DUE DILIGENCE Designing and Implementing a Three-Step Cybersecurity Framework for Assessing and Vetting Third Parties (Part One of Two)
By Amy Terry Sheehan

Vendors and other third parties are vital to most businesses, but they can leave a company dangerously vulnerable to a breach of its data or network. As the Target breach demonstrated, even a non-IT vendor can cause widespread damage. Properly vetting third parties remains one of the most challenging aspects of cybersecurity programs. In order to allocate due diligence resources appropriately, companies must first assess potential third parties to determine which of them present low, medium or high levels of cybersecurity risk, and then conduct the corresponding level of diligence.

This article, the first in our series, provides a framework for companies to (1) categorize potential vendors based on risk, including specific questions to ask; and (2) conduct initial due diligence on vendors that present a medium or high level of risk. Part Two will address the third step: deeper due diligence for high-risk vendors.

The Weak Link in Cybersecurity

To truly secure a company's sensitive data and networked systems, companies must have a thorough and thoughtful process in place for selecting responsible and reliable third-party vendors. "Making a decision regarding a third-party vendor driven by pure business considerations without factoring in the security considerations is a common mistake," David Fagan, a partner at Covington & Burling, said.

"Regulators, enforcers, plaintiffs' lawyers are all looking to vendors as a recurring weak link in data security," Alan Raul, a partner at Sidley Austin, said. "Even if they are not the weak link, it's incumbent upon the company to confirm the vendor is at least as secure as any other component of the computing architecture."

Companies should not treat every vendor the same, said Andrew Serwin, a partner at Morrison & Foerster. A vendor who gets little to no personal information or who does not have broad access to the company's systems has a far different risk profile than a vendor who gets sensitive personally identifiable information (PII) or personal health information (PHI) or has network access, he said. Taking a one-size-fits-all approach to due diligence is a mistake, Serwin said. Companies should approach third-party due diligence in segments or "buckets."

Step One: Preliminary Risk Assessment

Determining whether the vendor belongs in the low-, medium- or high-risk category will in turn trigger the appropriate level of due diligence. For certain vendors, no specific due diligence on this issue is required. For others, the first step will require a series of questions and requests for documentation. And the riskiest relationships will require additional, deeper due diligence.

"Companies should have a process in place to categorize vendors in terms of levels of risk and then they should apply assessment from that basis," Fagan said. "The first step should be to assign a risk classification to them. And that should track to what kind of assessment you provide."

Through the preliminary risk assessment, companies can group third parties into at least three categories:

1. Vendors that present no data or cybersecurity risk and therefore warrant little to no related due diligence;
2. Vendors that present some risk and require initial questioning, the results of which may be sufficient or may lead to deeper diligence; and
3. The riskiest relationships, which require deep cybersecurity diligence, possibly including a third-party assessment or a boots-on-the-ground examination.

Data Classification

One element of the preliminary risk assessment involves determining the type of data the potential vendor will have. Sensitivity of information is a key factor in determining the vendor's risk level. Sensitive data consists of proprietary and confidential business information in addition to individual customer and/or employee information. Companies should ask themselves detailed questions regarding the data that will be shared with a potential third party, such as:

- What data would the vendor have access to?
- What is the volume of that data?
- Is the data sensitive and/or non-public?
- Does the data include private employee information (e.g., social security numbers or dates of birth)?
- Does the data contain private customer information (social security numbers, bank account numbers or credit card numbers)?
- Does the data include proprietary business data, confidential information or trade secrets (e.g., a law firm or cloud vendor)?
- Is the data regulated (e.g., PHI)?
- Is the data subject to contractual obligations?
- Does the data include any other sensitive information?

"Sensitive personal information about a company's customers or employees creates the potential for significant harm to its reputation in the event that the vendor fails to adequately protect the information," Richard Harris, a partner at Day Pitney, stated. Examples of sensitive customer information include non-public information such as social security numbers, bank account numbers, dates of birth and credit card numbers. "Companies should be thinking about whether that vendor has appropriate data protection programs in place sufficient and appropriate for the type of information being entrusted to them," he said.

Network Access

In addition to thinking about data, companies must ask central cybersecurity questions to determine what level of diligence to conduct with a potential vendor, such as:

- Would the potential vendor have access to the company's networked systems?
- What part(s) of the system would it have access to?
- How critical are those parts of the company's system?

"Any vendor that is going to have access to your data network should be considered a higher-risk vendor," Harris said. For example, non-IT vendors often have system access, such as the refrigeration, heating and air conditioning subcontractor that allegedly caused a system breach at Target. "I expect that nobody focused on the fact this subcontractor had access to a network that was interconnected with Target's payment system network," Harris said. For these types of high-risk vendors that connect to a company's network, the company should conduct a specific cybersecurity assessment, Fagan said.

Services

Companies should also consider what type of service the potential vendor would provide. Questions should include:

- What is the role of the vendor?
- Would it provide a critical function?
- What is the expected length of the relationship with this potential vendor?

"Depending on how critical they are to your operation, if the firm is not going to function without them being in place... then obviously a stronger and deeper diligence is warranted," Raj Bakhru, a partner at ACA Aponix, said.

Proactive Approach

Ideally, in addition to evaluating the risk of each vendor piecemeal as that relationship is considered, companies should step back and do a broader internal assessment of their own vulnerabilities and the third parties connected to those areas. The company can make this part of an overall information governance strategy where the company's own risk assessment and data mapping are taken into account "from the get-go," Raul said.

A company should conduct "an internal risk assessment and inventory of their computer systems and information databases," Raul said. "So in determining which of their vendors and service providers pose the greatest risks to them, they ought to know their internal risk points, potential vulnerabilities and data flows and then decide which of their service providers are implicated in those risk control points," he said. Examples of third parties that would be implicated through this method include cloud vendors, if the company is securing sensitive or proprietary information in the cloud, or a payroll processing vendor, if the company is outsourcing that HR function.

Step Two: First-Level Due Diligence for Medium- and High-Risk Third Parties

The first category of vendors, those that present no risk at all (such as an office supplies provider that does not receive data or connect to a network), should be chosen on the product and the price, Fagan said. However, the medium- and high-risk categories of vendors require initial due diligence as the next step. Any potential third party who will receive any kind of data or access should receive a questionnaire, a series of questionnaires or questions as part of a request for proposal.

In some instances, the responses to those initial questions will determine whether additional scrutiny is required or whether the company should walk away and fulfill its need for those goods or services another way. In other cases, satisfactory answers to the questionnaire with proper documentation will be sufficient to complete the diligence process.

Initial Questionnaire

The initial questionnaire should request the third party's relevant policies and procedures. "The first step is seeing what is on paper. You want to see if the company has the right policies and procedures in place," Serwin said. "It is certainly by no means the only step, but if the paper is not there it raises questions about the maturity of the program," he said.

The questions should be very specific about data security and information governance, Bakhru said. It is very hard for a third party to circumvent a specific question such as "Can your employees access external or file sharing sites?" whereas if you were to ask "Have you implemented data loss protection?" the answer will always be yes, he said.

Questions should include:

- Are there written information security plans and processes?
- Is there a written cybersecurity plan?
- Has there been a breach or other type of network compromise in the past five years? If so, what changes have been made?
- Has there been a third-party audit or certification of the vendor? If there has been an audit or certification, what standard was used?
- Where is data stored (which country, who controls it, what type of place)?
- Would data be segmented off from other companies' data?
- What principles are applied to the data for security (e.g., ISO 27001; NIST framework)?
- Does the vendor have cyber risk insurance?
- How does the vendor protect against insider risk? Do employees have direct access to data?
- Do the vendor's offices have badge-restricted access in place?
- How are personnel vetted? Does the third party perform background checks on employees who will have access to the company's data or system? If so, are checks regularly conducted before hiring?
- What is the vendor's incident response plan?
- Does the vendor conduct penetration testing?
- What are the qualifications of the personnel involved in cybersecurity?
- What training do relevant personnel receive?
- What is the vendor's program for sub-vendors?

In addition, companies should request all relevant supporting documentation, such as written plans, processes, audits, assessments and/or certifications.

Customized Questions

Additional questions should also be formulated based on the company's own practices. The company should try to verify that the vendor has similar security provisions to its own, Bakhru said. For example, if the vendor will have the ability to access the firm's network drives and the firm has blocked USB access, it is only sensible to ensure the vendor has blocked USB access as well. The FINRA Report on Cybersecurity Practices also recommends ensuring that the vendor's practices match the level of security in place at the company.

Questions can be formulated based on a company's own security policies. These may include, depending on the company's practices and the risk level of the vendor:

- What limits are placed on data access by vendor employees?
- What virus protection is in place?
- Is data encrypted while at rest and/or in transit?
- What subcontractor controls are in place?
- What system patch management is used to make code changes?
- Is ethical hacking used to discover potential vulnerabilities of systems?
- What change management processes are used?
- What program coding methodologies are used?
- What are the business recovery practices?

Regulated Data

Certain data is subject to regulation, and companies need to understand whether any of the information that is shared is subject to regulation, Harris said. Then, in order to comply with those regulations, the company must ensure the vendors treat that data in ways that comply with the relevant regulations. Certain industries need to pay particular attention to specific regulations, such as the government contractor/defense, financial, health, education, telecommunications and energy sectors. Relevant questions should be included when conducting vendor diligence.

Contractual Obligations

In addition, contracts govern the use of some data. "For example, a company that is sharing credit card information with a third party needs to apply the payment card industry data security standards [DSS]. That company, as a condition to its acceptance of credit cards, likely has promised to protect the data in accordance with DSS standards. It needs to pass that obligation onto any vendor that is going to be handling that information," Harris said. Specific questions to ensure the vendor meets those obligations should be added to the relevant questionnaire.

Core Cyber Assessment

According to Fagan, if somebody will be connecting directly into the network, a company should be doing more of a core cyber assessment than just data security. A company's procurements impact the integrity and reliability of its network and information, and therefore the company needs to assess the integrity and reliability of the vendor's product or service. For example, if the company is procuring IT equipment, the questionnaire should include questions such as:

- Where are you sourcing equipment from?
- Who has access to it?
- How do you screen them?
- How do you know when someone checks in?
- How is it tested?

Certain industries need to follow specific regulations to ensure their vendors meet the specifications, for example, financial institutions and the defense industry, Fagan said.

Resiliency

Particularly for long-term vendor relationships, companies should consider the size, sophistication and stability of vendors. Regardless of the risk, companies should assess the resiliency of the vendor, Serwin said. "The questions to ask are (1) are they going to be around long term to provide the service they are providing you? and (2) do they have the resources to adequately deal with cybersecurity or security issues and if something goes wrong do they have the ability to stand behind the promises they have made?" he said.

Next Steps for Medium- and High-Risk Third Parties

For some vendors, the relevant questions and a review of the relevant documents are sufficient and the relationship can move forward. However, if the answers require follow-up or more detailed responses, the next steps should include "further questioning in writing or conference calls to discuss the policies and how they work," Serwin said. Follow-up questions will depend on the initial answers. For example, after a company reviews the written policies, subsequent questions should address the procedures behind the written policies, how rigorously these policies are enforced and the consequences for a breach.

If the initial risk assessment indicated a high-risk status, or answers to further questions raised additional concerns, deeper due diligence is required. That may entail, in addition to further questioning in writing or on the phone, an independent evaluation and verification, checking references or sending a team to put boots on the ground for a firsthand examination. Part Two of the article series will explore deeper due diligence.

Flexibility

When examining vendors' policies and procedures, a company needs to have principles it is applying, while at the same time allowing for some flexibility "so that it can compete and make a decision where security is a factor but it's not the only factor," Fagan said. "For example, businesses cannot insist that every vendor across the board, regardless of the type of data that is going to be shared, needs to be certified. That is just not practical," he said.
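As an added example that is not part of the article, the following encodes the Step One triage criteria (data sensitivity, network access, service criticality) and the Step Two "customized questions" control-parity check as rules a procurement or security team could run over vendor intake answers. The tier names, field names, the 10,000-record volume threshold, the critical network zones, the company control baseline and the sample vendors are all assumptions constructed for the example.

```python
"""Vendor risk tiering (Step One) and control-parity check (Step Two).

Added example, not from the article. Field names, tier names, the record
volume threshold, critical zones and the control baseline are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum


class Tier(Enum):
    LOW = "low"        # category 1: choose on product and price
    MEDIUM = "medium"  # category 2: initial questionnaire, maybe more
    HIGH = "high"      # category 3: deep diligence (Part Two)


@dataclass
class VendorProfile:
    name: str
    # Data categories the vendor would hold, e.g. "pii", "phi", "pci",
    # "trade_secret", "internal". An empty set means no data is shared.
    data_categories: set[str] = field(default_factory=set)
    record_volume: int = 0           # number of records shared
    network_access: bool = False     # any connection into company systems
    network_zones: set[str] = field(default_factory=set)  # zones reachable
    critical_function: bool = False  # company cannot operate without it


SENSITIVE = {"pii", "phi", "pci", "trade_secret"}
REGULATED = {"phi", "pci"}            # regulated or contractually bound data
CRITICAL_ZONES = {"payment", "core"}  # assumption: zones that matter most
LARGE_VOLUME = 10_000                 # assumption: record-count threshold


def classify(v: VendorProfile) -> tuple[Tier, list[str]]:
    """Map a vendor profile to a risk tier and return the reasons."""
    if not v.data_categories and not v.network_access:
        return Tier.LOW, ["no data shared and no network access"]

    tier, reasons = Tier.MEDIUM, ["receives data or has access"]
    sensitive = v.data_categories & SENSITIVE
    regulated = v.data_categories & REGULATED
    # Each rule below is sufficient on its own to push the vendor to HIGH;
    # network access counts even when the vendor holds no data at all
    # (the non-IT subcontractor case the article describes).
    if v.network_access:
        zones = v.network_zones & CRITICAL_ZONES
        reasons.append("network access" + (f" reaching {sorted(zones)}" if zones else ""))
        tier = Tier.HIGH
    if regulated:
        reasons.append(f"regulated data: {sorted(regulated)}")
        tier = Tier.HIGH
    if sensitive and v.record_volume >= LARGE_VOLUME:
        reasons.append(f"{v.record_volume} sensitive records: {sorted(sensitive)}")
        tier = Tier.HIGH
    if v.critical_function:
        reasons.append("critical business function")
        tier = Tier.HIGH
    return tier, reasons


def diligence_steps(tier: Tier) -> list[str]:
    """Diligence the article prescribes for each tier."""
    steps = {
        Tier.LOW: ["select on product and price"],
        Tier.MEDIUM: ["initial questionnaire",
                      "collect policies, audits, certifications",
                      "follow-up questions or calls if answers need clarification"],
    }
    steps[Tier.HIGH] = steps[Tier.MEDIUM] + ["core cyber assessment if network-connected",
                                             "deeper diligence (independent verification)"]
    return steps[tier]


def control_gaps(company_controls: dict[str, bool],
                 vendor_answers: dict[str, bool]) -> dict[str, str]:
    """Customized questions: every control the company enforces must be confirmed
    by the vendor. A control absent from the answers is flagged as unanswered
    (the paper is not there); an explicit False is flagged as not implemented."""
    gaps = {}
    for control, enforced in company_controls.items():
        if not enforced:
            continue
        if control not in vendor_answers:
            gaps[control] = "unanswered"
        elif not vendor_answers[control]:
            gaps[control] = "not implemented"
    return gaps


# Constructed sample vendors and answers (not real companies).
OFFICE_SUPPLIES = VendorProfile("office supplies")
HVAC = VendorProfile("hvac contractor", network_access=True, network_zones={"hvac", "payment"})
SURVEY = VendorProfile("survey tool", data_categories={"internal"}, record_volume=200)
PAYROLL = VendorProfile("payroll processor", data_categories={"pii"}, record_volume=50_000)

COMPANY_CONTROLS = {"usb_blocked": True, "encryption_at_rest": True,
                    "file_sharing_sites_blocked": True, "guest_wifi": False}
HVAC_ANSWERS = {"usb_blocked": False, "encryption_at_rest": True}

if __name__ == "__main__":
    for v in (OFFICE_SUPPLIES, HVAC, SURVEY, PAYROLL):
        tier, why = classify(v)
        print(f"{v.name}: {tier.value} ({'; '.join(why)}) -> {diligence_steps(tier)}")
    print("hvac control gaps:", control_gaps(COMPANY_CONTROLS, HVAC_ANSWERS))
```

The HVAC vendor lands in the high tier on network access alone, despite holding no data, which is the precedence the Target example argues for.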
Cyber Security - What Would a Breach Really Mean for your Business? August 2014 v1.0 As the internet has become increasingly important across every aspect of business, the risks posed by breaches to cyber
More informationFive keys to a more secure data environment
Five keys to a more secure data environment A holistic approach to data infrastructure security Compliance professionals know better than anyone how compromised data can lead to financial and reputational
More informationThe silver lining: Getting value and mitigating risk in cloud computing
The silver lining: Getting value and mitigating risk in cloud computing Frequently asked questions The cloud is here to stay. And given its decreased costs and increased business agility, organizations
More informationHITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?
HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? Introduction This material is designed to answer some of the commonly asked questions by business associates and other organizations
More informationPII Compliance Guidelines
Personally Identifiable Information (PII): Individually identifiable information from or about an individual customer including, but not limited to: (a) a first and last name or first initial and last
More informationThe Changing IT Risk Landscape Understanding and managing existing and emerging risks
The Changing IT Risk Landscape Understanding and managing existing and emerging risks IIA @ Noon Kareem Sadek Senior Manager, Deloitte Canada Chris Close Senior Manager, Deloitte Canada December 2, 2015
More informationBy: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015
Community Bank Auditors Group Cybersecurity What you need to do now June 9, 2015 By: Gerald Gagne MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2015 Wolf & Company, P.C. Cybersecurity
More informationPROPOSED INTERPRETIVE NOTICE
August 28, 2015 Via Federal Express Mr. Christopher J. Kirkpatrick Secretary Office of the Secretariat Commodity Futures Trading Commission Three Lafayette Centre 1155 21st Street, N.W. Washington, DC
More informationData Breach Response Planning: Laying the Right Foundation
Data Breach Response Planning: Laying the Right Foundation September 16, 2015 Presented by Paige M. Boshell and Amy S. Leopard babc.com ALABAMA I DISTRICT OF COLUMBIA I FLORIDA I MISSISSIPPI I NORTH CAROLINA
More informationData Security Best Practices for In-House Counsel
Donna L. Wilson, Linda D. Kornfeld and Rebecca Perry Association of Corporate Counsel San Diego August 6, 2015 1 DONNA L. WILSON Tel: (310) 312-4144 Email: DLWilson@manatt.com Donna L. Wilson is co-chair
More informationWritten Information Security Programs: Compliance with the Massachusetts Data Security Regulation
View the online version at http://us.practicallaw.com/7-523-1520 Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation Melissa J. Krasnow, Dorsey & Whitney LLP
More informationAddress C-level Cybersecurity issues to enable and secure Digital transformation
Home Overview Challenges Global Resource Growth Impacting Industries Address C-level Cybersecurity issues to enable and secure Digital transformation We support cybersecurity transformations with assessments,
More informationHow do you give cybersecurity the highest priority in your organization? Cyber Protection & Resilience Solutions from CGI
How do you give cybersecurity the highest priority in your organization? Cyber Protection & Resilience Solutions from CGI CGI Cyber Protection & Resilience Solutions Optimized risk management and protection
More informationData Security Incident Response Plan. [Insert Organization Name]
Data Security Incident Response Plan Dated: [Month] & [Year] [Insert Organization Name] 1 Introduction Purpose This data security incident response plan provides the framework to respond to a security
More informationCONTROLLING DATA IN THE CLOUD: OUTSOURCING COMPUTATION WITHOUT OUTSOURCING CONTROL
CONTROLLING DATA IN THE CLOUD: OUTSOURCING COMPUTATION WITHOUT OUTSOURCING CONTROL Paper By: Chow, R; Golle, P; Jakobsson, M; Shai, E; Staddon, J From PARC & Masuoka, R And Mollina From Fujitsu Laboratories
More informationCLOUD COMPUTING ISSUES FOR SCHOOL DISTRICTS. Presented to the 2013 BRADLEY F. KIDDER LAW CONFERENCE. October 2, 2013
CLOUD COMPUTING ISSUES FOR SCHOOL DISTRICTS Presented to the 2013 BRADLEY F. KIDDER LAW CONFERENCE October 2, 2013 By: Diane M. Gorrow Soule, Leslie, Kidder, Sayward & Loughman, P.L.L.C. 220 Main Street
More informationCORE INSIGHT ENTERPRISE: CSO USE CASES FOR ENTERPRISE SECURITY TESTING AND MEASUREMENT
CORE INSIGHT ENTERPRISE: CSO USE CASES FOR ENTERPRISE SECURITY TESTING AND MEASUREMENT How advancements in automated security testing software empower organizations to continuously measure information
More informationWhy Lawyers? Why Now?
TODAY S PRESENTERS Why Lawyers? Why Now? New HIPAA regulations go into effect September 23, 2013 Expands HIPAA safeguarding and breach liabilities for business associates (BAs) Lawyer is considered a business
More informationCybersecurity@RTD Program Overview and 2015 Outlook
Cybersecurity@RTD Program Overview and 2015 Outlook Finance & Administration Committee Meeting February 10, 2015 Sheri Le, Manager of Cybersecurity RTD Information Technology Department of Finance & Administration
More informationDomain 1 The Process of Auditing Information Systems
Certified Information Systems Auditor (CISA ) Certification Course Description Our 5-day ISACA Certified Information Systems Auditor (CISA) training course equips information professionals with the knowledge
More informationPlan of Attack 5 Step Plan
Plan of Attack 5 Step Plan Naming those Digital Assets Practicing Digital Doomsday Training + Policies and Procedures Technology Tuning Security in the Supply Chain Next Steps Sample Plan 0 to 30 Days
More informationRisky Business. Is Your Cybersecurity in Cruise Control? ISACA Austin Chapter Meeting May 5, 2015
Risky Business Is Your Cybersecurity in Cruise Control? ISACA Austin Chapter Meeting May 5, 2015 What We ll Cover About Me Background The threat Risks to your organization What your organization can/should
More informationA Best Practice Guide
A Best Practice Guide Contents Introduction [2] The Benefits of Implementing a Privacy Management Programme [3] Developing a Comprehensive Privacy Management Programme [3] Part A Baseline Fundamentals
More informationData Centres North Data Centre Security is the tail wagging the dog? May 11-12 2015
Data Centres North Data Centre Security is the tail wagging the dog? May 11-12 2015 Mark Bailey - Partner charlesrussellspeechlys.com Introduction Why do data centres exist? process data? protect data?
More informationEffectively using SOC 1, SOC 2, and SOC 3 reports for increased assurance over outsourced operations. kpmg.com
Effectively using SOC 1, SOC 2, and SOC 3 reports for increased assurance over outsourced operations kpmg.com b Section or Brochure name Effectively using SOC 1, SOC 2, and SOC 3 reports for increased
More informationCloud Computing Risks & Reality. Sandra Liepkalns, CRISC sandra.liepkalns@netrus.com
Cloud Computing Risks & Reality Sandra Liepkalns, CRISC sandra.liepkalns@netrus.com What is Cloud Security The quality or state of being secure to be free from danger & minimize risk To be protected from
More informationVendor Management. Outsourcing Technology Services
Vendor Management Outsourcing Technology Services Objectives Board and Senior Management Responsibilities Risk Management Program Risk Assessment Service Provider Selection Contracts Ongoing Monitoring
More informationClick to edit Master title style
EVOLUTION OF CYBERSECURITY Click to edit Master title style IDENTIFYING BEST PRACTICES PHILIP DIEKHOFF, IT RISK SERVICES TECHNOLOGY THE DARK SIDE AGENDA Defining cybersecurity Assessing your cybersecurity
More informationHOSTING. Managed Security Solutions. Managed Security. ECSC Solutions
Managed Security Managed Security MANAGED SECURITY SOLUTIONS I would highly recommend for your company s network review... were by far the best company IT Manager, Credit Management Agency Presenting IT
More informationDefensible Strategy To. Cyber Incident Response
Cyber Incident Response Defensible Strategy To Cyber Incident Response Cyber Incident Response Plans Every company should develop a written plan (cyber incident response plan) that identifies cyber attack
More informationA Guide to Successfully Implementing the NIST Cybersecurity Framework. Jerry Beasley CISM and TraceSecurity Information Security Analyst
TRACESECURITY WHITE PAPER GRC Simplified... Finally. A Guide to Successfully Implementing the NIST Cybersecurity Framework Jerry Beasley CISM and TraceSecurity Information Security Analyst TRACESECURITY
More informationFINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information
FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1
More informationAdministrative Procedures Memorandum A1452
Page 1 of 11 Date of Issue February 2, 2010 Original Date of Issue Subject References February 2, 2010 PRIVACY BREACH PROTOCOL Policy 2197 Management of Personal Information APM 1450 Management of Personal
More informationNATIONAL CYBER SECURITY AWARENESS MONTH
NATIONAL CYBER SECURITY AWARENESS MONTH Tip 1: Security is everyone s responsibility. Develop an awareness framework that challenges, educates and empowers your customers and employees to be part of the
More informationBEST PRACTICES IN CYBER SUPPLY CHAIN RISK MANAGEMENT
BEST PRACTICES IN CYBER SUPPLY CHAIN RISK MANAGEMENT Exelon Corporation Cybersecurity Supply Chain Risk Management INTERVIEWS Spencer Wilcox Managing Security Strategist and Special Assistant to the Chief
More informationCloud Security: Getting It Right
Cloud Security: Getting It Right Sponsored by Armor Independently conducted by Ponemon Institute LLC Publication Date: October 2015 Ponemon Institute Research Report Cloud Security: Getting It Right Ponemon
More informationUMHLABUYALINGANA MUNICIPALITY PATCH MANAGEMENT POLICY/PROCEDURE
UMHLABUYALINGANA MUNICIPALITY PATCH MANAGEMENT POLICY/PROCEDURE Originator Patch Management Policy Approval and Version Control Approval Process: Position or Meeting Number: Date: Recommended by Director
More information