Vendor Management Panel Discussion: Managing 3rd Party Risk





Vendor Risk at its Finest

CVS Caremark Corporation announced that it had mistakenly sent letters to approximately 3,500 health care members providing them with other members' personal medical information. The incident was caused by an unspecified program error at CVS's pharmacy benefits manager.

St. Elizabeth's Medical Center in Massachusetts recently notified over 6,800 patients that their billing information, including credit card numbers and security codes, may have been compromised when the hospital's documents were removed by a vendor from a building scheduled for demolition.

In both cases the vendor made the error, but the health care organization owned the breach and the notification.

Problem Statement

While companies can realize real financial benefits from outsourcing operational processes to third parties, they must recognize that they cannot outsource their risks. In fact, because of the inherent lack of control companies maintain over their third parties, they may even be introducing additional risks by outsourcing. Fortunately, these risks can be managed.

Regulations and Standards

Numerous regulations and industry guidelines require management of vendors and 3rd parties:
- GLBA
- ISO (27001/27002)
- FCRA / Red Flags Rule
- NIST
- HIPAA / HITECH
- FFIEC Examiners Handbook
- PCI DSS
- EU BSPR
- COBIT
- CERT-RMM

Managing Your Risk: Require IT Risk / Information Security Specific Contract Terms
- Right to audit
- Need for a documented and tested security program
- Like-kind controls at the vendor's own 3rd parties (flow-down of your requirements to subcontractors)
- Documented Service Level Agreements (SLAs), measurements to demonstrate compliance with SLAs, and documented penalties for failure to adhere to SLAs
- Requirement to comply with all applicable legal requirements, such as GLBA and HIPAA
- Requirement to comply with all necessary industry requirements, such as PCI
- Requirement to remediate adverse findings in a timely fashion
- Specific requirement for incident notification
- Indemnification against suits resulting from a breach

A term is only enforceable if it is specific: state the audit scope and frequency, define "timely" remediation and incident notification as a number of hours or days, and tie SLA penalties to the measurements the vendor is required to report.

Managing Your Risk: Perform Due Diligence
- Onsite audits
- Review of the vendor's security program
- Review of security assessments and tests
- Review of control validations and industry certifications (e.g., PCI ROC, SSAE 16, ISO 27001/27002)
- Request and track remediation of findings

Read the scope of every certification or report: a PCI ROC or SSAE 16 report covers only the systems, locations and controls named in it, and ISO 27002 is implementation guidance rather than a certifiable standard, so a vendor is certified against ISO 27001.

Panel Discussion
- How does your company manage vendor risk?
- What does your vendor management organization look like, and who has responsibility for it?
  - Contracting
  - Financial due diligence
  - Security due diligence
  - BCP due diligence
  - IT due diligence
- Does your company have staff dedicated to these tasks? Who brings it all together?
- Do you outsource any of these tasks?
- Do you use a GRC or other tool to manage your due diligence activities?

Panel Discussion
- What regulatory requirements mandate that you manage your 3rd party risks?
- Describe how your company manages IT Risk and Information Security due diligence.
- Do you perform onsite assessments? Physical walkthroughs? Interviews?
- Do you use a security questionnaire? How many questions? Is it your own questionnaire, or do you use something like the BITS SIG?
- Do you review vendor documentation?
  - Policies / Standards / Guidelines / Procedures?
  - Network and security diagrams?
  - 3rd party contract templates?
  - Certifications and assessments?
    - 3rd party penetration tests
    - ISO/IEC 27001/27002
    - SSAE 16 / SAS 70

Panel Discussion
- Do you roll up your due diligence into risk reports? How do you quantify vendor risk? Can you explain what goes into it?
- Can you explain how you rate your vendors (by tier, by risk level)?
- Do you have one or more committees dedicated to vendor risk management?
- Do you carry cyber insurance to protect against third party breaches?
- How do you manage insertion of contract terms on your paper vs. theirs?
- Do you require specific terms in your vendor contracts? Do you get much pushback from your vendors on the terms? What would you say are your top 5 terms?
- Do you include a set of Third Party Security Standards in your vendor agreements? Do you get much pushback on that standard? How verbose/prescriptive is the standard? How many pages?