Practical Vendor Management to Minimize Compliance Risks November 12, 2015
|
|
- Jeffry Fisher
- 8 years ago
- Views:
Transcription
1 Practical Vendor Management to Minimize Compliance Risks November 12, 2015 v 1
2 Today s Speakers Ray Everett Principal Consultant & Director Product Management TRUSTe Charlie Miller SVP Shared Assessments 2
3 Agenda Welcome Introduction to Shared Assessments 2015 Vendor Risk Management Benchmark Study Current Privacy Best Practice for Managing Vendors Next Steps: Collaborative Onsite Assessments Q&A LIVE DEMO: Vendor Management Assessments 3
4 The Shared Assessments Program Charlie Miller, SVP, Shared Assessments v 4
5 The Shared Assessments Program Setting the standard in U.S. vendor risk assurance since 2005, now expanding internationally Created by leading financial institutions, the Big 4 accounting firms, and key service providers to: Standardize an objective framework for outsourcers to gather service provider information through a repeatable and consistent evaluation process Raise the bar on third party risk management by creating a comprehensive onsite security evaluation process, regardless of who performs the assessment (CPA, independent assessment firm, internal assessor) Ensure a means for keeping current with the latest regulations, standards and new risk control areas Create efficiencies and reduce costs for all stakeholders 5
6 The Shared Assessments Program Tools TRUST Standardized Information Gathering (SIG) Questionnaire-Based Procedure Developed using ISO 27001/2 for the framework methodology Standards correspond to ISO, PCI-DSS, HIPAA/HITECH, COBIT, NIST CSF and FFIEC guidance (Appendix J) Aligns with OCC Provides a complete picture of service provider controls Scoring capability for response analysis and reporting Developed to be a standardized and repeatable process VERIFY Agreed Upon Procedures (AUP) Onsite Assessment Testing Procedures Shared Assessments AUP provides objective, robust, repeatable and consistent procedures to evaluate key controls Factual-based reporting which does not provide an opinion Objective test of controls, validation of vendor self-assessment(s) and report of results Companies view results in the context of their unique vendor risk management requirements 6
7 2015 Vendor Risk Management Benchmark Study Charlie Miller, SVP, Shared Assessments v 7
8 2015 Benchmark Study Remarks Surging volume of outsourced products and services = greater risks associated with vendors and third-party providers. Not only in highly regulated industries (financial services, healthcare), but in any organization relying on third parties to manage critical operations and processes. Greater urgency today recent massive and highly publicized security breaches at several large companies, resulting in public and regulatory scrutiny. Understanding vendor risk management best practices until recently has been difficult. 8
9 Average Results by Respondent Role Maturity Levels 5 = Continuous improvement benchmarking, moving to best practices 4 = Fully implemented and operational 3 = Fully defined and established 2 = Determine roadmap to achieve goals 1 = Initial visioning 0 = Do not perform Category C-Level Execs Directors Managers 1 Program Governance Policies, Standards, Procedures Contracts Vendor Risk Identification and Analysis Skills and Expertise Communication and Information Sharing Tools, Measurement and Analysis Monitoring and Review Average
10 Benchmark Study Final Thoughts Third party security goal posts seem to be moving as risk scope becomes more apparent shell shock for some organizations. Increased management understanding of the size of incremental resources required to better manage increased third party risk has led to reassessment of current organizational capabilities important survey lens. That lens has tempered survey self-assessment results. Of eight survey categories, four were flat compared to last year s results and four showed very slight declines. Resource inadequacy was consistently identified as a major concern (five questions touched on it), but well designed vendor risk programs will respond to the right types of investment. 10
11 Survey Background Shared Assessments partnered with Protiviti to conduct the 2015 Vendor Risk Management Benchmark Study based on the VRMMM Conducted online in Q and Q More than 450 participants 24% of organizations - $10 billion or more in assets/annual revenues Notable industries represented: Financial Services (42%) Insurance (10%) Healthcare (6%) Notable positions represented C-suite (25%) Internal/IT Audit Manager (25%) ORM (20%) Internal/IT Audit VP/Director (10%) IT Manager (7%) IT VP/Director (4%) 11
12 Current Privacy Best Practice for Managing Vendors Ray Everett, Principal Consultant & Director Product Management, TRUSTe v 12
13 Vendor Risk Assessment in Privacy Goals Identify nature of the risks posed Evaluate ability of vendor to mitigate those risks Assess impact of unmitigated risks Monitor risks that cannot be eliminated Enable decision making re accepting those risks and impacts Know your business requirements Know your data flows Know your relationships Know your risk tolerance 13
14 Conducting Vendor Risk Assessments Initial assessment Ongoing assessment cadence Incident-based assessment Calibrating and categorization Core Customer-facing Customer data Back office Non-essential Responsibility and ownership 14
15 Notable FTC Actions in Indirect Liability GMR Transcription (Aug 2014) Relied on service providers and independent typists to process medical records Credit Karma (Aug 2014) Mobile app developer failed to implement required encryption protections but FTC alleged company failed to verify functionality before launch Take-aways: Exercise due diligence before hiring 3 rd party data service providers Have appropriate contractual protections Take steps to verify adherence to policies/requirements 15
16 Next Steps: Collaborative Onsite Assessments Charlie Miller, SVP, Shared Assessments v 16
17 Collaborative Onsite Assessments Introduction Q: How do we achieve standardization, efficiencies and cost savings in the third party risk assessment process? A: By agreeing that third party risk management is not a competitive issue. Collective Intelligence + Industry Standard Improved Risk Assessment Process 17
18 The Environment Dependence on outsourcing critical services increases inherent risk Numerous and overlapping regulatory requirements and heightened expectation on assurance, including increased transparency regarding cybersecurity practices Boards and senior management involvement in the risk reporting process Proprietary methods for information gathering and assessments are inefficient, costly and lack standardization Risk areas continue to evolve and expand Threats are becoming increasingly more sophisticated 18
19 What Constitutes a Robust Vendor Management Program? Evaluate, track, and measure third party risk over a number of domain areas It must align, such as software application security, cloud, mobile, resiliency, privacy, access control, physical security Comply to regulations, standards, and guidelines Consistent, robust, and repeatable process Monitor throughout the vendor management lifecycle 19
20 The Problem Lack of standardized risk assessment processes by outsourcers Each outsourcer performing similar due diligence activities Varying interpretation of regulations and differing risk appetites Regulators historically reluctant to commit to a standardized approach Service providers resources strained by outsourcers Need to respond to diverse client information requests Time and resource intensive onsite visits 20
21 The Solution The Collaborative Onsite Assessment Top-tier US-based financial institutions risk managers working collaboratively to improve the third party risk environment Leverage the collective intelligence to improve current standards for IT, privacy, business resiliency and data security controls Shared Assessments Agreed Upon Procedures (AUP) Service Organization Control (SOC) 2 NIST Cyber Security Framework Utilize industry associations to foster collaboration and provide project management Shared Assessments Program Securities Industry and Financial Markets Association (SIFMA) 21
22 Project Goals Creating Efficiencies Collaborate on Onsite Assessments of Key Third Parties To the extent that common services are offered to multiple organizations in the financial services industry, evaluate the associated risk in a consistent, uniform manner Leverage the Shared Assessments Agreed Upon Procedures (AUP), standardized testing procedures for onsite assessments, as the common risk assessment methodology Reduce the time and expense of conducting multiple onsite vendor assessments Ensure a standardized, robust, consistent, and repeatable evaluation of a vendor s risk posture Share the Assessment report with multiple clients 22
23 Project Goals Improve the Framework Top tier financial institutions worked collaboratively to develop: A Superset Shared Assessments AUP framework for onsite assessments Development of a SOC 2 Plus (SIFMA) Both projects hold the same common goals the development of a more robust and scalable risk assessment process that injects speed, efficiency and cost savings into the third party risk assessment process 23
24 Project Pilot Collaborative Onsite Assessments Performed Participants piloted the process of working collaboratively to assess key third parties for whom they share common shared services: Pilot 1: Iron Mountain + 3 financial institutions Pilot 2: Early Warning Services, LLC + 5 financial institutions Pilot 3: Small Business Financial Exchange (SBFE) Superset AUP now meets all internal corporate requirements for many U.S. financial institutions, including key pilot participants: JPMorgan Chase, Citigroup, Capital One, US Bank, Morgan Stanley, Northern Trust 24
25 Benefits Summary Increased rigor, consistency, efficiency and cost savings in the control assessment process for both the outsourcing organizations and the service provider Larger Tier 1 and 2 service providers would benefit most immediately from participating in collaborative assessments For mid- and small size institutions who cannot necessarily dedicate a high level of resources to meet the changing regulatory and evolving risk environment, there exist tangible cost savings and personnel efficiencies benefits through use of a standardized, consistent, repeatable tool More robust control sets developed through collective intelligence and expected to drive improvements in service provider programs 25
26 Continuous Efforts and Improvements Next Steps: Ongoing development and refinement of the Superset AUP to ensure additional robustness by expanding the collective intelligence to include additional financial institutions Develop and broaden the collaborative onsite assessment program including project management services Release the enhanced Superset AUP Program Tool Promote adoption of the Program s Superset AUP as a best practice standard for each industry or sector as they are developed 26
27 Apply What You Heard Today Understand that third party management is not a competitive issue Form cooperative relationships and open the lines of communication with your counterparts at other organizations Get involved in industry associations and public-private partnerships Adopt a standardized framework to keep current with new regulatory requirements and changing risk control areas Outsourcers: Consider working collaboratively with other companies to perform collaborative onsite assessments Service Providers: Understand what organizations share common services and encourage them to perform a collaborative onsite assessment 27
28 Questions? v 28
29 Contacts Ray Everett TRUSTe Charlie Miller, CIPP CTPRP The Santa Fe Group v 29
30 Appendix The Shared Assessments Program Tool Alignment to Standards and Regulations Charlie Miller, SVP, Shared Assessments v 30
31 Shared Assessments Program Tool Alignment US Regulations, Standards & Guidelines Financial Services Regulatory Guidances and Standards FFIEC Appendix J OCC ; Merchant Processing Handbook Healthcare Regulatory Guidances and Standards HIPAA Incident Response Reporting Procedures Governmental Guidances & Standards (All Industries) NIST Cyber Security Framework (CSF); Computer Security Incident Handling Guide (NIST.SP r2) Title 21 of the Code of Federal Regulations (CFR) Part 11 Section 11.1 (a) 31
32 Shared Assessments Program Tool Alignment US Regulations, Standards & Guidelines Governmental Guidance & Standards (Federal and/or State Agencies) DOJ Breach Procedures US CERT Federal Incident Notification Guidelines US-Based National Standards AICPA Incident Response Procedures COBIT US-Based International Standards Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) ISO 27001, PCI-DSS v Privacy Insight Series 32
33 Shared Assessments Program Tool Alignment EU Regulations, Standards & Guidelines UK Cyber Essentials Scheme EU Data Protection Directive 33
34 International Regulations & Standards Under Development Asia Pacific Japan (APJ) Asia-Pacific Economic Cooperation (APEC) Association of Banks in Singapore Outsourced Service Provider (OSP) Standardized Guidelines Australian Prudential Regulatory Authority (APRA) Hong Kong Monetary Authority (HKMA) Monitory Authority of Singapore (MAS) Europe EU European Central Bank (ECB) Europe Germany Bundesbank/Central Bank of Germany (BuBA) German Federal Financial Supervisory Authority (BaFIN) v Privacy Insight Series 34
35 International Regulations & Standards Under Development Europe Luxembourg Commission de Surveillance du Secteur Financier (CSSF) Europe Switzerland Financial Market Supervision Act (FINMA) Europe UK Financial Conduct Authority (FCA) Financial Services Authority (FSA) Prudential Regulation Authority (PRA) Rulebook 35
36 Thank You! Don t miss the next webinar in the Series Solutions for Cross-Border Data Transfers: APEC CBPRs, BCRs and Global Interoperability on December 9th See for details of future webinars and recordings. v 36
Shared Assessments Program Case Study
Shared Assessments Program Case Study A Collaborative Approach to Onsite Assessments Using the Shared Assessments AUP, the Standardized Testing Procedures for Onsite Assessments April 2015 Background About
More information2014 Vendor Risk Management Benchmark Study
2014 Vendor Risk Management Benchmark Study Introduction/Executive Summary You can have all the security in the world inside your company s four walls, but all it takes is a compromise at one third-party
More informationFFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors
Overview for Chief Executive Officers and Boards of Directors In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council 1 (FFIEC) developed
More informationGlobal Statement of Business Continuity
Business Continuity Management Version 1.0-2014 Date October 18, 2014 Status Author Business Continuity Management (BCM) Page 1 of 8 Table of Contents 1. Credit Suisse Business Continuity Statement 3 2.
More informationHITRUST CSF Assurance Program
HITRUST CSF Assurance Program Simplifying the information protection of healthcare data 1 May 2015 2015 HITRUST LLC, Frisco, TX. All Rights Reserved Table of Contents Background CSF Assurance Program Overview
More informationThird-Party Cybersecurity and Data Loss Prevention
Third-Party Cybersecurity and Data Loss Prevention SESSION ID: DSP-W04A Brad Keller Sr. Vice President Santa Fe Group Jonathan Dambrot, CISSP CEO, Co-Founder Prevalent Networks 3rd Party Risk Management
More informationIdentifying and Managing Third Party Data Security Risk
Identifying and Managing Third Party Data Security Risk Legal Counsel to the Financial Services Industry Digital Commerce & Payments Series Webinar April 29, 2015 1 Introduction & Overview Today s discussion:
More informationPrivacy and Data Protection
Hewlett-Packard Company 3000 Hanover Street Palo Alto, CA 94304 hp.com HP Policy Position Privacy and Data Protection Current Global State of Privacy and Data Protection The rapid expansion and pervasiveness
More informationA Flexible and Comprehensive Approach to a Cloud Compliance Program
A Flexible and Comprehensive Approach to a Cloud Compliance Program Stuart Aston Microsoft UK Session ID: SPO-201 Session Classification: General Interest Compliance in the cloud Transparency Responsibility
More informationWhite Paper on Financial Industry Regulatory Climate
White Paper on Financial Industry Regulatory Climate According to a 2014 report on threats to the financial services sector, 45% of financial services organizations polled had suffered economic crime during
More informationWorking Group on. First Working Group Meeting 29.5.2012
Working Group on Cloud Security and Privacy (WGCSP) First Working Group Meeting 29.5.2012 1 Review of fexisting i Standards d and Best Practices on Cloud Security Security Standards and Status List of
More informationCYBERSECURITY IN FINANCIAL SERVICES POINT OF VIEW CHALLENGE 1 REGULATORY COMPLIANCE ACROSS GEOGRAPHIES
POINT OF VIEW CYBERSECURITY IN FINANCIAL SERVICES Financial services institutions are globally challenged to keep pace with changing and covert cybersecurity threats while relying on traditional response
More informationThe Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant
THE MARKET LEADER IN IT, SECURITY AND COMPLIANCE SERVICES FOR COMMUNITY FINANCIAL INSTITUTIONS The Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant Agenda
More informationHow to ensure control and security when moving to SaaS/cloud applications
How to ensure control and security when moving to SaaS/cloud applications Stéphane Hurtaud Partner Information & Technology Risk Deloitte Laurent de la Vaissière Directeur Information & Technology Risk
More information2015 Vendor Risk Management Benchmark Study. The Shared Assessments Program and Protiviti Examine the Maturity of Vendor Risk Management
2015 Vendor Risk Management Benchmark Study The Shared Assessments Program and Protiviti Examine the Maturity of Vendor Risk Management INTRODUCTION/EXECUTIVE SUMMARY MANY ORGANIZATIONS ARE NOT PREPARED
More informationwww.pwc.com The data breach lifecycle: From prevention to response IAPP global privacy summit March 6, 2014 (4:30-5:30) Draft v8 2-25-14
www.pwc.com The data breach lifecycle: From prevention to response IAPP global privacy summit (4:30-5:30) Draft v8 2-25-14 Common Myths 1. You have not been hacked. 2. Cyber security is about keeping the
More informationCloud Security Benchmark: Top 10 Cloud Service Providers Appendix A E January 5, 2015
Cloud Security Benchmark: Top 10 Cloud Service Providers Appendix A E January 5, 2015 2015 CloudeAssurance Page 1 Table of Contents Copyright and Disclaimer... 3 Appendix A: Introduction... 4 Appendix
More informationVendor Risk Management Financial Organizations
Webinar Series Vendor Risk Management Financial Organizations Bob Justus Chief Security Officer Allgress Randy Potts Managing Consultant FishNet Security Bob Justus Chief Security Officer, Allgress Current
More informationFFIEC Cybersecurity Assessment Tool
Overview In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council 1 (FFIEC) developed the Cybersecurity Tool (), on behalf of its members,
More informationEd McMurray, CISA, CISSP, CTGA CoNetrix
Ed McMurray, CISA, CISSP, CTGA CoNetrix AGENDA Introduction Cybersecurity Recent News Regulatory Statements NIST Cybersecurity Framework FFIEC Cybersecurity Assessment Questions Information Security Stats
More informationLogging In: Auditing Cybersecurity in an Unsecure World
About This Course Logging In: Auditing Cybersecurity in an Unsecure World Course Description $5.4 million that s the average cost of a data breach to a U.S.-based company. It s no surprise, then, that
More informationIT AUDIT WHO WE ARE. Current Trends and Top Risks of 2015 10/9/2015. Eric Vyverberg. Randy Armknecht. David Kupinski
IT AUDIT Current Trends and Top Risks of 2015 2 02 Eric Vyverberg WHO WE ARE David Kupinski Randy Armknecht Associate Director Internal Audit Protiviti 317.510.4661 eric.vyverberg@protiviti.com Managing
More informationUsing AWS in the context of Australian Privacy Considerations October 2015
Using AWS in the context of Australian Privacy Considerations October 2015 (Please consult https://aws.amazon.com/compliance/aws-whitepapers/for the latest version of this paper) Page 1 of 13 Overview
More informationCYBER AND PRIVACY INSURANCE: LOSS MITIGATION SERVICES
CYBER AND PRIVACY INSURANCE: LOSS MITIGATION SERVICES How can you better prepare and respond to cyber risks? ACE developed Loss Mitigation Services to help policyholders understand and gauge various areas
More informationWhite Paper on Financial Institution Vendor Management
White Paper on Financial Institution Vendor Management Virtually every organization in the modern economy relies to some extent on third-party vendors that facilitate business operations in a wide variety
More informationCloud Computing Risks in Financial Services Companies: How Attorneys Can Best Help In An Increasingly SaaS-ified World
Cloud Computing Risks in Financial Services Companies: How Attorneys Can Best Help In An Increasingly SaaS-ified World July 30, 2015 Sutherland Webinar Michael Steinig 202.383.0804 Michael.Steinig@sutherland.com
More informationInformation Security ISO Standards. Feb 11, 2015. Glen Bruce Director, Enterprise Risk Security & Privacy
Information Security ISO Standards Feb 11, 2015 Glen Bruce Director, Enterprise Risk Security & Privacy Agenda 1. Introduction Information security risks and requirements 2. Information Security Management
More informationCloud Security Benchmark Webinar. January 7, 2015 11:00 AM ET
Cloud Security Benchmark Webinar Top 10 Cloud Service Providers: Q4 2014 January 7, 2015 11:00 AM ET Disclaimer NO WARRANTY. CloudeAssurance makes this presentahon available AS- IS, and makes no warranty
More informationNIST Cybersecurity Framework & A Tale of Two Criticalities
NIST Cybersecurity Framework & A Tale of Two Criticalities Vendor Management & Incident Response Presented by: John H Rogers, CISSP Advisory Services Practice Manager john.rogers@sagedatasecurity.com Presented
More informationWHITE PAPER THIRD PARTY MANAGEMENT: FUNDAMENTALS
THIRD PARTY MANAGEMENT: FUNDAMENTALS by Linda Tuck Chapman Sponsored by Third Party Management Fundamentals Third Party Management isn t new, but its importance is growing in every industry and the financial
More informationProtec'ng Data and Privacy in a World of Clouds and Third Par'es Vincent Campitelli
Protec'ng Data and Privacy in a World of Clouds and Third Par'es Vincent Campitelli Vice President, IT Risk Management McKesson Corpora-on What is Your Business Model? Economic Moats In business, I look
More informationVendor Management Panel Discussion. Managing 3 rd Party Risk
Vendor Management Panel Discussion Managing 3 rd Party Risk Vendor Risk at its Finest Vendor Risk at its Finest CVS Care Mark Corporation announced that it had mistakenly sent letters to approximately
More informationInformation Security, Privacy and Compliance Convergence
Information Security, Privacy and Compliance Convergence Rebecca Herold, CIPP, CISSP, CISM, CISA, FLMI Rebecca Herold & Associates, LLC April 2009 Agenda Information lifecycles Security and privacy challenges
More informationInformation Security Management System for Microsoft s Cloud Infrastructure
Information Security Management System for Microsoft s Cloud Infrastructure Online Services Security and Compliance Executive summary Contents Executive summary 1 Information Security Management System
More informationHITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?
HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? Introduction This material is designed to answer some of the commonly asked questions by business associates and other organizations
More informationAddress C-level Cybersecurity issues to enable and secure Digital transformation
Home Overview Challenges Global Resource Growth Impacting Industries Address C-level Cybersecurity issues to enable and secure Digital transformation We support cybersecurity transformations with assessments,
More informationSecurity & IT Governance: Strategies to Building a Sustainable Model for Your Organization
Security & IT Governance: Strategies to Building a Sustainable Model for Your Organization Outside View of Increased Regulatory Requirements Regulatory compliance is often seen as sand in the gears requirements
More informationInformation Technology
Information Technology Information Technology Session Structure Board of director actions Significant and emerging IT risks Practical questions Resources Compensating Controls at the Directorate Level
More informationPACB One-Day Cybersecurity Workshop
PACB One-Day Cybersecurity Workshop WHAT IS CYBERSECURITY? PRESENTED BY: JON WALDMAN, SBS CISA, CRISC 1 Contact Information Jon Waldman Partner, Senior IS Consultant CISA, CRISC Masters of Info Assurance
More informationCORL Dodging Breaches from Dodgy Vendors
CORL Dodging Breaches from Dodgy Vendors Tackling Vendor Security Risk Management in Healthcare Introductions Cliff Baker 20 Years of Healthcare Security experience PricewaterhouseCoopers, HITRUST, Meditology
More informationCyber Risks in the Boardroom
Cyber Risks in the Boardroom Managing Business, Legal and Reputational Risks Perspectives for Directors and Executive Officers Preparing Your Company to Identify, Mitigate and Respond to Risks in a Changing
More informationRisk Management: IT Vendor Management and Outsourcing
www.pwc.com Risk Management: IT Vendor Management and Outsourcing Definitions Third Party is any entity not under direct business control of a given organization. Many people equate third parties with
More informationKLC Consulting, Inc. All Rights Reserved. 1 THIRD PARTY (VENDOR) SECURITY RISK MANAGEMENT
1 THIRD PARTY (VENDOR) SECURITY RISK MANAGEMENT About Kyle Lai 2 Kyle Lai, CIPP/G/US, CISSP, CISA, CSSLP, BSI Cert. ISO 27001 LA President of KLC Consulting, Inc. Over 20 years in IT and Security Security
More informationHIPAA and HITRUST - FAQ
A COALFIRE WHITE PAPER HIPAA and HITRUST - FAQ by Andrew Hicks, MBA, CISA, CCM, CRISC, HITRUST CSF Practitioner Director, Healthcare Practice Lead Coalfire February 2013 Introduction Organizations are
More informationCloud Channel Summit 2015 @rhipecloud #RCCS15
Cloud Channel Summit 2015 @rhipecloud #RCCS15 About the Cloud Security Alliance Global, not-for-profit organisation 300 member driven organization with over 56,000 individual members in 65 chapters worldwide
More informationIT Cloud / Data Security Vendor Risk Management Associated with Data Security. September 9, 2014
IT Cloud / Data Security Vendor Risk Management Associated with Data Security September 9, 2014 Speakers Brian Thomas, CISA, CISSP In charge of Weaver s IT Advisory Services, broad focus on IT risk, security
More informationFEDERAL HOUSING FINANCE AGENCY ADVISORY BULLETIN AB 2014-05. Cyber Risk Management Guidance. Purpose
FEDERAL HOUSING FINANCE AGENCY ADVISORY BULLETIN AB 2014-05 Cyber Risk Management Guidance Purpose This advisory bulletin provides Federal Housing Finance Agency (FHFA) guidance on cyber risk management.
More informationTen Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder
Ten Questions Your Board Should be asking about Cyber Security Eric M. Wright, Shareholder Eric Wright, CPA, CITP Started my career with Schneider Downs in 1983. Responsible for all IT audit and system
More informationDeveloping National Frameworks & Engaging the Private Sector
www.pwc.com Developing National Frameworks & Engaging the Private Sector Focus on Information/Cyber Security Risk Management American Red Cross Disaster Preparedness Summit Chicago, IL September 19, 2012
More informationFINRA Publishes its 2015 Report on Cybersecurity Practices
Securities Litigation & Enforcement Client Service Group and Data Privacy & Security Team To: Our Clients and Friends February 12, 2015 FINRA Publishes its 2015 Report on Cybersecurity Practices On February
More informationCloud Computing An Auditor s Perspective
Cloud Computing An Auditor s Perspective Sailesh Gadia, CPA, CISA, CIPP sgadia@kpmg.com December 9, 2010 Discussion Agenda Introduction to cloud computing Types of cloud services Benefits, challenges,
More informationThe Cloud Security Alliance
The Cloud Security Alliance Daniele Catteddu, Managing Director EMEA & OCF-STAR Program Director Cloud Security Alliance ABOUT THE CLOUD SECURITY ALLIANCE To promote the use of best practices for providing
More informationMicrosoft s Compliance Framework for Online Services
Microsoft s Compliance Framework for Online Services Online Services Security and Compliance Executive summary Contents Executive summary 1 The changing landscape for online services compliance 4 How Microsoft
More informationFrequently Asked Questions about the HITRUST Risk Management Framework
Frequently Asked Questions about the HITRUST Risk Management Framework Addressing common questions and misconceptions about the HITRUST CSF, CSF Assurance Program and supporting methods and tools, and
More informationThe NIST Cybersecurity Framework
View the online version at http://us.practicallaw.com/5-599-6825 The NIST Cybersecurity Framework RICHARD RAYSMAN, HOLLAND & KNIGHT LLP AND JOHN ROGERS, BOOZ ALLEN HAMILTON A Practice Note discussing the
More informationProposed guidance for firms outsourcing to the cloud and other third-party IT services
Guidance consultation 15/6 Proposed guidance for firms outsourcing to the cloud and other third-party IT services November 2015 1. Introduction and consultation 1.1 The purpose of this draft guidance is
More informationICBA Summary of FFIEC Cybersecurity Assessment Tool
ICBA Summary of FFIEC Cybersecurity Assessment Tool July 2015 Contact: Jeremy Dalpiaz Assistant Vice President Cyber Security and Data Security Policy Jeremy.Dalpiaz@icba.org www.icba.org ICBA Summary
More informationTop 10 Tips for Effectively Assessing Third-party Vendors
Top 10 Tips for Effectively Assessing Third-party Vendors Presented by: Tom Garrubba, Manager, Technical Assessments Group, CVS Caremark Web Hull, Senior Privacy & Compliance Specialist, Iron Mountain
More informationHow To Write An Article On The European Cyberspace Policy And Security Strategy
EU Cybersecurity Policy & Legislation ENISA s Contribution Steve Purser Head of Core Operations Oslo 26 May 2015 European Union Agency for Network and Information Security Agenda 01 Introduction to ENISA
More informationTOOLS and BEST PRACTICES
TOOLS and BEST PRACTICES Daniele Catteddu Managing Director EMEA, Cloud Security Alliance ABOUT THE CLOUD SECURITY ALLIANCE To promote the use of best practices for providing security assurance within
More informationCyber Security Auditing for Credit Unions. ACUIA Fall Meeting October 7-9, 2015
Cyber Security Auditing for Credit Unions ACUIA Fall Meeting October 7-9, 2015 Topics Introduction Cyber Security Auditing Program Discuss an effective and compliant Cyber Security Auditing Program from
More informationAsia Policy Partners LLC 2015
MoDev Hong Kong FinTech Seminar April 11 Hong Kong Cyberport Mr. Michael Mudd Secretary - General,Asia Pacific and MEA, The Open Computing Alliance Health check: Customers demands are changing Developing
More informationIT Insights. Managing Third Party Technology Risk
IT Insights Managing Third Party Technology Risk According to a recent study by the Institute of Internal Auditors, more than 65 percent of organizations rely heavily on third parties, yet most allocate
More informationKey Considerations of Regulatory Compliance in the Public Cloud
Key Considerations of Regulatory Compliance in the Public Cloud W. Noel Haskins-Hafer CRMA, CISA, CISM, CFE, CGEIT, CRISC 10 April, 2013 w_haskins-hafer@intuit.com Disclaimer Unless otherwise specified,
More informationDodging Breaches from Dodgy Vendors: Tackling Vendor Risk Management in Healthcare
Dodging Breaches from Dodgy Vendors: Tackling Vendor Risk Management in Healthcare Strengthening Cybersecurity Defenders #ISC2Congress Healthcare and Security "Information Security is simply a personal
More informationRemarks by. Thomas J. Curry. Comptroller of the Currency. Before the. Chicago. November 7, 2014
Remarks by Thomas J. Curry Comptroller of the Currency Before the 10 th Annual Community Bankers Symposium Chicago November 7, 2014 Good morning, it s a pleasure to be here today and to have this opportunity
More informationHans Bos Microsoft Nederland. hans.bos@microsoft.com
Hans Bos Microsoft Nederland Email: Twitter: hans.bos@microsoft.com @hansbos Microsoft s Cloud Environment Consumer and Small Business Services Software as a Service (SaaS) Enterprise Services Third-party
More informationWho s next after TalkTalk?
Who s next after TalkTalk? Frequently Asked Questions on Cyber Risk Fraud threat to millions of TalkTalk customers TalkTalk cyber-attack: website hit by significant breach These are just two of the many
More informationCopyright 2014 Nymity Inc. All Rights Reserved.
This sample Benchmarks Report represents a real-world example of Your Privacy Management Status Report based on a mature privacy program in a non-north American organization within the public sector. Copyright
More informationPerspectives on Navigating the Challenges of Cybersecurity in Healthcare
Perspectives on Navigating the Challenges of Cybersecurity in Healthcare May 2015 1 Agenda 1. Why the Healthcare Industry Established HITRUST 2. What We Are and What We Do 3. How We Can Help Health Plans
More informationIntel Security Professional Services Leveraging NIST Cybersecurity Framework (CSF): Complexity is the enemy of security
Intel Security Professional Services Leveraging NIST Cybersecurity Framework (CSF): Complexity is the enemy of security David Brezinski, Professional Services, Enterprise Security Architect Agenda Overview
More informationHarnessing The Cloud: Managing Risks and Governance in a Cloud Environment Russell G. Weiss November 9, 2011
2011 Morrison & Foerster LLP All Rights Reserved mofo.com Harnessing The Cloud: Managing Risks and Governance in a Cloud Environment Russell G. Weiss November 9, 2011 Presenter Russell Rusty Weiss Partner
More informationUnder control 2015 Hot topics for IT internal audit in financial services. An Internal Audit viewpoint
Under control 2015 Hot topics for IT internal audit in financial services An Internal Audit viewpoint Introduction Welcome to our fourth annual review of the IT hot topics for IT internal audit in financial
More informationContinuous Third-Party Security Monitoring Powers Business Objectives And Vendor Accountability
A Custom Technology Adoption Profile Commissioned By BitSight Technologies Continuous Third-Party Security Monitoring Powers Business Objectives And Vendor Accountability Introduction As concerns around
More informationCloud Computing in a Regulated Environment
Computing in a Regulated Environment White Paper by David Stephenson CTG Regulatory Compliance Subject Matter Expert February 2014 CTG (UK) Limited, 11 Beacontree Plaza, Gillette Way, READING, Berks RG2
More informationClick to edit Master title style
EVOLUTION OF CYBERSECURITY Click to edit Master title style IDENTIFYING BEST PRACTICES PHILIP DIEKHOFF, IT RISK SERVICES TECHNOLOGY THE DARK SIDE AGENDA Defining cybersecurity Assessing your cybersecurity
More informationOUTSOURCING REGULATIONS IN THE BANKING AND INSURANCE INDUSTRIES IN ASIA PACIFIC
OUTSOURCING REGULATIONS IN THE BANKING AND INSURANCE INDUSTRIES IN ASIA PACIFIC Bridging Borders Webinar Series 1 Welcome Welcome You are on mute A link to a recording of the webinar will be available
More informationTrust in the Cloud Legal and Regulatory Framework
Trust in the Cloud Legal and Regulatory Framework Cloud Security Alliance San Francisco, CA February 26, 2014 Francoise Gilbert, JD, CIPP Managing Director IT Law Group 2014 IT Law Group All Rights Reserved
More informationSATURDAY, FEBRUARY 28, 2015 CLE 10 (Ethics) 9:30 a.m. 10:30 a.m. Moving to the Cloud - Identifying & Managing Legal, Ethical and Compliance Risks
SATURDAY, FEBRUARY 28, 2015 CLE 10 (Ethics) 9:30 a.m. 10:30 a.m. Moving to the Cloud - Identifying & Managing Legal, Ethical and Compliance Risks Moving to the Cloud - Identifying & Managing Legal, Ethical
More informationOpen Certification Framework. Vision Statement
Open Certification Framework Vision Statement Jim Reavis and Daniele Catteddu August 2012 BACKGROUND The Cloud Security Alliance has identified gaps within the IT ecosystem that are inhibiting market adoption
More informationSecuring The Cloud. Foundational Best Practices For Securing Cloud Computing. Scott Clark. Insert presenter logo here on slide master
Securing The Cloud Foundational Best Practices For Securing Cloud Computing Scott Clark Agenda Introduction to Cloud Computing What is Different in the Cloud? CSA Guidance Additional Resources 2 What is
More informationSHARED ASSESSMENTS PROGRAM STANDARDIZED INFORMATION GATHERING (SIG) QUESTIONNAIRE
SHARED ASSESSMENTS PROGRAM STANDARDIZED INFORMATION GATHERING (SIG) QUESTIONNAIRE The Shared Assessments Trust, But Verify Model The Shared Assessments Program Tools are used for managing the vendor risk
More informationVENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium
1 VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium 2 Agenda Introduction Vendor Management what is? Available Guidance Vendor Management
More informationWhy & How Cloud computing is enabling the digital transformation of financial services institutions
Why & How Cloud computing is enabling the digital transformation of financial services institutions There s no one billion customer bank yet, because there s no way to do it without cloud. Next generation
More informationGovernance, Risk, and Compliance (GRC) White Paper
Governance, Risk, and Compliance (GRC) White Paper Table of Contents: Purpose page 2 Introduction _ page 3 What is GRC _ page 3 GRC Concepts _ page 4 Integrated Approach and Methodology page 4 Diagram:
More informationExecutive Order 13636: The Healthcare Sector and the Cybersecurity Framework. September 23, 2014
Executive Order 13636: The Healthcare Sector and the Cybersecurity Framework September 23, 2014 Executive Order: Improving Critical Infrastructure Cybersecurity It is the policy of the United States to
More informationData Breach Response Planning: Laying the Right Foundation
Data Breach Response Planning: Laying the Right Foundation September 16, 2015 Presented by Paige M. Boshell and Amy S. Leopard babc.com ALABAMA I DISTRICT OF COLUMBIA I FLORIDA I MISSISSIPPI I NORTH CAROLINA
More informationThe New Third-Party Oversight Framework: Trust but Verify kpmg.com
Financial Services Regulatory Point of View The New Third-Party Oversight Framework: Trust but Verify kpmg.com The New Third-Party Oversight Framework: Trust but Verify 1 Financial services regulatory
More informationWhite Paper Achieving GLBA Compliance through Security Information Management. White Paper / GLBA
White Paper Achieving GLBA Compliance through Security Information Management White Paper / GLBA Contents Executive Summary... 1 Introduction: Brief Overview of GLBA... 1 The GLBA Challenge: Securing Financial
More informationCyber Security and your Financial Institution: Are you ready for the increased scrutiny related to cyber risks?
Cyber Security and your Financial Institution: Are you ready for the increased scrutiny related to cyber risks? August 27, 2014 Presented by: Terry Ammons, Partner, Porter Keadle Moore Tim Davis, Senior,
More informationOutsourced Third Party Relationship Management/ Vendor Management. TTS Webinar July 15, 2015 Susan Orr CISA, CISM, CRISC, CRP
Outsourced Third Party Relationship Management/ Vendor Management TTS Webinar July 15, 2015 Susan Orr CISA, CISM, CRISC, CRP 1 Risk Management Guidance 2 3 Appendix J: 4 - Key Elements Third Party Management
More informationLaw Firm Cyber Security & Compliance Risks
ALA WEBINAR Law Firm Cyber Security & Compliance Risks James Harrison CEO, INVISUS Breach Risks & Trends 27.5% increase in breaches in 2014 (ITRC) Over 500 million personal records lost or stolen in 2014
More informationStrategies for Integra.ng the HIPAA Security Rule
Strategies for Integra.ng the HIPAA Rule Kaiser Permanente: Charles Kreling, Execu.ve Director Sherrie Osborne, Director Paulina Fraser, Director Professional Strategies S21 2013 Fall Conference Sail to
More informationCybersecurity. Are you prepared?
Cybersecurity Are you prepared? First Cash, then your customer, now YOU! What is Cybersecurity? The body of technologies, processes, practices designed to protect networks, computers, programs, and data
More informationCloud Computing What Auditors need to know
Cloud Computing What Auditors need to know This presentation is provided solely for educational purposes and, in developing and presenting these materials, Deloitte is not providing accounting, business,
More informationCloud Security and Managing Use Risks
Carl F. Allen, CISM, CRISC, MBA Director, Information Systems Security Intermountain Healthcare Regulatory Compliance External Audit Legal and ediscovery Information Security Architecture Models Access
More informationGlobal Privacy and Data Security in the Cloud September 14, 2011 Miriam Wugmeister
2011 Morrison & Foerster LLP All Rights Reserved mofo.com Global Privacy and Data Security in the Cloud September 14, 2011 Miriam Wugmeister Presenter Miriam Wugmeister Morrison & Foerster LLP New York
More informationCyber Security From The Front Lines
Cyber Security From The Front Lines Glenn A Siriano October 2015 Agenda Setting the Context Business Considerations The Path Forward Q&A Cyber Security Context Cyber Has Become a Boardroom Conversation
More informationCloud Security considerations for business adoption. Ricci IEONG CSA-HK&M Chapter
Cloud Security considerations for business adoption Ricci IEONG CSA-HK&M Chapter What is Cloud Computing? Slide 2 What is Cloud Computing? My Cloud @ Internet Pogoplug What is Cloud Computing? Compute
More informationENERGY SECTOR CYBERSECURITY FRAMEWORK IMPLEMENTATION GUIDANCE
ENERGY SECTOR CYBERSECURITY FRAMEWORK IMPLEMENTATION GUIDANCE JANUARY 2015 U.S. DEPARTMENT OF ENERGY OFFICE OF ELECTRICITY DELIVERY AND ENERGY RELIABILITY Energy Sector Cybersecurity Framework Implementation
More information