Vendor Risk Management Financial Organizations




Webinar Series: Vendor Risk Management for Financial Organizations
Bob Justus, Chief Security Officer, Allgress
Randy Potts, Managing Consultant, FishNet Security

Bob Justus, Chief Security Officer, Allgress

Current: As the director of the governance, risk and compliance services practice, our mission is to vigilantly protect our customer's business. Through partnership we achieve compliance and security program goals by administering a proven mix of automation, services and security reference architecture.

Chief Information Security Officer (13 years): Responsible for all aspects of the corporate-wide Information Security Program, including network (wired and wireless), systems, applications, architecture, mobile devices, remote access, data at rest, in transit and in use, security awareness, risk assessment, mitigation, control design, monitoring, disaster recovery, litigation support, third-party and vendor risk management, and incident response. Established written, monitored and measured security policies based on ISO standards, risk management based on COSO and COBIT, and overall program compliance with the Federal Financial Institutions Examination Council (FFIEC), National Institute of Standards & Technology (NIST), PCI, HIPAA, Sarbanes-Oxley (SOX 302 & 404) and state privacy mandates.

Chief Enterprise Architect (2 years): Established and published standards, assured architectural discipline, approved exceptions and kept projects on time and on budget. Oversaw the establishment of an automated application build environment for all Java-based programs, published open source development policies, and maintained architecture according to The Open Group Architecture Framework (TOGAF).

VP Technology Operations (5 years): Supported all enterprise applications on Unix systems, including email, DNS, load balancing, web servers, imaging, messaging, transaction processing, customer support, firewalls, IPS/IDS, proxy, remote access, FTP, SFTP, transmissions and SNA terminal servers.

IS Audit Manager (6 years): Performed and led audit examinations for all business applications, operating systems, support systems and technology operations. Developed key findings and recommendations to manage risk and create operational integrity.

Randy Potts, Managing Consultant, FishNet Security

Randy has more than 25 years of information security experience. Prior to FishNet Security, Randy served as a Chief Information Security Officer, on a Cyber Crime Advisory Board and a Homeland Security Commission Cyber Terrorism committee, and as a Public Information Officer for state and federal agencies. Randy has provided legislative support, established organizational and industrial standards, and testified in matters pertaining to security, governance, risk and compliance. Most recently, Randy has been focused on the private sector, advising Fortune 100 companies on the establishment and integration of international security governance and privacy regulations. Randy holds advanced degrees in Business Administration and Technology with specialization in Information Security. In addition, Randy is recognized as an industry leader with numerous security, privacy and disaster preparedness certifications.

Comptroller of the Currency
Remarks by Thomas J. Curry, Comptroller of the Currency, before a Meeting at Consumer Electronics Show on April 16, 2014:

"Today, the global nature of the Internet means hackers can target bank systems from almost anywhere. That includes countries with regimes that, at a minimum, act as criminal havens by turning a blind eye toward illicit activities, and at their worst, sponsor attacks. As a result, financial institutions today face cyber threats not only from insiders and individuals acting alone, but from global networks of well-organized nation states, criminals and so-called hacktivists.

Managing these vendor relationships is especially important in the realm of IT systems and information security, particularly with respect to smaller banks and thrifts. Third-party relationships have been a significant area of concern for years, and not just in the area of cybersecurity. We've unfortunately found it necessary to take serious enforcement actions against some of our large institutions for problems brought on by poorly managed third-party relationships, from debt collection companies to telemarketers.

I'm not trying to discourage the use of third-party vendors. They provide important services to both large and small banks, and community banks in particular often use outside contractors to leverage expertise and resources that they can't support internally. But we do expect the banks and thrifts we supervise to recognize that third-party relationships also pose significant risks, and any institution that supplements its own resources with outside providers needs to have risk management practices in place that are commensurate with that risk."

FFIEC, April 10: Financial Regulators Expect Firms to Address OpenSSL Heartbleed Vulnerability

The Federal Financial Institutions Examination Council (FFIEC) members expect financial institutions to incorporate patches on systems and services, applications and appliances using OpenSSL, and to upgrade systems as soon as possible to address the vulnerability. Financial institutions relying upon third-party service providers should ensure those providers are aware of the vulnerability and are taking appropriate mitigation action.

Q1: How do you know which third-party service to contact?
Q2: How do you make sure they are aware?
Q3: How do you document appropriate action?
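The three questions above only have fast answers if the bank already holds a component-level inventory of what each vendor runs for it. As an added example (not code from the webinar, Allgress or FishNet Security), the block below models that inventory and walks an advisory through it: which vendor services are affected (Q1), who therefore has to be contacted (Q2), and an append-only log of what each vendor did and how the bank verified it (Q3). Vendor names, contacts, service names and component versions are constructed for illustration; the advisory's affected range is the published one for CVE-2014-0160 (OpenSSL 1.0.1 through 1.0.1f). The example goes one step beyond the slide in two ways a practitioner would want: a service for which the vendor never supplied component data is classed as "unknown" and still gets the query, never silently treated as clean, and a "mitigated" or "verified" log entry is rejected without an evidence artifact.

```python
"""Added example, not code from the webinar or either vendor: matching a
component advisory against a bank's own third-party inventory. Vendor names,
contacts and versions are constructed; the advisory range is the published
one for CVE-2014-0160 (OpenSSL 1.0.1 through 1.0.1f)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

def parse_version(v: str) -> Tuple[int, ...]:
    """'1.0.1f' -> (1, 0, 1, 6) so OpenSSL letter patch levels compare
    correctly: 1.0.1 < 1.0.1f < 1.0.1g < 1.0.2 ('-beta' suffixes not handled)."""
    key: List[int] = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        letters = "".join(ch for ch in piece if ch.isalpha())
        key.append(int(digits) if digits else 0)
        if letters:
            key.append(ord(letters[0].lower()) - ord("a") + 1)
    return tuple(key)

@dataclass
class Advisory:
    component: str  # inventory component name, e.g. "openssl"
    first_bad: str  # lowest affected version, inclusive
    last_bad: str   # highest affected version, inclusive
    reference: str

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        return parse_version(self.first_bad) <= v <= parse_version(self.last_bad)

@dataclass
class Service:
    name: str
    components: Dict[str, str]  # component -> version; empty = vendor supplied no data

@dataclass
class Vendor:
    name: str
    security_contact: str
    services: List[Service] = field(default_factory=list)

def triage(vendors: List[Vendor], adv: Advisory) -> Dict[str, List[Tuple[str, str]]]:
    """Q1: sort every (vendor, service) pair into affected / unknown / not_affected.
    An empty component list is 'unknown', never 'not_affected': an empty
    inventory row proves nothing about the vendor's exposure."""
    out: Dict[str, List[Tuple[str, str]]] = {"affected": [], "unknown": [], "not_affected": []}
    for vendor in vendors:
        for svc in vendor.services:
            if not svc.components:
                bucket = "unknown"
            elif adv.component in svc.components and adv.affects(svc.components[adv.component]):
                bucket = "affected"
            else:
                bucket = "not_affected"
            out[bucket].append((vendor.name, svc.name))
    return out

def contact_list(vendors: List[Vendor], adv: Advisory) -> Dict[str, str]:
    """Q2: who has to be asked. Affected and unknown vendors both get the query."""
    t = triage(vendors, adv)
    need = {v for v, _ in t["affected"]} | {v for v, _ in t["unknown"]}
    return {v.name: v.security_contact for v in vendors if v.name in need}

class ActionLog:
    """Q3: append-only record (vendor, status, evidence, date) of what each
    vendor did and how the bank verified it."""
    STEPS = ["notified", "acknowledged", "mitigated", "verified"]

    def __init__(self) -> None:
        self.records: List[Tuple[str, str, str, str]] = []

    def record(self, vendor: str, status: str, evidence: str, when: str) -> None:
        if status not in self.STEPS:
            raise ValueError(f"unknown status {status!r}")
        # A mitigation or verification claim without an artifact is not documentation.
        if status in ("mitigated", "verified") and not evidence.strip():
            raise ValueError("mitigated/verified entries need evidence (ticket, letter, scan)")
        self.records.append((vendor, status, evidence, when))

    def status_of(self, vendor: str) -> Optional[str]:
        reached = [self.STEPS.index(s) for v, s, _, _ in self.records if v == vendor]
        return self.STEPS[max(reached)] if reached else None

    def open_items(self, vendors: List[Vendor], adv: Advisory) -> List[str]:
        """Vendors on the contact list that have not yet reached 'verified'."""
        return [v for v in contact_list(vendors, adv) if self.status_of(v) != "verified"]

# Constructed sample data, not a real inventory.
HEARTBLEED = Advisory("openssl", "1.0.1", "1.0.1f", "CVE-2014-0160")
INVENTORY = [
    Vendor("Acme Core Processing", "secops@acme.example", [
        Service("Online banking portal", {"openssl": "1.0.1e", "httpd": "2.4.7"}),
        Service("Statement archive", {"openssl": "0.9.8y"}),
    ]),
    Vendor("PayRail Gateway", "security@payrail.example", [
        Service("ACH file transfer (SFTP)", {"openssh": "6.2", "openssl": "1.0.1g"}),
    ]),
    Vendor("Helpdesk SaaS Co", "support@helpdesk.example", [
        Service("Ticketing portal", {}),  # vendor never supplied a component list
    ]),
]
```

Running `triage(INVENTORY, HEARTBLEED)` puts only the Acme online banking portal (OpenSSL 1.0.1e) in "affected", the Helpdesk ticketing portal in "unknown", and the rest in "not_affected"; `contact_list` therefore names Acme and Helpdesk, and `ActionLog.open_items` keeps listing a vendor until a "verified" entry with evidence has been recorded for it. The examiner-facing answer to Q3 is that log, not an email thread.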

Enforcement Action: MRA, FundTech, December 2013

VENDOR MANAGEMENT PROGRAM
5. (a) Within 30 days, designate a Vendor Management Coordinator with an appropriate level of due diligence and vendor risk modeling experience, who shall be vested with sufficient executive authority to fulfill the duties and shall report directly to the Board.
(b) Within 45 days, develop, adopt and implement a written vendor management program that meets the requirements and guidance of the FFIEC's IT Examination Handbook, Outsourcing Technology Services Booklet, and provides a comprehensive inventory, assessment and ongoing evaluation of all key service providers.

LETTER TO CLIENT BANKS: At the same time, send a letter ("Letter") to the TSP's client banks accurately detailing the actions the TSP has taken during the quarter to secure compliance with this ORDER.

SHAREHOLDER DISCLOSURE: Within 30 days, furnish a description of this ORDER which shall fully describe the ORDER in all material respects.

The program must include:
- Inventory
- Due Diligence
- Selecting Vendor
- Risk Assessment Model
- Risk-Based Policies to control outsourcing actions
- Contract Negotiations
- Implementation
- SLA Procedures
- Monitoring that identifies and evaluates changes in Risk

Updated Guidance
OCC: http://www.occ.gov/news-issuances/bulletins/2013/bulletin-2013-29.html
Federal Reserve: http://sharedassessments.org/media/fed-reserve-outsourcing-risk-guidance.pdf

OCC / Federal Reserve guidance, Dec. 5, 2013. A bank should:
- Adopt risk management processes commensurate with the level of risk and complexity of its third-party relationships.
- Ensure comprehensive risk management and oversight of third-party relationships involving critical activities.

An effective risk management process throughout the life cycle of the relationship includes:
- Plans that outline the bank's strategy, identify the inherent risks of the activity, and detail how the bank selects, assesses and oversees the third party.
- Proper due diligence in selecting a third party.
- Written contracts that outline the rights and responsibilities of all parties.
- Ongoing monitoring of the third party's activities and performance.
- Contingency plans for terminating the relationship in an effective manner.
- Clear roles and responsibilities for overseeing and managing the relationship and the risk management process.
- Documentation and reporting that facilitate oversight, accountability, monitoring and risk management.
- Independent reviews that allow bank management to determine that the bank's process aligns with its strategy and effectively manages risks.

Outline of the Federal Reserve guidance:
I. Purpose
II. Risks from the Use of Service Providers
III. Board of Directors and Senior Management Responsibilities
IV. Service Provider Risk Management Programs
  A. Risk Assessments
  B. Due Diligence and Selection of Service Providers
    1. Business Background, Reputation and Strategy
    2. Financial Performance and Condition
    3. Operations and Internal Controls
  C. Contract Provisions and Considerations
  D. Incentive Compensation Review
  E. Oversight and Monitoring of Service Providers
  F. Business Continuity and Contingency Considerations
  G. Additional Risk Considerations

Vendor Risk Management
- Streamlined processes
- Centralized repository
- Assess controls
- Identify and track remediation tasks through automated workflow
- Multiple dashboards and metrics to better illustrate overall compliance posture
- Mapping displays correspondence between standards and controls
- Gap Analysis compares the organization's actual performance with potential performance
- Task Timeline depicts overall completion status of projects

Modular Solution
- Vulnerability Analysis
- Security & Compliance Assessment
- Risk Analysis
- Incident Management
- Policy & Procedures
- Vendor Management
Hosted SaaS or On-Premise

Why the Need? What are the top three barriers to achieving an organization's GRC-related goals? (Source: Ponemon Research 2012)

Barriers listed on the chart, in the order shown:
- Lack of resources
- Lack of cooperation and collaboration
- Complexity of existing technologies
- Lack of clear leadership
- Organizational change
- Inability to set priorities
- Lack of C-level support
- Difficulty in hiring skilled personnel
- Inability to get started (inertia)
- Inadequacy of existing technologies
- Complexity of the program
- Lack of organizational maturity

Bar values shown on the chart, largest to smallest: 52%, 44%, 31%, 20%, 19%, 19%, 15%, 11%, 4%, 3%, 3%, 2% (the extraction does not preserve which value belongs to which bar; the axis ran from 0% to 60%).

GRC Product Innovations. What We Offer: Allgress Professional Services for Tool & GRC Process Implementation
- Multi-week evaluation of GRC use cases
- Evaluate GRC business process maturity, such as the vendor risk program
- Recommend, design and implement the Allgress solution and mature client business processes
- Develop use cases to determine business process matches for automation and to mature other related GRC processes
- Identify and establish program priorities and values
- Assessment development and dashboard refinement
- Provide a prioritized and detailed roadmap to mature and/or expand GRC tool usage

What Processes are Important: Value vs. Priority Map
[Chart residue: numbered processes were plotted by Value against Priority (Low to High); the positions are not recoverable from the extraction. Processes plotted: GRC Solutions, Reports & Dashboards, Communication, Workflows, Performance Measurement, Awareness Training, Change Control, Identity & Access Control, Staffing, Methodology, Technology, Data Integration, SaaS / Cloud.]

Develop Processes and Workflow: Vendor Risk Management Solution

Timeline (W1 2014 through W4 2014): Planning & Analysis/Design; Development; VM Testing & Implementation.

Solution components: Loss Events, Metrics, Quarterly Risk Review, Risk Register, Engagements, Remediation Plans, Risk Assessments, Question Library, Vendor Profile, Facilities, Exception Requests, Findings, Vendor Risk Assessments, Contacts, Contracts.

Summary. Together, FishNet Security and Allgress give enterprise risk, security and compliance professionals the ability to efficiently manage their risk posture: reducing the complexity and cost of vendor risk management, and providing advanced visualization, automation, streamlined workflows and the integration of existing data feeds.

Bob Justus, CSO, Allgress
Randy Potts, Managing Director, FishNet Security
For more information: Randy Pringle, Solutions Marketing, FishNet Security, randy.pringle@fishnetsecurity.com