VENDOR MANAGEMENT An Update & Discussion
Size: px
Start display at page:

Download "VENDOR MANAGEMENT An Update & Discussion"

Transcription

1 VENDOR MANAGEMENT An Update & Discussion

2 Ground Rules TO ENCOURAGE FREE DISCUSSION, NO RECORDING DEVICES OF ANY KIND INCLUDING CELL PHONES, CAMERAS, ETC, ARE ALLOWED NO EXCEPTIONS VIOLATORS WILL BE ASKED TO LEAVE AND BANNED FROM FUTURE PARTICIPATION Plato: Wise men speak because they have something to say; Fools because they have to say something.

3 AGENDA Evolution & Foundation Public Breaches Third Party Third Party Supply Chain Performance Financial Sector Regulatory Sector How? Out of Scope Life Cycle

4 Evolution & Foundation Gramm-Leach Bliley FFIEC: OCC, FDIC, FRB, NCUA Federal Trade Commission FACT ACT Payment Card Industry (PCI) OCC Bulletin Managing Third Party Risk

5 Public Breaches Third Party Target: Public sources intertwined with Krebs On Security Blog s/-and-breaches/target-hackers-tapped-vendorcredentials/d/d-id/ Dairy Queen, Home Depot Backend POS

6 Public Breaches Third Party (Continued) It also disclosed 53 million addresses were stolen Aside From Network Compromise, What Else Is Missed? Why? Audit & Assessment Scope d5a10618b5&e=26dc6f8709 Homeland Security Background Check Database Breached At USIS, Third Party Background Check Firm

7 Third Party Supply Chain Third Party Product Bundling Made IBM Vulnerable: curityweek+rss+feed%29 FTC faults Web privacy firm at 2F11%2F19&id=Ar02809 Payment Gateway Breached: =buffer Third party risks affecting automotive manufacturers Lessons Learned? Facility infrastructure overlooked by regulators, PCI, SSAE 16 Facilities infrastructure viewed first as availability risk rather than network risk vector

8 Financial Sector OCC Bulletin Third Party Risk Operational Risk CLOUD, SaAS, COLO, Guilt By Association General Connectivity (no data sharing) Social Media Netflix/SEC Dodd-Frank and Data Governance Confidentiality & Integrity Purity & timeliness of Data Supporting Executive Info System Development Life Cycle (SDLC)

9 Regulatory Sector pdf million-fine-the-fcc-is-leaping-into-data-security-for-the-first-time/ SEC Examinations: What to Expect When the SEC Is on Its Way -Wall Street & Technology DT_WST_daily_ &elq=67ba52d6cc4c f114d8f2fc4 &elqcampaignid=11105

10 How? Questionnaires: FISAP Reliance On SSAE 16 SOC Reports/AIT Who Defines Scope of Controls & Pays For Attestation? Ssae%2016&s=Site%20Content&start1=0&ct=Site&cs=Searc h&scopes=people,site%20content,conversations ISACA Vendor Management Vendor%20&s=Site%20Content&start1=0&ct=Site&cs=ISAC A&scopes=People,Site%20Content,Conversations NIST, PCI, SANS & ISO

11 How? (Continued) d_party_security_assurance.pdf PCI_DSS_V1.0_Best_Practices_for_Implementing_Security_Awareness_P rogram Onsite Assessments Validate Infrastructure Policies & Procedures Security Settings & Change Management Records Vulnerability Management Program Network Scans Patch Management Independent Third Party Network Penetration Testing Vendor Score Cards

12 ONLINE & THIRD PARTY TOOLS

13 END

Similar documents

The New Normal: The Expanding Role of Technology Providers in Payment Processing. Pete S. Johnson

The New Normal: The Expanding Role of Technology Providers in Payment Processing. Pete S. Johnson The New Normal: The Expanding Role of Technology Providers in Payment Processing Pete S. Johnson Recent Market Trends Affecting Role of Technology Providers Transition Brick and Mortar ecommerce Mobile

More information

ASSESSING VENDORS USING THE NIST CYBERSECURITY FRAMEWORK

ASSESSING VENDORS USING THE NIST CYBERSECURITY FRAMEWORK ASSESSING VENDORS USING THE NIST CYBERSECURITY FRAMEWORK Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager Dan Banning Director of Marketing

More information

Security Breaches and Vulnerability Experiences Overview of PCI DSS Initiative and CISP Payment Application Best Practices Questions and Comments

Security Breaches and Vulnerability Experiences Overview of PCI DSS Initiative and CISP Payment Application Best Practices Questions and Comments Security in the Payment Card Industry OWASP AppSec Seattle Oct 2006 Hap Huynh, Information Security Specialist, Visa USA hhuynh@visa.com Copyright 2006 - The OWASP Foundation Permission is granted to copy,

More information

Vendor Management: An Enterprise-wide Focus. Susan Orr, CISA CISM CRISC CRP Susan Orr Consulting, Ltd.

Vendor Management: An Enterprise-wide Focus. Susan Orr, CISA CISM CRISC CRP Susan Orr Consulting, Ltd. Vendor Management: An Enterprise-wide Focus Susan Orr, CISA CISM CRISC CRP Susan Orr Consulting, Ltd. Why Focus on Vendor Management Increased financial regulatory scrutiny GLBA and Identity Theft Red

More information

Identifying and Managing Third Party Data Security Risk

Identifying and Managing Third Party Data Security Risk Identifying and Managing Third Party Data Security Risk Legal Counsel to the Financial Services Industry Digital Commerce & Payments Series Webinar April 29, 2015 1 Introduction & Overview Today s discussion:

More information

MAINTAINING COMPLIANCE AND MANAGING RISK IN OUTSOURCED ENGAGEMENTS. Nick Harrahill PayPal Global Security Operations

MAINTAINING COMPLIANCE AND MANAGING RISK IN OUTSOURCED ENGAGEMENTS. Nick Harrahill PayPal Global Security Operations MAINTAINING COMPLIANCE AND MANAGING RISK IN OUTSOURCED ENGAGEMENTS Nick Harrahill PayPal Global Security Operations AGENDA Inception of an engagement The legal agreement Assessing the risk Customer call

More information

SUPPLY CHAIN ASSURANCE FRAMEWORK: THE SUPPLY CHAIN STANDARDS TRANSLATOR

SUPPLY CHAIN ASSURANCE FRAMEWORK: THE SUPPLY CHAIN STANDARDS TRANSLATOR SUPPLY CHAIN ASSURANCE FRAMEWORK: THE SUPPLY CHAIN STANDARDS TRANSLATOR Michael de Crespigny, CEO Information Security Forum Session ID: GRC R02B Session Classification: General Interest KEY ISSUE Our

More information

9/13/2013. 20/20 Vision for Vendor Management & Oversight. Disclaimer. Bank Service Company Act - FIL-49-99

9/13/2013. 20/20 Vision for Vendor Management & Oversight. Disclaimer. Bank Service Company Act - FIL-49-99 20/20 Vision for Vendor Management & Oversight 2013 WBA Technology Conference September 17, 2013 Ken M. Shaurette, CISSP, CISA, CISM, CRISC, IAM Director IT Services Disclaimer The views set forth are

More information

Protecting Your Business From Security Threats. Carl Cadregari, CISA, Executive Vice President Enterprise Risk Management Division The Bonadio Group

Protecting Your Business From Security Threats. Carl Cadregari, CISA, Executive Vice President Enterprise Risk Management Division The Bonadio Group Protecting Your Business From Security Threats Carl Cadregari, CISA, Executive Vice President Enterprise Risk Management Division The Bonadio Group Carl Cadregari, CISA, MCF - EVP, Practice Lead for Enterprise

More information

Cloud Computing Risks & Reality. Sandra Liepkalns, CRISC sandra.liepkalns@netrus.com

Cloud Computing Risks & Reality. Sandra Liepkalns, CRISC sandra.liepkalns@netrus.com Cloud Computing Risks & Reality Sandra Liepkalns, CRISC sandra.liepkalns@netrus.com What is Cloud Security The quality or state of being secure to be free from danger & minimize risk To be protected from

More information

Leveraging Regulatory Compliance to Improve Cyber Security

Leveraging Regulatory Compliance to Improve Cyber Security Leveraging Regulatory Compliance to Improve Cyber Security Leveraging Regulatory Compliance to Improve Cyber Security Brian Irish, Cyber Security Assurance Manager Salt River Project LEVERAGING REGULATORY

More information

Keeping up with the World of Cloud Computing: What Should Internal Audit be Thinking About?

Keeping up with the World of Cloud Computing: What Should Internal Audit be Thinking About? Keeping up with the World of Cloud Computing: What Should Internal Audit be Thinking About? IIA San Francisco Chapter October 11, 2011 Agenda Introductions Cloud computing overview Risks and audit strategies

More information

Ed McMurray, CISA, CISSP, CTGA CoNetrix

Ed McMurray, CISA, CISSP, CTGA CoNetrix Ed McMurray, CISA, CISSP, CTGA CoNetrix AGENDA Introduction Cybersecurity Recent News Regulatory Statements NIST Cybersecurity Framework FFIEC Cybersecurity Assessment Questions Information Security Stats

More information

KLC Consulting, Inc. All Rights Reserved. 1 THIRD PARTY (VENDOR) SECURITY RISK MANAGEMENT

KLC Consulting, Inc. All Rights Reserved. 1 THIRD PARTY (VENDOR) SECURITY RISK MANAGEMENT 1 THIRD PARTY (VENDOR) SECURITY RISK MANAGEMENT About Kyle Lai 2 Kyle Lai, CIPP/G/US, CISSP, CISA, CSSLP, BSI Cert. ISO 27001 LA President of KLC Consulting, Inc. Over 20 years in IT and Security Security

More information

The Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant

The Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant THE MARKET LEADER IN IT, SECURITY AND COMPLIANCE SERVICES FOR COMMUNITY FINANCIAL INSTITUTIONS The Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant Agenda

More information

Cloud Security & Risk. Adam Cravedi, CISA Senior IT Auditor acravedi@compassitc.com

Cloud Security & Risk. Adam Cravedi, CISA Senior IT Auditor acravedi@compassitc.com Cloud Security & Risk Adam Cravedi, CISA Senior IT Auditor acravedi@compassitc.com Agenda About Compass Overcast - Cloud Overview Thunderheads - Risks in the Cloud The Silver Lining - Security Approaches

More information

Cloud Computing: Background, Risks and Audit Recommendations

Cloud Computing: Background, Risks and Audit Recommendations Cloud Computing: Background, Risks and Audit Recommendations October 30, 2014 Table of Contents Cloud Computing: Overview 3 Multiple Models of Cloud Computing 11 Deployment Models 16 Considerations For

More information

How To Be A Successful Compliance Officer

How To Be A Successful Compliance Officer : A Pragmatic Approach to SOC2 and PCI compliance The Cadence Group is a professional services firm specializing in financial and IT compliance and risk management services. Our value proposition includes:

More information

Risky Business. Is Your Cybersecurity in Cruise Control? ISACA Austin Chapter Meeting May 5, 2015

Risky Business. Is Your Cybersecurity in Cruise Control? ISACA Austin Chapter Meeting May 5, 2015 Risky Business Is Your Cybersecurity in Cruise Control? ISACA Austin Chapter Meeting May 5, 2015 What We ll Cover About Me Background The threat Risks to your organization What your organization can/should

More information

Vendor Management Panel Discussion. Managing 3 rd Party Risk

Vendor Management Panel Discussion. Managing 3 rd Party Risk Vendor Management Panel Discussion Managing 3 rd Party Risk Vendor Risk at its Finest Vendor Risk at its Finest CVS Care Mark Corporation announced that it had mistakenly sent letters to approximately

More information

Logging In: Auditing Cybersecurity in an Unsecure World

Logging In: Auditing Cybersecurity in an Unsecure World About This Course Logging In: Auditing Cybersecurity in an Unsecure World Course Description $5.4 million that s the average cost of a data breach to a U.S.-based company. It s no surprise, then, that

More information

Who s Your Vendor? Secondary Market Compliance and Title Agent Vendor Management

Who s Your Vendor? Secondary Market Compliance and Title Agent Vendor Management Who s Your Vendor? Secondary Market Compliance and Title Agent Vendor Management 2015 LBA Bank Counsel Conference Marx Sterbcow, Managing Attorney, Sterbcow Law Group The Bureau s Scrutiny of Vendor Management

More information

9/14/2015. Before we begin. Learning Objectives. Kevin Secrest IT Audit Manager, University of Pennsylvania

9/14/2015. Before we begin. Learning Objectives. Kevin Secrest IT Audit Manager, University of Pennsylvania Evaluating and Managing Third Party IT Service Providers Are You Really Getting The Assurance You Need To Mitigate Information Security and Privacy Risks? Kevin Secrest IT Audit Manager, University of

More information

Intelligent Vendor Risk Management

Intelligent Vendor Risk Management Intelligent Vendor Risk Management Cliff Baker, Managing Partner, Meditology Services LeeAnn Foltz, JD Compliance Resource Consultant, WoltersKluwer Law & Business Agenda Why it s Needed Regulatory Breach

More information

Plan of Attack 5 Step Plan

Plan of Attack 5 Step Plan Plan of Attack 5 Step Plan Naming those Digital Assets Practicing Digital Doomsday Training + Policies and Procedures Technology Tuning Security in the Supply Chain Next Steps Sample Plan 0 to 30 Days

More information

Maintaining PCI-DSS compliance. Daniele Bertolotti daniele_bertolotti@symantec.com Antonio Ricci antonio_ricci@symantec.com

Maintaining PCI-DSS compliance. Daniele Bertolotti daniele_bertolotti@symantec.com Antonio Ricci antonio_ricci@symantec.com Maintaining PCI-DSS compliance Daniele Bertolotti daniele_bertolotti@symantec.com Antonio Ricci antonio_ricci@symantec.com Sessione di Studio Milano, 21 Febbraio 2013 Agenda 1 Maintaining PCI-DSS compliance

More information

How to Lead the People in a Program Based Environment

How to Lead the People in a Program Based Environment SESSION ID: GRC-W01 Balancing Compliance and Operational Security Demands Steve Winterfeld Bank Information Security Officer CISSP, PCIP What is more important? Compliance with laws / regulations Following

More information

THE BEST PRACTICES FOR DATA SECURITY AND PRIVACY IN VENDOR/ CLIENT RELATIONSHIPS

THE BEST PRACTICES FOR DATA SECURITY AND PRIVACY IN VENDOR/ CLIENT RELATIONSHIPS THE BEST PRACTICES FOR DATA SECURITY AND PRIVACY IN VENDOR/ CLIENT RELATIONSHIPS Data Law Group, P.C. Kari Kelly Deborah Shinbein YOU CAN T OUTSOURCE COMPLIANCE! Various statutes and regulations govern

More information

Industry Trends An Introduction to Security Breach Prevention, BYOD, & ERP System Implementation

Industry Trends An Introduction to Security Breach Prevention, BYOD, & ERP System Implementation Industry Trends An Introduction to Security Breach Prevention, BYOD, & ERP System Implementation The Central Florida Chapter of The Florida Government Finance Officers Association 2/7/2014 K. Adam Glover,

More information

Cloud Security and Managing Use Risks

Cloud Security and Managing Use Risks Carl F. Allen, CISM, CRISC, MBA Director, Information Systems Security Intermountain Healthcare Regulatory Compliance External Audit Legal and ediscovery Information Security Architecture Models Access

More information

Responses: Only a 0% Only b 100% Both a and b 0% Neither a nor b 0%

Responses: Only a 0% Only b 100% Both a and b 0% Neither a nor b 0% The Cyber Security Council has requested basic "state of the state" cyber security information from each member firm of the Association. While the information that was requested in the survey questionnaire

More information

3/4/2015. Scope of Problem. Data Breaches A Daily Phenomenon. Cybersecurity: Minimizing Risk & Responding to Breaches. Anthem.

3/4/2015. Scope of Problem. Data Breaches A Daily Phenomenon. Cybersecurity: Minimizing Risk & Responding to Breaches. Anthem. Cybersecurity: Minimizing Risk & Responding to Breaches March 5, 2015 Andy Chambers Michael Kelly Jimmie Pursell Scope of Problem Data Breaches A Daily Phenomenon Anthem JP Morgan / Chase Sony Home Depot

More information

Service Organization Control (SOC) Reports Focus on SOC 2 Reporting Standard

Service Organization Control (SOC) Reports Focus on SOC 2 Reporting Standard Information Systems Audit and Controls Association Service Organization Control (SOC) Reports Focus on SOC 2 Reporting Standard February 4, 2014 Tom Haberman, Principal, Deloitte & Touche LLP Reema Singh,

More information

FINRA Publishes its 2015 Report on Cybersecurity Practices

FINRA Publishes its 2015 Report on Cybersecurity Practices Securities Litigation & Enforcement Client Service Group and Data Privacy & Security Team To: Our Clients and Friends February 12, 2015 FINRA Publishes its 2015 Report on Cybersecurity Practices On February

More information

THE BLUENOSE SECURITY FRAMEWORK

THE BLUENOSE SECURITY FRAMEWORK THE BLUENOSE SECURITY FRAMEWORK Bluenose Analytics, Inc. All rights reserved TABLE OF CONTENTS Bluenose Analytics, Inc. Security Whitepaper ISO 27001/27002 / 1 The Four Pillars of Our Security Program

More information

www.pwc.com Third Party Risk Management 12 April 2012

www.pwc.com Third Party Risk Management 12 April 2012 www.pwc.com Third Party Risk Management 12 April 2012 Agenda 1. Introductions 2. Drivers of Increased Focus on Third Parties 3. Governance 4. Third Party Risks and Scope 5. Third Party Risk Profiling 6.

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Payment Card Industry Data Security Standard Abhinav Goyal, B.E.(Computer Science) MBA Finance Final Trimester Welingkar Institute of Management ISACA Bangalore chapter 13 th February 2010 Credit Card

More information

ES ET DE LA VIE PRIVÉE E 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS

ES ET DE LA VIE PRIVÉE E 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS ES ET DE LA VIE PRIVÉE E 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISS Privacy The USA Model Joel Winston Division of Privacy and Identity Protection September 26, 2007 ÉE E 29

More information

Data Security and Privacy Principles for IBM SaaS How IBM Software as a Service is protected by IBM s security-driven culture

Data Security and Privacy Principles for IBM SaaS How IBM Software as a Service is protected by IBM s security-driven culture Data Security and Privacy Principles for IBM SaaS How IBM Software as a Service is protected by IBM s security-driven culture 2 Data Security and Privacy Principles for IBM SaaS Contents 2 Introduction

More information

Is it Time to Look at an Ektron Managed Cloud Strategy? Copyright 2014 Ektron, Inc.

Is it Time to Look at an Ektron Managed Cloud Strategy? Copyright 2014 Ektron, Inc. Is it Time to Look at an Ektron Managed Cloud Strategy? Agenda 1. Introductions 2. This Session 3. Real Life Stories 4. Ektron s Managed Cloud and Managed Services Managed Cloud Managed Services 5. Customer

More information

CLOUD, SCHMOUD: CAN YOU SAY YOUR DATA S SAFE?

CLOUD, SCHMOUD: CAN YOU SAY YOUR DATA S SAFE? CLOUD, SCHMOUD: CAN YOU SAY YOUR DATA S SAFE? 2 HEY, YOU, IT S NOT ABOUT CLOUD OR NO CLOUD There s a whole lot of talk today about the security of data in the cloud. In short, everyone s wondering, Is

More information

CYBERSECURITY: PROTECTING YOUR ORGANIZATION AGAINST CYBER ATTACKS. Viviana Campanaro CISSP Director, Security and Compliance July 14, 2015

CYBERSECURITY: PROTECTING YOUR ORGANIZATION AGAINST CYBER ATTACKS. Viviana Campanaro CISSP Director, Security and Compliance July 14, 2015 CYBERSECURITY: PROTECTING YOUR ORGANIZATION AGAINST CYBER ATTACKS Viviana Campanaro CISSP Director, Security and Compliance July 14, 2015 TODAY S PRESENTER Viviana Campanaro, CISSP Director, Security and

More information

Cybersecurity: Protecting Your Business. March 11, 2015

Cybersecurity: Protecting Your Business. March 11, 2015 Cybersecurity: Protecting Your Business March 11, 2015 Grant Thornton. All LLP. rights All reserved. rights reserved. Agenda Introductions Presenters Cybersecurity Cybersecurity Trends Cybersecurity Attacks

More information

CFPB Readiness Series: Compliant Vendor Management Overview

CFPB Readiness Series: Compliant Vendor Management Overview CFPB Readiness Series: Compliant Vendor Management Overview Legal Disclaimer This information is not intended to be legal advice and may not be used as legal advice. Legal advice must be tailored to the

More information

HIPAA in the Cloud. How to Effectively Collaborate with Cloud Providers

HIPAA in the Cloud. How to Effectively Collaborate with Cloud Providers How to Effectively Collaborate with Cloud Providers Speaker Bio Chad Kissinger Chad Kissinger Founder OnRamp Chad Kissinger is the Founder of OnRamp, an industry leading high security and hybrid hosting

More information

PCI-DSS Penetration Testing

PCI-DSS Penetration Testing PCI-DSS Penetration Testing Adam Goslin, Co-Founder High Bit Security May 10, 2011 About High Bit Security High Bit helps companies obtain or maintain their PCI compliance (Level 1 through Level 4 compliance)

More information

Service Organizations and the Internal Audit function. 2015 conference Institute of Internal Auditors in Israel

Service Organizations and the Internal Audit function. 2015 conference Institute of Internal Auditors in Israel Service Organizations and the Internal Audit function 2015 conference Institute of Internal Auditors in Israel Proprietary This work product/document is intended solely for the information and use of the

More information

Past vs. Present: Third Party Risk

Past vs. Present: Third Party Risk Past vs. Present: Third Party Risk Kevin O Sullivan and Hicham Chahine 3 rd Party Risk, Crowe Horwath LLP April 30th, 2015 Agenda Drivers pushing Third Party Risk Past vs. Present Events and Trends Vendor

More information

ISE Northeast Executive Forum and Awards

ISE Northeast Executive Forum and Awards ISE Northeast Executive Forum and Awards October 3, 2013 Company Name: Project Name: Presenter: Presenter Title: University of Massachusetts Embracing a Security First Approach Larry Wilson Chief Information

More information

IT Risk Management: Guide to Software Risk Assessments and Audits

IT Risk Management: Guide to Software Risk Assessments and Audits IT Risk Management: Guide to Software Risk Assessments and Audits Contents Overview... 3 Executive Summary... 3 Software: Today s Biggest Security Risk... 4 How Software Risk Enters the Enterprise... 5

More information

WELCOME TO SECURE360 2013

WELCOME TO SECURE360 2013 WELCOME TO SECURE360 2013 Don t forget to pick up your Certificate of Attendance at the end of each day. Please complete the Session Survey front and back, and leave it on your seat. Are you tweeting?

More information

Third-Party Risk Management: Busting Myths and Telling Truths

Third-Party Risk Management: Busting Myths and Telling Truths Third-Party Risk Management: Busting Myths and Telling Truths Richik Sarkar, Esq. McDonald Hopkins LLC 600 Superior Avenue, East, Suite 2100 Cleveland, OH 44114 (216) 430-2009 rsarkar@mcdonaldhopkins.com

More information

Cloud Computing Risks in Financial Services Companies: How Attorneys Can Best Help In An Increasingly SaaS-ified World

Cloud Computing Risks in Financial Services Companies: How Attorneys Can Best Help In An Increasingly SaaS-ified World Cloud Computing Risks in Financial Services Companies: How Attorneys Can Best Help In An Increasingly SaaS-ified World July 30, 2015 Sutherland Webinar Michael Steinig 202.383.0804 Michael.Steinig@sutherland.com

More information

BMC s Security Strategy for ITSM in the SaaS Environment

BMC s Security Strategy for ITSM in the SaaS Environment BMC s Security Strategy for ITSM in the SaaS Environment TABLE OF CONTENTS Introduction... 3 Data Security... 4 Secure Backup... 6 Administrative Access... 6 Patching Processes... 6 Security Certifications...

More information

Auditing Cloud Computing and Outsourced Operations

Auditing Cloud Computing and Outsourced Operations Session 136 Auditing Cloud Computing and Outsourced Operations Monday, May 7, 2012 3:30 PM 5:00 PM Mike Schiller Director of Sales & Marketing IT, Texas Instruments Co Author, IT Auditing: Using Controls

More information

Top Ten Technology Risks Facing Colleges and Universities

Top Ten Technology Risks Facing Colleges and Universities Top Ten Technology Risks Facing Colleges and Universities Chris Watson, MBA, CISA, CRISC Manager, Internal Audit and Risk Advisory Services cwatson@schneiderdowns.com April 23, 2012 Overview Technology

More information

A Cautionary Tale Plus Cross-Channel Risk

A Cautionary Tale Plus Cross-Channel Risk Dan Tobin A Cautionary Tale Plus Cross-Channel Risk IT Examiner Supervision, Regulation & Credit Dan.tobin@bos.frb.org Agenda A Cautionary Tale Shames-Yeakel v. Citizens Financial Bank Cross-Channel Risk

More information

HIPAA in the Cloud How to Effectively Collaborate with Cloud Providers

HIPAA in the Cloud How to Effectively Collaborate with Cloud Providers How to Effectively Collaborate with Cloud Providers Agenda Overview of Topics Covered Agenda Evolution of the Cloud Comparison of Private vs. Public Clouds Other Regulatory Frameworks Similar to HIPAA

More information

Hans Bos Microsoft Nederland. hans.bos@microsoft.com

Hans Bos Microsoft Nederland. hans.bos@microsoft.com Hans Bos Microsoft Nederland Email: Twitter: hans.bos@microsoft.com @hansbos Microsoft s Cloud Environment Consumer and Small Business Services Software as a Service (SaaS) Enterprise Services Third-party

More information

Vendor Management Best Practices

Vendor Management Best Practices 23 rd Annual and One Day Seminar Vendor Management Best Practices Catherine Bruder CPA, CITP, CISA, CISM, CTGA Michigan Texas Florida Insight. Oversight. Foresight. SM Doeren Mayhew Bruder 1 $100 billion

More information

SECURITY RISK MANAGEMENT

SECURITY RISK MANAGEMENT SECURITY RISK MANAGEMENT ISACA Atlanta Chapter, Geek Week August 20, 2013 Scott Ritchie, Manager, HA&W Information Assurance Services Scott Ritchie CISSP, CISA, PCI QSA, ISO 27001 Auditor Manager, HA&W

More information

CIP Supply Chain Risk Management (RM15 14 000) Statement of Jacob S. Olcott Vice President, BitSight Technologies January 28, 2016

CIP Supply Chain Risk Management (RM15 14 000) Statement of Jacob S. Olcott Vice President, BitSight Technologies January 28, 2016 CIP Supply Chain Risk Management (RM15 14 000) Statement of Jacob S. Olcott Vice President, BitSight Technologies January 28, 2016 My name is Jacob Olcott and I am pleased to share some observations on

More information

Overview of Topics Covered

Overview of Topics Covered How to Effectively Collaborate with Cloud Providers Agenda Overview of Topics Covered Agenda Evolution of the Cloud Comparison of Private vs. Public Clouds Other Regulatory Frameworks Similar to HIPAA

More information

Cyber Security 2014 SECURE BANKING SOLUTIONS, LLC

Cyber Security 2014 SECURE BANKING SOLUTIONS, LLC Cyber Security CHAD KNUTSON SECURE BANKING SOLUTIONS 2014 SECURE BANKING SOLUTIONS, LLC Presenter Chad Knutson Senior Information Security Consultant Masters in Information Assurance CISSP (Certified Information

More information

Cloud Services Overview

Cloud Services Overview Cloud Services Overview John Hankins Global Offering Executive Ricoh Production Print Solutions May 23, 2012 Cloud Services Agenda Definitions Types of Clouds The Role of Virtualization Cloud Architecture

More information

The Elephant in the Room: What s the Buzz Around Cloud Computing?

The Elephant in the Room: What s the Buzz Around Cloud Computing? The Elephant in the Room: What s the Buzz Around Cloud Computing? Warren W. Stippich, Jr. Partner and National Governance, Risk and Compliance Solution Leader Business Advisory Services Grant Thornton

More information

OFFICE OF AUDITS & ADVISORY SERVICES CLOUD COMPUTING AUDIT FINAL REPORT

OFFICE OF AUDITS & ADVISORY SERVICES CLOUD COMPUTING AUDIT FINAL REPORT County of San Diego Auditor and Controller OFFICE OF AUDITS & ADVISORY SERVICES CLOUD COMPUTING AUDIT FINAL REPORT Chief of Audits: Juan R. Perez Audit Manager: Lynne Prizzia, CISA, CRISC Senior Auditor:

More information

Information Security Management System (ISMS) Overview. Arhnel Klyde S. Terroza

Information Security Management System (ISMS) Overview. Arhnel Klyde S. Terroza Information Security Management System (ISMS) Overview Arhnel Klyde S. Terroza May 12, 2015 1 Arhnel Klyde S. Terroza CPA, CISA, CISM, CRISC, ISO 27001 Provisional Auditor Internal Auditor at Clarien Bank

More information

SSAE 16 & SAS 70 A Primer on Changes to Service Organization Audit Standards

SSAE 16 & SAS 70 A Primer on Changes to Service Organization Audit Standards A Member of OneBeacon Insurance Group SSAE 16 & SAS 70 A Primer on Changes to Service Organization Audit Standards Author: Jack Fletcher, Risk Control Technology Specialist Published: November 2014 Executive

More information

To ensure independence, PSC does not represent, resell or receive commissions from any third party hardware, software or solutions vendors.

To ensure independence, PSC does not represent, resell or receive commissions from any third party hardware, software or solutions vendors. About PSC With offices in the USA, Canada, UK and Australia, PSC is a leading PCI, PA DSS, and P2PE assessor, PCI Forensics Company and Approved Scanning Vendor. PSC is one of an elite few companies qualified

More information

FEDERAL HOUSING FINANCE AGENCY ADVISORY BULLETIN AB 2014-05. Cyber Risk Management Guidance. Purpose

FEDERAL HOUSING FINANCE AGENCY ADVISORY BULLETIN AB 2014-05. Cyber Risk Management Guidance. Purpose FEDERAL HOUSING FINANCE AGENCY ADVISORY BULLETIN AB 2014-05 Cyber Risk Management Guidance Purpose This advisory bulletin provides Federal Housing Finance Agency (FHFA) guidance on cyber risk management.

More information

PCI COMPLIANCE TO BUILD HIGHER CONFIDENCE FOR CARD HOLDER AND BOOST CASHLESS TRANSACTION. Suresh Dadlani, ControlCase

PCI COMPLIANCE TO BUILD HIGHER CONFIDENCE FOR CARD HOLDER AND BOOST CASHLESS TRANSACTION. Suresh Dadlani, ControlCase PCI COMPLIANCE TO BUILD HIGHER CONFIDENCE FOR CARD HOLDER AND BOOST CASHLESS TRANSACTION Suresh Dadlani, ControlCase About Vietnam Google search 2 Population 86 Mn Urban Population 25 Mn, approx 30% -

More information

Anthony J. Albanese, Acting Superintendent of Financial Services. Financial and Banking Information Infrastructure Committee (FBIIC) Members:

Anthony J. Albanese, Acting Superintendent of Financial Services. Financial and Banking Information Infrastructure Committee (FBIIC) Members: Andrew M. Cuomo Governor Anthony J. Albanese Acting Superintendent FROM: TO: Anthony J. Albanese, Acting Superintendent of Financial Services Financial and Banking Information Infrastructure Committee

More information

Pharma CloudAdoption. and Qualification Trends

Pharma CloudAdoption. and Qualification Trends Pharma CloudAdoption and Qualification Trends OurCloudExperience Numerous implementations of EDMS systems with external hosting for smaller life science clients Development of qualification strategy for

More information

PCI Compliance Just the Facts. Rick Dakin President Rick.dakin@CoalfireSystems.com 303.554.6333 ext. 7001

PCI Compliance Just the Facts. Rick Dakin President Rick.dakin@CoalfireSystems.com 303.554.6333 ext. 7001 PCI Compliance Just the Facts Rick Dakin President Rick.dakin@CoalfireSystems.com 303.554.6333 ext. 7001 Agenda Regulatory Landscape Scary Bedtime Stories What went wrong? PCI Compliance Process o What

More information

SAP Product and Cloud Security Strategy

SAP Product and Cloud Security Strategy SAP Products and Solutions SAP Product and Cloud Security Strategy Table of Contents 2 SAP s Commitment to Security 3 Secure Product Development at SAP 5 SAP s Approach to Secure Cloud Offerings SAP s

More information

CASRO Digital Research Conference Data Security: Don t Risk Being the Weak Link

CASRO Digital Research Conference Data Security: Don t Risk Being the Weak Link CASRO Digital Research Conference Data Security: Don t Risk Being the Weak Link Peter Milla CASRO Technical Consultant/CIRQ Technical Advisor peter@petermilla.com Background CASRO and Standards CASRO takes

More information

Navigating Vendor Management Issues in Today s Regulatory Environment

Navigating Vendor Management Issues in Today s Regulatory Environment Navigating Vendor Management Issues in Today s Regulatory Environment May 6, 2015 Elizabeth E. McGinn, Partner Moorari K. Shah, Counsel 1 Disclaimer The information contained herein is for informational

More information

Five keys to a more secure data environment

Five keys to a more secure data environment Five keys to a more secure data environment A holistic approach to data infrastructure security Compliance professionals know better than anyone how compromised data can lead to financial and reputational

More information

AHLA. JJ. Keeping Your Cloud Services Provider from Raining on Your Parade. Jean Hess Manager HORNE LLP Ridgeland, MS

AHLA. JJ. Keeping Your Cloud Services Provider from Raining on Your Parade. Jean Hess Manager HORNE LLP Ridgeland, MS AHLA JJ. Keeping Your Cloud Services Provider from Raining on Your Parade Jean Hess Manager HORNE LLP Ridgeland, MS Melissa Markey Hall Render Killian Heath & Lyman PC Troy, MI Physicians and Hospitals

More information

Agenda. What is cloud? Cloud based services The Good bad and Ugly.. Anatomy of a cloud Guidelines for you

Agenda. What is cloud? Cloud based services The Good bad and Ugly.. Anatomy of a cloud Guidelines for you Agenda What is cloud? Cloud based services The Good bad and Ugly.. Anatomy of a cloud Guidelines for you What is Cloud Computing? Compute as a utility: third major era of computing Cloud enabled by Moore

More information

YEAR END ISSUANCES BY FEDERAL REGULATORS ADDRESS A MULTITUDE OF PRIVACY ISSUES Jane Hils Shea January 23, 2008

YEAR END ISSUANCES BY FEDERAL REGULATORS ADDRESS A MULTITUDE OF PRIVACY ISSUES Jane Hils Shea January 23, 2008 YEAR END ISSUANCES BY FEDERAL REGULATORS ADDRESS A MULTITUDE OF PRIVACY ISSUES Jane Hils Shea January 23, 2008 The final weeks of 2007 saw a flurry of regulatory activity by the federal banking regulatory

More information

SEC 07 : L IAM : Comment accorder sécurité et productivité?

SEC 07 : L IAM : Comment accorder sécurité et productivité? SEC 07 : L IAM : Comment accorder sécurité et productivité? Arnaud DELANDE IBM Security TSS Team Leader Arnaud.delande@fr.ibm.com 2 Multi-perimeter approach to security focuses on the data and where it

More information

Vendor Management Compliance Top 10 Things Regulators Expect

Vendor Management Compliance Top 10 Things Regulators Expect Vendor Management Compliance Top 10 Things Regulators Expect Paul M. Phillips, CFA Attorney, Adams and Reese Pamela T. Rodriguez, AAP, CIA, CISA EVP, Risk Management & Education, EastPay 2014 EastPay.

More information

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security Technical Paper Plain talk about security When it comes to Cloud deployment, security is top of mind for all concerned. The Infor CloudSuite team uses best-practice protocols and a thorough, continuous

More information

Compliance Challenges. Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard. Increased Audits & On-site Investigations

Compliance Challenges. Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard. Increased Audits & On-site Investigations Enabling a HITECH & HIPAA Compliant Organization: Addressing Meaningful Use Mandates & Ensuring Audit Readiness Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard Compliance Mandates Increased

More information

Automated Risk Management Using NIST Standards

Automated Risk Management Using NIST Standards Automated Risk Management Using NIST Standards The management of risks to the security and availability of private information is a key element of privacy legislation under the Federal Information Security

More information

VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium

VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium 1 VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium 2 Agenda Introduction Vendor Management what is? Available Guidance Vendor Management

More information

Customer-Facing Information Security Policy

Customer-Facing Information Security Policy Customer-Facing Information Security Policy Global Security Office (GSO) Version 2.6 Last Updated: 03/23/2015 Symantec Corporation Table of Contents Compliance Framework... 1 High-Level Information Security

More information

Cyber Security Auditing for Credit Unions. ACUIA Fall Meeting October 7-9, 2015

Cyber Security Auditing for Credit Unions. ACUIA Fall Meeting October 7-9, 2015 Cyber Security Auditing for Credit Unions ACUIA Fall Meeting October 7-9, 2015 Topics Introduction Cyber Security Auditing Program Discuss an effective and compliant Cyber Security Auditing Program from

More information

Property of CampusGuard. Compliance With The PCI DSS

Property of CampusGuard. Compliance With The PCI DSS Compliance With The PCI DSS Today s Agenda PCI DSS Introduction How are Colleges and Universities Affected? How Do You Validate Compliance? Best Practices Q&A CampusGuard Full-Service QSA/ASV Firm We Know

More information

Real World Healthcare Security Exposures. Brian Selfridge, Partner, Meditology Services

Real World Healthcare Security Exposures. Brian Selfridge, Partner, Meditology Services Real World Healthcare Security Exposures Brian Selfridge, Partner, Meditology Services 2 Agenda Introduction Background and Industry Context Anatomy of a Pen Test Top 10 Healthcare Security Exposures Lessons

More information

2014 Financial Services Industry Compliance Benchmark Study

2014 Financial Services Industry Compliance Benchmark Study 2014 Financial Services Industry Compliance Benchmark Study Presented By: and Executive Summary Beginning in early December 2013, SAI Global Compliance conducted a survey among compliance professionals

More information

MANAGING CYBER RISK IN THE SUPPLY CHAIN

MANAGING CYBER RISK IN THE SUPPLY CHAIN MANAGING CYBER RISK IN THE SUPPLY CHAIN How.trust simplifies the validation of trusted supply partners Author: Gunter Ollmann, CTO INTRODUCTION In today s highly competitive business world the speed at

More information

White Paper. Understanding NIST 800 37 FISMA Requirements

White Paper. Understanding NIST 800 37 FISMA Requirements White Paper Understanding NIST 800 37 FISMA Requirements Contents Overview... 3 I. The Role of NIST in FISMA Compliance... 3 II. NIST Risk Management Framework for FISMA... 4 III. Application Security

More information

Moving your enterprise systems to the cloud? What do you need to know to manage the risks? Jamie Levitt, Director

Moving your enterprise systems to the cloud? What do you need to know to manage the risks? Jamie Levitt, Director www.pwc.com Moving your enterprise systems to the cloud? What do you need to know to manage the risks? November 2015 Jamie Levitt, Director Disclaimer Certain matters reviewed today may represent services

More information

PACB One-Day Cybersecurity Workshop

PACB One-Day Cybersecurity Workshop PACB One-Day Cybersecurity Workshop WHAT IS CYBERSECURITY? PRESENTED BY: JON WALDMAN, SBS CISA, CRISC 1 Contact Information Jon Waldman Partner, Senior IS Consultant CISA, CRISC Masters of Info Assurance

More information

Information Security for the Rest of Us

Information Security for the Rest of Us Secure Your Way Forward. AuditWest.com Information Security for the Rest of Us Practical Advice for Small Businesses Brian Morkert President and Chief Consultant 1 Introduction President Audit West IT

More information

The silver lining: Getting value and mitigating risk in cloud computing

The silver lining: Getting value and mitigating risk in cloud computing The silver lining: Getting value and mitigating risk in cloud computing Frequently asked questions The cloud is here to stay. And given its decreased costs and increased business agility, organizations

More information

Cloud Computing What Auditors need to know

Cloud Computing What Auditors need to know Cloud Computing What Auditors need to know This presentation is provided solely for educational purposes and, in developing and presenting these materials, Deloitte is not providing accounting, business,

More information
2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback | Do Not Sell My Personal Information