www.pwc.com Third Party Risk Management 12 April 2012

Agenda

1. Introductions
2. Drivers of Increased Focus on Third Parties
3. Governance
4. Third Party Risks and Scope
5. Third Party Risk Profiling
6. Third Party Monitoring
7. Technology Enablers
8. Service Organization Reports and Standards

Globalization and business partnerships are increasingly being leveraged as strategic enablers (Slide 3)

According to PwC's 14th Annual Global CEO Survey:
- Companies are reshaping strategies and operating models, focusing on innovation, collaboration, and talent to find new sources of revenue growth and competitive advantage.
- Partnerships will be key:
  - 40% of CEOs expect the majority of innovations over the next three years to be co-developed with partners.
  - 50% said their companies will enter into a strategic alliance or JV in the coming year.
- Roughly a third of CEOs indicated their companies plan to complete a cross-border merger or acquisition, or outsource a business process or function, in the next year.

As organizational models shift and risk profiles evolve, executives and Boards seek greater transparency and increased assurance that the company's most significant risks are appropriately mitigated.

Some additional data points on third-parties and security (Slide 4)

- 39% have established security baselines for partners/customers/vendors. Taking this one step further, only 23.6% of respondents stated they have security procedures partners/suppliers must comply with.
- 69% of respondents said "somewhat" to "very" confident when asked how confident they are in partners'/suppliers' information security.
- 35% of the time, respondents state their organizations were informed of security breaches by customers or suppliers, government officials, the media or the perpetrator.

What is the greatest security risk to your cloud computing strategy?
- Uncertain ability to enforce provider site security policies: 31.8%
- Questionable privileged access control at provider site: 14.7%
- Proximity of your data to someone else's: 11.0%
- Uncertain ability to recover data: 9.0%
- Uncertain continued existence of provider: 3.7%
- Uncertain provider regulatory compliance: 3.5%
- Uncertain ability to audit provider: 2.8%
- Access across an untrusted network: 4.1%

Managing security-related risks associated with business partners has always been an issue; however, it's getting worse (Slide 5)

Over the past 24 months, the number of security incidents attributed to customers, partners, and suppliers has nearly doubled.

Estimated likely source of incident:
- Customer: 10% (2009), 12% (2010), 17% (2011)
- Partner or supplier: 8% (2009), 11% (2010), 15% (2011)

Source: 2012 Global State of Information Security Survey, Question 22: Estimated likely source of incident. (Not all factors shown. Totals do not add up to 100%.)

While risks associated with third parties continue to increase, many companies are less prepared to defend their data (Slide 6)

Over the past two years, organizations have allowed data privacy safeguards to degrade, exposing the enterprise to potential compromise. (Source: 2012 Global Information Security Survey)

GISS survey results (2009, 2010, 2011):
- Due diligence of third parties handling personal data: 35%, 32%, 29%
- Inventory of all third parties handling personal data; Require third parties to comply with our policies: 29%, 28%, 24%; 29%, 34%, 39%
- Incident response process to report and handle breaches: 30%, 27%, 35%

Question 15: Which data privacy safeguards does your organization have in place? Question 16: What information security safeguards related to people does your organization currently have in place? Not all factors shown. Totals do not add up to 100%.

Level-setting: definitions (Slide 7)

Third-party defined: For our purposes, we define a third-party as any entity not under the direct business control of a given organization. Many people equate third-parties with vendors, but that's not always the case; consider:
- Vendors / suppliers of products or services
- Business partners (JV partners, alliances, etc.)
- Marketing partners
- Strategic consultants
- Government agencies
- Regulatory bodies
- Customers

Third-party risk management encompasses vendor risk management, but is more broadly focused on gaining an understanding of organizational risks and understanding which of those risks may be either positively or negatively affected by the third-parties that the company does business with.

Third-party risk assessment is the process of determining the risk associated with a specific third party. Results of the risk assessment are used to determine if a review is required.

Third-party review is the process of evaluating a third party's control environment. Reviews may be performed on-site or remotely.

How do you define third-party risk?

Example third party risk management governance (Slide 8)

Governance:
- Enterprise Risk Committee
- Critical Third Party Oversight Committee

Management & Oversight:
- Third Party Management Office
- Third Party Relationship Officer
- Business Unit Operational Risk Oversight
- Third Party Risk Manager (High & Critical Risk Services)
- Procurement / Sourcing / Contracts Management

Subject Matter Specialists:
- InfoSec (TBD)
- PhySec (TBD)
- Financial Due Diligence
- Reputational Due Diligence
- BCM (TBD)
- Legal & Compliance
- Internal Audit

Vendors

Governance Organization (Slide 9)

1. Who leads IT control assessments of third-parties at your organization?
2. How does internal audit play a role?
3. How formal is your third-party security assessment function?

Third Party Risk Management (Slide 10)

Stakeholders: Information Technology, Contracts Management, Legal, Information Security, Business & Operations, Privacy, Business Continuity, Compliance

Vendor Risk Assessment:
- Risk Prioritized Planning Process: determine risk factors; survey relationships; leverage internal stakeholder knowledge; develop prioritized assessment schedule
- Pre-visit activities: communicate review process, goals, and methodologies to third-party; prepare/process paperwork; survey third-party; arrange site visit schedule
- Site visit: meet third-party; review survey responses; physical walkthrough; contracts, policy, configuration examination
- Reporting: document reviews; communicate findings with internal stakeholders; develop plan of action to address significant deficiencies; plan re-testing

Solution Delivery Foundation:
- Risk-prioritized selection approach
- Third-Party Surveys
- Physical Security Walkthrough
- Policy & procedure Reviews
- Technical configuration validation
- Third-Party Sub-contract Review
- Reporting and Ranking
- Follow-up with Internal Customers

Landscape of third party risk (Slide 11)

Focus on third parties that:
- Perform functions on behalf of the Company
- Provide products and services that the Company does not originate
- Franchise the Company's attributes (Brand)

Risks to be managed when using third parties: Reputation, Technology, Strategic, Supply Chain, Security, Credit, Compliance, Privacy, Other (liquidity, price, Fx, country), Transactional, Operations

Due Diligence:
- Experience
- Audited financial statements
- Reputation, complaints, litigation
- Qualifications
- Internal controls
- Adequacy of MIS
- BCP/DR
- Cost of development, implementation and support
- Use of third parties
- Supply Chain Transparency
- Insurance

Risk Assessment:
- Integration with strategic objectives
- Expertise to oversee and manage activity
- Cost/Benefit
- Customer expectations

Contract:
- Scope of arrangement
- Performance measures
- Responsibility for management information reports
- Right to audit
- Cost and compensation
- Ownership and license
- Confidentiality and security
- Business resumption
- Indemnification
- Insurance
- Dispute resolution
- Limits on liability
- Default and termination
- Customer complaints

Ongoing Oversight:
- Financial condition / financial statements
- Supplier's obligations to sub-suppliers
- Insurance coverage
- Monitor controls: audit reports, supplier policies, on-site visits
- Compliance risks
- BC/DR plans and test results
- Quality of service and support: SLA reporting, problem management
- Alignment with organization's strategy
- Customer complaints, customer satisfaction survey
- Periodic performance meetings

Expected documentation:
- List of suppliers, with valid, current and complete contracts
- Business plans identifying management's planning process, decisions and due diligence
- Evidence the firm evaluated the supplier's controls and monitors the supplier's performance
- Regular reports to the board, or a delegated committee, of the results of ongoing oversight activity

Types of risk to consider (Slide 12)

Operational Risk: Risk that arises from the potential that inadequate internal controls, operational problems, breaches in internal controls, unforeseen catastrophes, or decentralized operations could result in unexpected losses, the inability to maintain a competitive position, or the inability to maintain a well controlled IT processing environment.
Associated with: Business locations; Business units; Business process; Transaction processing; Unauthorized activities; Cost efficiencies; Intellectual property; Functionality; Security; Business continuity; IT change management

Compliance & Regulatory Risk: Risk arising from the potential that unenforceable contracts, lawsuits, or adverse judgments can disrupt or otherwise negatively affect the operations of the client, and adverse consequences from nonconformance with rules and regulations.
Associated with: HIPAA; HITECH; PCI; Sarbanes-Oxley; Litigation; Human resource regulation; Contracts; Privacy laws and regulations; Developing e-business laws and regulations (local, state, national, international); State laws

Financial Risk: Risk arising from the potential that incomplete, inaccurate, or unauthorized transactions, fraud, or inadequate internal controls could affect the integrity of information regarding the financial condition of the client.
Associated with: Sarbanes-Oxley; Transaction processing; Unauthorized activities; SEC and accounting governance standards; Fair disclosure; IT change management; Security; Interface; Consolidations; Data integrity; Data sensitivity

Technology Risk: Risk arising from the potential that new systems, technologies, inter- and intra-connectivity, third-party connectivity, changes, and security threats could adversely affect the integrity and confidentiality of client data and transactions, as well as the efficiency, effectiveness, and availability of the IT processing environment.
Associated with: IT change management; Operating platforms; Databases; Web-based applications; Network connectivity; Electronic communications and data transfers; Security; IT outsourcing / cloud

Strategic Risk: Risk arising from the potential for negative publicity around the client's business practices, adverse business decisions, or lack of responsiveness to changed business conditions that will cause a decline in the customer base, costly litigation, or revenue reductions.
Associated with: Security or internal control breaches; Intellectual property; Fraud; Competition; Business development; New products and markets; Alliances; Brand value; Ethics and governance; Third-party connections

Profiling third party risk (Slide 13)

1. Profile Third Party
   - Data collection: business sponsor, previous assessments, third party contacts, contracts
   - Preliminary entity profiling, preliminary service profiling, preliminary third party rating
   - Output: assessment type, assessment scope
2. Assess
   - Technical security assessment
   - Third party processes and controls
   - Periodic review
   - Output: assessment report, third party report, risk rating and score
3. Review and Decide
   - Residual risk rating and score
   - Business action: accept, share / transfer, reduce
   - Remediation and reassessment

Components of the third party risk profile (Slide 14)

Entity Profile (Max Score 100):
- Experience & size etc. (10%)
- Familiarity to Company (includes contract status) (35%)
- Prior Reviews (55%)

Service Profile (Max Score 100), category weighting:
- Service Operation: Service Scope (15%), Service Type (25%)
- Data & Information: Data Access (5%), Data Sensitivity (25%)
- Availability: Availability Impact (5%), Uptime Req. (5%)
- Regulatory & Legal: SOX, GxP, PCI, PII, HIPAA (20%)
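The profiling step (Slide 13) combined with the Slide 14 weights, worked through as an added example; this is not PwC's own tool. Only the category weights come from the deck: the 0-10 factor scale, the rating bands, and the mapping from rating to assessment type and scope are constructed assumptions.

```python
"""Third-party risk profile scoring (added example, not the deck's own tool).

Weights are from Slide 14; the 0-10 factor scale, the rating bands and the
rating-to-assessment mapping are assumptions made for this illustration.
"""

# Weights from Slide 14 (each profile has a maximum score of 100).
ENTITY_WEIGHTS = {
    "experience_size": 0.10,   # Experience & size etc.
    "familiarity": 0.35,       # Familiarity to Company (incl. contract status)
    "prior_reviews": 0.55,     # Prior reviews (10 = never reviewed)
}
SERVICE_WEIGHTS = {
    "service_scope": 0.15, "service_type": 0.25,
    "data_access": 0.05, "data_sensitivity": 0.25,
    "availability_impact": 0.05, "uptime_req": 0.05,
    "regulatory": 0.20,        # SOX / GxP / PCI / PII / HIPAA
}
REGIMES = ("SOX", "GxP", "PCI", "PII", "HIPAA")

# Assumed rating bands (lower bound of the overall score) and the assessment
# each rating triggers, using the assessment types named on Slide 13.
RATING_BANDS = [(70, "Critical"), (45, "High"), (25, "Medium"), (0, "Low")]
ASSESSMENT_BY_RATING = {
    "Critical": ("On-site review", "Technical security assessment and process/control review"),
    "High": ("Remote review", "Technical security assessment and process/control review"),
    "Medium": ("Questionnaire", "Third-party processes and controls"),
    "Low": ("Periodic review", "Contract and survey refresh only"),
}


def regulatory_factor(applicable):
    """0-10 factor: share of the five named regimes that apply to the service."""
    unknown = set(applicable) - set(REGIMES)
    if unknown:
        raise ValueError(f"unknown regulatory regime(s): {sorted(unknown)}")
    return 10.0 * len(set(applicable)) / len(REGIMES)


def weighted_score(factors, weights):
    """Each factor is rated 0 (lowest risk) to 10 (highest); returns 0-100."""
    missing = set(weights) - set(factors)
    if missing:
        raise ValueError(f"missing factor(s): {sorted(missing)}")
    for name in weights:
        if not 0 <= factors[name] <= 10:
            raise ValueError(f"factor {name!r} must be in 0..10")
    # factor * 10 puts each factor on a 0-100 scale before weighting.
    return round(sum(factors[k] * 10 * w for k, w in weights.items()), 1)


def preliminary_rating(entity_score, service_score):
    """Assumption: the riskier profile drives the rating, so a sensitive
    service from a well-known vendor is still reviewed properly."""
    overall = max(entity_score, service_score)
    for floor, rating in RATING_BANDS:
        if overall >= floor:
            return rating
    raise AssertionError("unreachable: bands cover 0..100")


def profile_third_party(entity_factors, service_factors, regimes=()):
    """Step 1 of Slide 13: scores, preliminary rating and the assessment to run."""
    service = dict(service_factors, regulatory=regulatory_factor(regimes))
    entity_score = weighted_score(entity_factors, ENTITY_WEIGHTS)
    service_score = weighted_score(service, SERVICE_WEIGHTS)
    rating = preliminary_rating(entity_score, service_score)
    kind, scope = ASSESSMENT_BY_RATING[rating]
    return {"entity_score": entity_score, "service_score": service_score,
            "rating": rating, "assessment_type": kind, "assessment_scope": scope}
```

With a constructed never-reviewed payments processor (entity factors 3, 6, 10; service factors 8, 7, 9, 9, 4, 5; PCI and PII applicable) the entity profile scores 79.0, the service profile 69.0, and the preliminary rating is Critical, which routes it to an on-site review.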

Profile output (example) (Slide 15)

GRC & Third Party Risk Management (Slide 16)

Governance, Risk and Compliance (GRC) is an organization's response to integrated risk management. Risk is managed throughout the business to better prepare the organization to be aware of and respond to risks should they materialize. Common components of an operational GRC program are: Threat & Vulnerability Management; Risk & Compliance Management; Incident Management & Business Continuity; Governance; Third Party Management. 3rd party management is a key element in any formal GRC program.

3rd party management is the active monitoring and evaluation of risk that pertains to the population of vendors that an organization chooses to conduct business with. Risk elements specific to 3rd party management can include such topics as:
- Data exchange, processing, sharing and storing
- A vendor's ability to recover from an incident or a disastrous event
- Types of data a 3rd party manages on behalf of a company they do business with

Using Technology to Improve Processes (Slide 17)

Technology solutions exist to support vendor management and the corresponding risks associated with contracted vendors. Vendor management solutions can provide numerous features that give an organization strategic advantages as well as process efficiencies. Some of these key features include:
- Automated workflow: routing processes such as review and approval using integrated e-mail functionality
- Central repository for all vendor management data: a single repository containing all vendor management data, allowing for consistency of the data captured as well as a single data store for reports to query
- Ad-hoc, dashboard and scheduled reporting: multiple types of reports providing the flexibility to look at specific vendor data details for different internal audiences
- Access control: capabilities to control who can see what types of data and who can create, read, update or delete content records
- Vendor assessment: the ability to create tailored questionnaires based on specific risk profiles allows an organization to gather the information it needs to actively manage vendor relationships
- Offshoring Centers of Excellence: this support leverages an offshore model and can offload data entry, data aggregation, initial risk ranking/scoring exercises, and desktop reviews to lower costs, among other services

Assessing third-parties: other forms of assurance (Slide 18)

Forms of assurance users may receive include:
- Payment Card Industry (PCI) Report of Compliance (ROC)
- ISO certification
- Safe Harbor Certification
- Opinions issued by CPAs under AT101

Organizations that operate information systems and provide services often provide assurance on the design and operating effectiveness of their controls via reporting under AICPA Attestation Standard No. 101. These providers typically collect, process, transmit, store, organize, maintain, or dispose of information for other entities. The AICPA recently clarified guidance under AT101 by describing three types of Service Organization Controls (SOC) reporting that may be relevant to user needs.

Summary of Service Organization Control Reports (Slide 19)

SOC 1 Reports (SSAE No. 16, Reporting on Controls at a Service Organization): establishes the requirements and guidance for a CPA examining and reporting on a service organization's description of its system and its controls that are likely to be relevant to user entities' internal control over financial reporting. SOC 1 reports are needed by the auditors of the user entities' financial statements to obtain information about controls at the service organization that may affect assertions in the user entities' financial statements. SOC 1 reports are intended solely for the information and use of existing user entities, their financial statement auditors and management of the service organization.

SOC 2 Reports (under AT 101 and the AICPA Guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy): an examination engagement to report on controls at a service organization intended to mitigate risks related to security, availability, processing integrity, confidentiality, or privacy (trust services principles). Contains a detailed description of the service auditor's tests of the operating effectiveness of controls and the results of those tests, which may be necessary for a particular user to determine how it is affected by those controls.

SOC 3 Reports (under AT101, following the Trust Services Principles for Security, Availability, Processing Integrity, Confidentiality, or Privacy): a practitioner may report on one or more of the five trust services principles. In the examination report, the opinion concludes whether the service organization maintained effective controls over its system, based on the relevant TSP criteria.

Questions?

Rob Stouder, rob.stouder@us.pwc.com, (317) 940-7501

© 2012 PwC. All rights reserved. In this document, "PwC" refers to PricewaterhouseCoopers LLP, a Delaware limited liability partnership, which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity. This document is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.