to monitor industry and market trends that may negatively impact our vendors
2.3  We have a process in place to periodically conduct customer satisfaction surveys

Commentary
This section includes components for the periodic testing and evaluation of policies and processes to allow management to make well-informed decisions about how to spend resources to manage vendor risk. These components facilitate the ability to review your vendor management program to determine whether revisions need to be made due to changes in the regulatory and/or threat environment.

Monitoring and Review: Industry Results

[Figure: results by industry (Financial Services, Healthcare, Insurance, All Others) for components a through o; only the component labels are recoverable from the transcription.]

a. We have standard contract terms in place
b. We have a process in place to facilitate approval of final contract terms by our legal department and an appropriate level of management
c. We have a process in place to modify contracts and approve modifications by our legal department, and an appropriate level of management
d. We have policies and procedures in place over the process to store, retain and make available contract terms
e. We have a process in place to address expired or cancelled contracts
f. We have a process in place to periodically require SLA reporting
g. We have a process in place to track and analyze customer complaints
h. We have a process in place to periodically conduct customer satisfaction surveys
i. We have a process in place to respond to, escalate and inform key stakeholders of relevant data security, breach or other similar incidents
j. We have a process to monitor industry and market trends that may negatively impact our vendors
k. We have a process to respond to and inform key stakeholders of regulatory requirements and trends
l. We have a process in place to review applicable audit reports periodically
m. We have a process in place to test our vendors' business continuity and disaster recovery measures periodically, and review the test results
n. We have a process in place to periodically conduct vendor onsite visits and testing
o. We obtain independent assurance or third-party testing of key vendors

Monitoring and Review: Focus on the Financial Services Industry*

[Figure: financial services results by organization size ($500M to $1B, $1B to $5B, $5B to $10B, $10B to $20B, More than $20B); only the component labels are recoverable from the transcription.]

Vendor Risk Components charted:
We have standard contract terms in place
We have a process in place to facilitate approval of final contract terms by our legal department and an appropriate level of management
We have a process in place to modify contracts and approve modifications by our legal department and an appropriate level of management
We have policies and procedures in place over the process to store, retain and make available contract terms
We have a process in place to address expired or cancelled contracts
We have a process in place to periodically require SLA reporting
We have a process in place to track and analyze customer complaints
We have a process to periodically conduct customer satisfaction surveys
We have a process to respond to, escalate and inform key stakeholders of relevant data security, breach or other similar incidents
We have a process to monitor industry and market trends that may negatively impact our vendors
We have a process to respond to and inform key stakeholders of regulatory requirements and trends
We have a process in place to review applicable audit reports periodically
We have a process in place to test our vendors' business continuity and disaster recovery measures periodically, and review the test results
We have a process in place to periodically conduct vendor onsite visits and testing
We obtain independent assurance or third-party testing of key vendors

* Does not include insurance companies

Survey Demographics

Nearly 450 respondents, including C-suite executives, as well as IT, internal audit and IT audit vice presidents and directors, participated in our study. All demographic information was provided voluntarily and not all participants provided data for every demographic question.

Position
Chief Financial Officer 2%
Chief Audit Executive 9%
Chief Risk Officer 2%
Chief Information Security Officer 2%
Other C-Suite Executive 3%
IT VP/Director 13%
Internal Audit VP/Director 5%
IT Audit VP/Director 2%
IT Manager 16%
Internal Audit Manager 16%
IT Audit Manager 5%
Operational Risk Management 9%
Procurement/Purchasing/Supply Chain 3%
Other 13%

Industry
Financial Services 36%
Healthcare 9%
Government/Education/Not-for-profit 8%
Insurance 7%
Manufacturing 7%
Services 4%
Technology 4%
Professional Services 3%
Energy 3%
Real Estate 3%
Retail 2%
Utilities 2%
Telecommunications 2%
Other 10%

Size of Organization
$20 billion+ 14%
$10 billion - $19.99 billion 11%
$5 billion - $9.99 billion 12%
$1 billion - $4.99 billion 24%
$500 million - $ million 10%
$100 million - $ million 15%
Less than $100 million 14%

Organization Headquarters
North America 97%
Europe 2%
Asia/Pacific 1%

Type of Organization
Public 53%
Private 28%
Not-for-profit 12%
Government 6%
Other 1%


More information

Credit Union Liability with Third-Party Processors

Credit Union Liability with Third-Party Processors World Council of Credit Unions Annual Conference Credit Union Liability with Third-Party Processors Andrew (Andy) Poprawa CEO, Deposit Insurance Corporation of Ontario Canada 1 Credit Union Liability with

More information

Cyber Security Auditing for Credit Unions. ACUIA Fall Meeting October 7-9, 2015

Cyber Security Auditing for Credit Unions. ACUIA Fall Meeting October 7-9, 2015 Cyber Security Auditing for Credit Unions ACUIA Fall Meeting October 7-9, 2015 Topics Introduction Cyber Security Auditing Program Discuss an effective and compliant Cyber Security Auditing Program from

More information

The PNC Financial Services Group, Inc. Business Continuity Program

The PNC Financial Services Group, Inc. Business Continuity Program The PNC Financial Services Group, Inc. Business Continuity Program 1 Content Overview A. Introduction Page 3 B. Governance Model Page 4 C. Program Components Page 4 Business Impact Analysis (BIA) Page

More information

IT Governance Regulatory. P.K.Patel AGM, MoF

IT Governance Regulatory. P.K.Patel AGM, MoF IT Governance Regulatory Perspective P.K.Patel AGM, MoF Agenda What is IT Governance? Aspects of IT Governance What banks should consider before implementing these aspects? What banks should do for implementation

More information

Anthony J. Albanese, Acting Superintendent of Financial Services. Financial and Banking Information Infrastructure Committee (FBIIC) Members:

Anthony J. Albanese, Acting Superintendent of Financial Services. Financial and Banking Information Infrastructure Committee (FBIIC) Members: Andrew M. Cuomo Governor Anthony J. Albanese Acting Superintendent FROM: TO: Anthony J. Albanese, Acting Superintendent of Financial Services Financial and Banking Information Infrastructure Committee

More information

White Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK. By James Christiansen, VP, Information Risk Management

White Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK. By James Christiansen, VP, Information Risk Management White Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK By James Christiansen, VP, Information Management Executive Summary The Common Story of a Third-Party Data Breach It begins with a story in the newspaper.

More information

2015 CEO & Board University Cybersecurity on the Rise. Matthew J. Putvinski, CPA, CISA, CISSP

2015 CEO & Board University Cybersecurity on the Rise. Matthew J. Putvinski, CPA, CISA, CISSP 2015 CEO & Board University Cybersecurity on the Rise Matthew J. Putvinski, CPA, CISA, CISSP MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2011 Wolf & Company, P.C. About Wolf

More information

Third Party Security Guidelines. e-governance

Third Party Security Guidelines. e-governance for e-governance Draft DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India. Document Control S/L Type of Information Document

More information

WHITE PAPER THIRD PARTY MANAGEMENT: FUNDAMENTALS

WHITE PAPER THIRD PARTY MANAGEMENT: FUNDAMENTALS THIRD PARTY MANAGEMENT: FUNDAMENTALS by Linda Tuck Chapman Sponsored by Third Party Management Fundamentals Third Party Management isn t new, but its importance is growing in every industry and the financial

More information

Assessment and Compliance with Federal Financial Institutions Examination Council (FFIEC) Requirements

Assessment and Compliance with Federal Financial Institutions Examination Council (FFIEC) Requirements isl Assessment and Compliance with Federal Financial Institutions Examination Council (FFIEC) Requirements DataGuardZ White Paper Forti5 BNP Paribas [Pick the date] What is the history behind FFIEC compliance?

More information

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015 Community Bank Auditors Group Cybersecurity What you need to do now June 9, 2015 By: Gerald Gagne MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2015 Wolf & Company, P.C. Cybersecurity

More information

Developing and Maintaining a World-Class Third Party Risk Assessment Program

Developing and Maintaining a World-Class Third Party Risk Assessment Program Developing and Maintaining a World-Class Third Party Risk Assessment Program Presented by: Tom Garrubba, Senior Director, The Santa Fe Group/Shared Assessments Program Monday, September 15, 2014 - IIA

More information

SHARED ASSESSMENTS PROGRAM STANDARDIZED INFORMATION GATHERING (SIG) QUESTIONNAIRE

SHARED ASSESSMENTS PROGRAM STANDARDIZED INFORMATION GATHERING (SIG) QUESTIONNAIRE SHARED ASSESSMENTS PROGRAM STANDARDIZED INFORMATION GATHERING (SIG) QUESTIONNAIRE The Shared Assessments Trust, But Verify Model The Shared Assessments Program Tools are used for managing the vendor risk

More information

Security & IT Governance: Strategies to Building a Sustainable Model for Your Organization

Security & IT Governance: Strategies to Building a Sustainable Model for Your Organization Security & IT Governance: Strategies to Building a Sustainable Model for Your Organization Outside View of Increased Regulatory Requirements Regulatory compliance is often seen as sand in the gears requirements

More information

How to Protect Sensitive Corporate Data against Security Vulnerabilities of Your Vendors

How to Protect Sensitive Corporate Data against Security Vulnerabilities of Your Vendors How to Protect Sensitive Corporate Data against Security Vulnerabilities of Your Vendors July 2014 Executive Summary Data breaches cost organizations millions and sometimes even billions of dollars in

More information

Office of the Auditor General Performance Audit Report. Statewide UNIX Security Controls Department of Technology, Management, and Budget

Office of the Auditor General Performance Audit Report. Statewide UNIX Security Controls Department of Technology, Management, and Budget Office of the Auditor General Performance Audit Report Statewide UNIX Security Controls Department of Technology, Management, and Budget December 2015 State of Michigan Auditor General Doug A. Ringler,

More information

Information Technology Branch Information Technology Systems Acquisition, Development and Maintenance Technical Standard

Information Technology Branch Information Technology Systems Acquisition, Development and Maintenance Technical Standard Information Technology Branch Information Technology Systems Acquisition, Development and Maintenance Technical Standard Information Management, Administrative Directive A1461 Cyber Security Technical

More information

A Guide to Minimizing the Risk of IT Asset Disposition

A Guide to Minimizing the Risk of IT Asset Disposition A Guide to Minimizing the Risk of IT Asset Disposition Who is concerned about risk? They may not think about it terms of risk, but almost everyone at your organization is worried about the chinks in its

More information

GEARS Cyber-Security Services

GEARS Cyber-Security Services Florida Department of Management Services Division of State Purchasing Table of Contents Introduction... 1 About GEARS... 2 1. Pre-Incident Services... 3 1.1 Incident Response Agreements... 3 1.2 Assessments

More information

Certified Information Security Manager (CISM)

Certified Information Security Manager (CISM) Certified Information Security Manager (CISM) Course Introduction Course Introduction Domain 01 - Information Security Governance Lesson 1: Information Security Governance Overview Information Security

More information

AUDIT REPORT. The Energy Information Administration s Information Technology Program

AUDIT REPORT. The Energy Information Administration s Information Technology Program U.S. Department of Energy Office of Inspector General Office of Audits and Inspections AUDIT REPORT The Energy Information Administration s Information Technology Program DOE-OIG-16-04 November 2015 Department

More information

Data Privacy Framework

Data Privacy Framework Data Privacy Framework Table of Contents 1. INTRODUCTION...4 2. SCOPE & DEFINITIONS...4 2.1 SCOPE OF THE DATA PRIVACY FRAMEWORK...4 2.2 DEFINITIONS...4 3. SECURITY ORGANIZATION & RESPONSIBILITIES...4 3.1

More information

April 8, 2013. Ms. Diane Honeycutt National Institute of Standards and Technology 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899

April 8, 2013. Ms. Diane Honeycutt National Institute of Standards and Technology 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899 Salt River Project P.O. Box 52025 Mail Stop: CUN204 Phoenix, AZ 85072 2025 Phone: (602) 236 6011 Fax: (602) 629 7988 James.Costello@srpnet.com James J. Costello Director, Enterprise IT Security April 8,

More information

VMware and the Need for Cyber Supply Chain Security Assurance

VMware and the Need for Cyber Supply Chain Security Assurance White Paper VMware and the Need for Cyber Supply Chain Security Assurance By Jon Oltsik, Senior Principal Analyst September 2015 This ESG White Paper was commissioned by VMware and is distributed under

More information

OCC 98-3 OCC BULLETIN

OCC 98-3 OCC BULLETIN To: Chief Executive Officers and Chief Information Officers of all National Banks, General Managers of Federal Branches and Agencies, Deputy Comptrollers, Department and Division Heads, and Examining Personnel

More information

PwC Viewpoint on Third Party Risk Management

PwC Viewpoint on Third Party Risk Management www.pwc.com PwC Viewpoint on Third Party Risk Management November 2013 Significant others: How companies can effectively manage the risks of vendor relationships Are vendors more trouble than they re worth?

More information

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL MICHIGAN OFFICE OF THE AUDITOR GENERAL AUDIT REPORT THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL The auditor general shall conduct post audits of financial transactions and accounts of the state and of all

More information

Customer Success Story. Central Logic. Comprehensive SRA helps healthcare software provider safeguard its customer s PHI and ensure HIPAA compliance.

Customer Success Story. Central Logic. Comprehensive SRA helps healthcare software provider safeguard its customer s PHI and ensure HIPAA compliance. Customer Success Story Central Logic Comprehensive SRA helps healthcare software provider safeguard its customer s PHI and ensure HIPAA compliance. Page 2 of 6 Central Logic Comprehensive SRA helps healthcare

More information

To: Our Clients and Friends March 25, 2014

To: Our Clients and Friends March 25, 2014 Financial Services Group To: Our Clients and Friends March 25, 2014 A Significant Change Is Occurring Regarding Regulatory Oversight of Banks and Their Third Party Relationships. Both Banks and their Vendors

More information

INFOCUS. Five Questions to Guide Cybersecurity Risk Management BY EARL CRANE

INFOCUS. Five Questions to Guide Cybersecurity Risk Management BY EARL CRANE promontory.com INFOCUS JUNE 3, 2015 BY EARL CRANE Five Questions to Guide Cybersecurity Risk Management The quick transformation of cybersecurity risk management from obscure specialty to top-of-thehouse

More information

PROTIVITI FLASH REPORT

PROTIVITI FLASH REPORT PROTIVITI FLASH REPORT Cybersecurity Framework: Where Do We Go From Here? February 25, 2014 Just over a year ago, President Barack Obama signed an Executive Order (EO) calling for increased cybersecurity

More information

The PNC Financial Services Group, Inc. Business Continuity Program

The PNC Financial Services Group, Inc. Business Continuity Program The PNC Financial Services Group, Inc. Business Continuity Program subsidiaries) 1 Content Overview A. Introduction Page 3 B. Governance Model Page 4 C. Program Components Page 4 Business Impact Analysis

More information

Vendor Management Challenges and Solutions for HIPAA Compliance. Jim Sandford Vice President, Coalfire

Vendor Management Challenges and Solutions for HIPAA Compliance. Jim Sandford Vice President, Coalfire Vendor Management Challenges and Solutions for HIPAA Compliance Jim Sandford Vice President, Coalfire Housekeeping You may submit questions throughout the webinar using the question area in the control

More information

DTCC RISK COMMITTEE CHARTER

DTCC RISK COMMITTEE CHARTER DTCC RISK COMMITTEE CHARTER Purpose The ability to identify, manage and mitigate risk is fundamental to the services that The Depository Trust & Clearing Corporation ( DTCC ) provides to its members and

More information

Client Update Federal Financial Regulators to Propose Enhanced Cyber Risk Management Standards

Client Update Federal Financial Regulators to Propose Enhanced Cyber Risk Management Standards 1 Client Update Federal Financial Regulators to Propose Enhanced Cyber Risk Management Standards WASHINGON, D.C. Luke Dembosky ldembosky@debevoise.com NEW YORK Jim Pastore jjpastore@debevoise.com David

More information

Information Security Management System for Microsoft s Cloud Infrastructure

Information Security Management System for Microsoft s Cloud Infrastructure Information Security Management System for Microsoft s Cloud Infrastructure Online Services Security and Compliance Executive summary Contents Executive summary 1 Information Security Management System

More information

Morgan Stanley. Policy for the Management of Third Party Residential Mortgage Servicing Providers

Morgan Stanley. Policy for the Management of Third Party Residential Mortgage Servicing Providers Morgan Stanley Policy for the Management of Third Party Residential Mortgage Servicing Providers Title Policy for the Management of Third Party Residential Mortgage Servicing Providers Effective Date Owner

More information

FFIEC Cybersecurity Assessment Tool

FFIEC Cybersecurity Assessment Tool 6/9/2016 Tim Segerson, Deputy Director Office of Examination & Insurance FFIEC Cybersecurity Assessment Tool LSCU Cyber Breakout June 17, 2016 Continuing saga of lost sensitive data Every event enhances

More information

ITIL by Test-king. Exam code: ITIL-F. Exam name: ITIL Foundation. Version 15.0

ITIL by Test-king. Exam code: ITIL-F. Exam name: ITIL Foundation. Version 15.0 ITIL by Test-king Number: ITIL-F Passing Score: 800 Time Limit: 120 min File Version: 15.0 Sections 1. Service Management as a practice 2. The Service Lifecycle 3. Generic concepts and definitions 4. Key

More information

New York State Department of Financial Services. Update on Cyber Security in the Banking Sector: Third Party Service Providers

New York State Department of Financial Services. Update on Cyber Security in the Banking Sector: Third Party Service Providers New York State Department of Financial Services Update on Cyber Security in the Banking Sector: Third Party Service Providers April 2015 Update on Cyber Security in Banking Sector: Third-Party Service

More information

AUDIT OF INFORMATION TECHNOLOGY Management (Action Plan) Responses February 2005 # PRIORITY DESCRIPTION MANAGEMENT RESPONSE

AUDIT OF INFORMATION TECHNOLOGY Management (Action Plan) Responses February 2005 # PRIORITY DESCRIPTION MANAGEMENT RESPONSE AUDIT OF INFORMATION TECHNOLOGY Management (Action Plan) Responses February 2005 # PRIORITY DESCRIPTION MANAGEMENT RESPONSE Ref: Chapter 3.1 GOVERNANCE FRAMEWORK Information Technology Steering Committee

More information

Today s IT Organization Delivering Security, Value and Performance Amid Major Transformation

Today s IT Organization Delivering Security, Value and Performance Amid Major Transformation Today s IT Organization Delivering Security, Value and Performance Amid Major Transformation Assessing the Results of Protiviti s 2014 IT Priorities Survey Nearly two out of three organizations are undergoing

More information

Management Advisory Postal Service Transformation Plan (Report Number OE-MA-03-001)

Management Advisory Postal Service Transformation Plan (Report Number OE-MA-03-001) October 29, 2002 RALPH J. MODEN VICE PRESIDENT, STRATEGIC PLANNING SUBJECT: Management Advisory Postal Service Transformation Plan (Report Number ) This management advisory presents the results of our

More information

Vendor Management. Outsourcing Technology Services

Vendor Management. Outsourcing Technology Services Vendor Management Outsourcing Technology Services Objectives Board and Senior Management Responsibilities Risk Management Program Risk Assessment Service Provider Selection Contracts Ongoing Monitoring

More information

Implementing Information Governance: A Best Practice Approach to Enable Compliance and Reduce Costs & Risks

Implementing Information Governance: A Best Practice Approach to Enable Compliance and Reduce Costs & Risks Implementing Information Governance: A Best Practice Approach to Enable Compliance and Reduce Costs & Risks July 23, 2015 2015 Iron Mountain Incorporated. All rights reserved. Iron Mountain and the design

More information

Quick Guide: Managing ICT Risk for Business

Quick Guide: Managing ICT Risk for Business Quick Guide: Managing ICT Risk for Business This Quick Guide is one of a series of information products aimed at helping small to medium sized enterprises identify and manage risks when assessing, buying

More information

Human Resource Services PO Box 115009 Classification and Compensation Gainesville, FL 32611-5009 352-392-2477 352-846-3058 Fax

Human Resource Services PO Box 115009 Classification and Compensation Gainesville, FL 32611-5009 352-392-2477 352-846-3058 Fax Human Resource Services PO Box 115009 Classification and Compensation Gainesville, FL 32611-5009 352-392-2477 352-846-3058 Fax UFIT Classification Specifications Revised March 20, 2014 Job Title: IT Senior

More information

GOVERNANCE DEFINED. Governance is the practice of making enterprise-wide decisions regarding an organization s informational assets and artifacts

GOVERNANCE DEFINED. Governance is the practice of making enterprise-wide decisions regarding an organization s informational assets and artifacts GOVERNANCE DEFINED Governance is the practice of making enterprise-wide decisions regarding an organization s informational assets and artifacts Governance over the use of technology assets can be seen

More information