3rd-party Security Risk Assessment



3rd-party Security Risk Assessment: Understanding Supplier Chain Risks. Presented by: Nasser Fattah, CISSP, CISM, CISA, CGEIT. Email: nasser.fattah@gmail.com. LinkedIn: www.linkedin.com/in/nasserfattah. April 14, 2015

Disclaimer: The views, opinions, and material presented by Nasser Fattah at the New York Summit are solely based on his experience and opinions relating to 3rd-party security risk assessments. Material included within does not necessarily reflect or represent MUFG Union Bank processes, practices, or actions.

Agenda
1. What are the benefits to outsource to a 3rd-party?
2. When to outsource?
3. What are the risks associated with 3rd-parties?
4. What is driving the need to review 3rd-parties?
5. What is Vendor Risk Management?
6. Who is responsible for vendor risk management?
7. What do we need to know about Vendor Risk Management?
8. Why implement Vendor Risk Management?
9. What are the key components of a Vendor Risk Management framework?
10. High-level processes for the framework
11. Example of vendor categorization
12. What are examples of risk assessments?
13. What are examples of due diligence?
14. What are examples of contract provisions?
15. Key takeaways

What are the benefits to outsource to a 3rd-party?
1. Reduce labor and operational costs
2. Permit a company to focus on its core competency
3. Access to special services
4. Produce a better product/service
5. Faster turnaround time
6. Competitive advantage
7. Much more
Remember: A business CAN'T outsource responsibility or liability!!!

When to outsource? (activity type vs. competitive relevance)

                   Strategic              Non-Strategic
Competitive        Not Outsourced         Grey Area
Non-Competitive    In House if Possible   Outsource

What are the risks associated with 3rd-parties? Types of business risks, with examples:
- Strategic: Vendor doesn't meet business goals, including the expected return on investment.
- Reputational: Vendor doesn't meet the expectations of business customers, or the vendor is subjected to public scrutiny or experiences negative publicity.
- Compliance: Vendor is not in compliance with laws or regulations, or with the business's internal policies and procedures, or its audit and control features are weak or nonexistent.
- Transaction: Vendor is unable to meet the SLA or to deliver its product or provide its service due to error, fraud, or technology failure. Ineffective business continuity planning increases transaction risk.
- Credit: Vendor fails to meet the terms of the contract, including cost, or otherwise fails to perform as agreed.

What is driving the need to review 3rd-parties? Most industries (financial, healthcare, retail, etc.) have regulations that mandate vendor risk management. The same is true for industry standards and information security best practices.

What is Vendor Risk Management? Vendor risk management is the process of ensuring that the use of service providers and IT suppliers does not create an unacceptable potential for business disruption or a negative impact on business performance. (Gartner definition)

What do we need to know about Vendor Risk Management? The business objective with 3rd-parties is to select the right vendor, for the right job, and for the right price. However, the business must still perform the right risk assessment/due diligence and have the right contract terms, including security, to best safeguard the business from potential harm and liabilities.

Who is responsible for risks associated with vendors? Business lines are ultimately responsible for risks associated with their vendors/partners. Here the business lines need to work with many subject matter experts (SMEs)/stakeholders for appropriate assessments (due diligence), selection, and monitoring of vendors: InfoSec, Procurement, Legal, Compliance, Vendor Oversight, Business Continuity, Vendor Management, IT, and the Business.

What are examples of risk assessments?
- Security questionnaires that map to business and security controls
- Supporting evidence and documentation from the vendor (pentests, DR results, etc.)
- Onsite review
- Independent reviews (SSAE 16) and industry certifications (ISO 27001, SysTrust, etc.)

What are examples of contract provisions?
- Right to audit
- NDA
- Onsite visits
- Incident response
- Data destruction and retention
- Data center relocation
- Activities of 4th-parties
- Timely breach notification

Questions for us, and some food for thought:
- What is a vendor? Software providers, SaaS, office cleaners, florists, affiliates, etc.? Know the vendor definition as per regulations.
- What is a critical vendor? Whose definition? Impact, and by which SME? Regulators expect more due diligence on critical vendors.
- Assess the vendor or the engagement? What happens when a vendor provides more than one service?
- What type of due diligence? How do we scope due diligence for vendors: the same due diligence for all vendors? What is required, including documentation, to perform due diligence? Does all due diligence include onsite reviews? What triggers an onsite review? How about 4th-party reviews?
- What about ongoing monitoring? How do you monitor vendors, and how often?
- Which ops model to assess vendors? Internal SMEs, managed services, or a hybrid to conduct 3rd-party risk assessments?
- What needs to go into a contract: any standard security provisions in contracts based on vendor type?

Key takeaways
- Partner with business lines and other SMEs (procurement, privacy, legal, etc.) to review vendors
- Evaluate your vendors, and repeat based on risk posture (inherent, residual risk)
- Report and track risks associated with vendors
- Get security provisions into contracts

Questions?