1 1 THIRD PARTY (VENDOR) SECURITY RISK MANAGEMENT IAPP KnowledgeNet Presentation Boston, April 24, 2012
2 About Kyle Lai 2 Kyle Lai, CIPP/G/US, CISSP, CISA, CSSLP, BSI Cert. ISO LA President and CTO of KLC Consulting, Inc. Over 20 years in IT and 15 years in Information Security Security Assessment, Network and Application Security Third Party Security Risk Assessment / Management Information Assurance Expert in Financial, Healthcare, and Federal Government sectors. Past Experience consulting for DoD, NIH, VA, RBS, Boeing, CIGNA, HP/EDS, PWC, Major Financial Institutions, and Fortune 1000 Author of the security and privacy software, SMAC MAC Address Changer, with over 1.5 million users
3 Manage Issues Assess Vendor Vendor Risk Classification KLC Vendor Security Management Process 3 Inventory Vendors Classify Risk of Each Vendor by Relationship & Data handled Determine Type of Assessment Onsite / Phone / Self Assessment Create Questionnaire Coordinate Assessment with Vendor Review Questionnaire Responses Conduct Onsite / Phone Assessment Send Questionnaire to Vendor Vendor Complete & Send Back Questionnaire Generate Issues Verify & Finalize Issues with Vendor Vendor Provides Remediation Plan Track Issues Close Issues
4 Vendor Security Management Program 4 How many reviews can you do a year with the assigned resources? How to classify vendor security risk based on data handled? What vendor gets onsite and phone assessments? What is the baseline framework (ISO 27002, GLBA, HIPAA, )? What baseline questions to include in the questionnaire? How will the vendor responses get documented? What results make a vendor High, Medium or Low Risk? How to address and track issues raised? Exception Process? What tool should I use to manage Vendor Security Program? What reports should be generated to track vendor security risks?
5 Tools to Help Manage Vendor Risk 5 Evolution of Tools in Medium to Large Organizations: Vendor Security Risk Management System (Data Collection) Vendor Security Risk Management System (Automation)
6 Dealing with Vendors 6 Define roles and responsibilities What should Vendor Relationship Manager do? When should Assessment Analyst engage the vendor? What is the process to schedule an assessment? How much lead time should you give to the vendor to fill out the questionnaire? How much time do you spend assessing the vendor - onsite and over the phone? What is the escalation process if a vendor is NOT COOPERATING?
7 Managing Issues 7 What tool will you use to track issues? Where will you store the issues? How do you efficiently generate management report? What is the allowed timeframe for vendor to address Critical, High, Medium and Low risk issues? What is the process for following up issue status? What is the process to close the issue? What is the Risk Acceptance Process???
8 Other Items to Consider 8 What Management Reports to generate? What about 4 th parties? How to assess data center providers? How to assess Cloud Service Providers? How to assess application development vendors? How do you assess vendors that are outside of USA? What regulations to consider? How about assessing vendors that no longer doing business with you but have the obligation to store your data for 7 years?
9 Some Common Vendor Issues 9 Lack of Mobile Device Security (Bring Your Own Device - BYOD) Lack of Cloud Computing Usage Policy and Standards Lack of USB Lockdown and/or Encryption Lack of Local Administrator Privilege Lockdown Upcoming Lack of IPv6 networking and security knowledge (Increasing IPv6 based attacks).
10 KLC Consulting, Inc. 10 KLC is developing a Turn-Key Third Party Security Risk Management System on Process Unity platform, releasing in July, We are looking for a Pilot Testing firm Contact: Kyle Lai, CIPP/G/US, CISSP, CSSLP, CISA President & CTO x168 Tarek El Heneidy Director of Operations x138
CLOUD COMPUTING READINESS VOLKER RATH VOLKER RATH 1 CONTENTS HOW SHOULD THIS GUIDE BE USED? 2 WILL MY COMPANY BENEFIT FROM 2 TRANSITIONING SERVICES TO THE CLOUD? CLOUD READINESS OVERVIEW 3 SECURITY CONCERNS
Online Lead Generation: Data Security Best Practices Released September 2009 The IAB Online Lead Generation Committee has developed these Best Practices. About the IAB Online Lead Generation Committee:
Seeing Though the Clouds A PM Primer on Cloud Computing and Security NIH Project Management Community Meeting Mark L Silverman Are You Smarter Than a 5 Year Old? 1 Cloud First Policy Cloud First When evaluating
Security Officer s Checklist in a Sourcing Deal Guide Share Europe Ostend, May 9th 2014 Johan Van Mengsel IBM Distinguished IT Specialist IBM Client Abstract Sourcing deals creates opportunities and challenges.
SUSTAINABILITY Sustainability reporting What you should know kpmg.com b Sustainability reporting What you should know KPMG LLP (KPMG) defines corporate sustainability as adopting business strategies that
The Critical Security Controls for Effective Cyber Defense Version 5.0 1 Introduction... 3 CSC 1: Inventory of Authorized and Unauthorized Devices... 8 CSC 2: Inventory of Authorized and Unauthorized Software...
Managing the Shadow Cloud Integrating cloud governance into your existing compliance program August 2014 Shadow IT is not a new concept and organizations are well aware of the risks associated with unauthorized
Reducing the Cyber Risk in 10 Critical Areas Information Risk Management Regime Establish a governance framework Enable and support risk management across the organisation. Determine your risk appetite
FIRST Site Visit Requirements and Assessment Document originally produced by CERT Program at the Software Engineering Institute at Carnegie Mellon University And Cisco Systems PSIRT Revision When Who What
ch01.fm Page 1 Thursday, November 4, 1999 12:19 PM Chapter 1 Lights Out Exposed Planning and executing a successful automation project begins by developing realistic expectations for the purpose and scope
Vanderbilt University Medical Center Project Implementation Process (PIP).......... Project Implementation Process OVERVIEW...4 PROJECT PLANNING PHASE...5 PHASE PURPOSE... 5 TASK: TRANSITION FROM PEP TO
Xerox Litigation Services In the Cybersecurity Hot Seat: How Law Firms are Optimizing Security While Reducing Cost and Risk Your Highest Priority is also Your Greatest Challenge Data breaches are not just
Checklist to Assess Security in IT Contracts Federal Agencies that outsource or contract IT services or solutions must determine if security is adequate in existing and new contracts. Executive Summary
A REPORT BY HARVARD BUSINESS REVIEW ANALYTIC SERVICES Meeting the Cyber Risk Challenge Sponsored by ABOUT ZURICH INSURANCE GROUP Zurich Insurance Group (Zurich) is a leading multi-line insurance provider
Checklist for a Watertight Cloud Computing Contract Companies of all industries are recognizing the need and benefit of moving some if not all of their IT infrastructure to a Cloud whether public or private.
white paper Public or Private Cloud: The Choice is Yours Current Cloudy Situation Facing Businesses There is no debate that most businesses are adopting cloud services at a rapid pace. In fact, a recent
Data Breach Response Guide By Experian Data Breach Resolution 2013-2014 Edition Trust the Power of Experience. 2013 ConsumerInfo.com, Inc. Table of Contents Introduction 3... Data Breach Preparedness 4...
Q&A: Demystifying Cloud Security An Empowered Report: Getting Past Cloud Security Fear Mongering by Chenxi Wang, Ph.D. with Stephanie Balaouras and Lindsey Coit EXECUTIVE SUMMARY At Forrester s Security
GOVERNANCE STRATEGIES New Requirements for Security and Compliance Auditing in the Cloud Cloud computing poses new challenges for IT security, compliance, and audit professionals who must protect corporate
Managing Records: Retention, Destruction and Disposal Presentation by Jennifer L. Cox, J.D. Cox & Osowiecki, LLC Hartford, CT April 10, 2014 Today s Program Identify the universe of records involved Distinguish
www.pwc.com PwC Advisory Oracle practice 2012 How to drive innovation and business growth Leveraging emerging technology for sustainable growth 1 Heart of the matter Top growth driver today is innovation
Summary of Responses to an Industry RFI Regarding a Role for CMS with Personal Health Records Table of Contents EXECUTIVE SUMMARY... 4 1. INTRODUCTON... 7 2. CMS ROLE WITH PHRs... 9 What PHR functionalities
White paper Secure Cloud Services: An Integrated Approach Edition October 2013 Whitepaper Information Management Secure Cloud Services: An Integrated Approach Edition October 2013 Copyright 2013 EXIN All