Vendor Security Risk Management



Similar documents
IT Vendor Due Diligence. Jennifer McGill CIA, CISA, CGEIT IT Audit Director Carolinas HealthCare System December 9, 2014

Third-Party Cybersecurity and Data Loss Prevention

Business Process Management 100 Success Secrets

PwC Viewpoint on Third Party Risk Management

WHITE PAPER THIRD PARTY MANAGEMENT: FUNDAMENTALS

Chris Hodges, P.E., CFM, LEED AP, IFMA Fellow, FRICS

Security & IT Governance: Strategies to Building a Sustainable Model for Your Organization

Third Party Risk Management 12 April 2012

Vendor Management: An Enterprise-wide Focus. Susan Orr, CISA CISM CRISC CRP Susan Orr Consulting, Ltd.

Identity and Access Management Point of View

Any business relationship between a bank and another entity, by contract or otherwise

Enterprise Risk Management & Information Technology

Top 10 Tips and Tools for Meeting Regulatory Requirements and Managing Cloud Computing Providers in the United States and Around the World

Governance, Risk, and Compliance (GRC) White Paper

Vendor Risk Management Financial Organizations

The Role of Internal Audit In Business Continuity Planning

Identity & Access Management new complex so don t start?

9/13/ /20 Vision for Vendor Management & Oversight. Disclaimer. Bank Service Company Act - FIL-49-99

Vendor Management Compliance Top 10 Things Regulators Expect

A Cautionary Tale Plus Cross-Channel Risk

VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium

Cyber Security Auditing for Credit Unions. ACUIA Fall Meeting October 7-9, 2015

The CIPM certification is comprised of two domains: Privacy Program Governance (I) and Privacy Program Operational Life Cycle (II).

Value-Driven Business Process Management Berlin, Germany/Orlando, FL USA

White Paper Achieving GLBA Compliance through Security Information Management. White Paper / GLBA

Cloud Computing Thunder and Lightning on Your Horizon?

White Paper on Financial Institution Vendor Management

ANITIAN INTELLIGENT INFORMATION SECURITY INTELLIGENT INFORMATION SECURITY

Salesforce Knowledge Base Sandbox Configuration Guide

14 October 2015 ISACA Curaçao Conference By: Paul Helmich

Vendor Management Compliance Top 10 Things Regulators Expect

NEW YORK STATE-WIDE PAYROLL CONFERENCE. Presented to:

Data Loss Prevention. Keeping sensitive data out of the wrong hands*

Information Obfuscation (Data Masking)

Impact of New Internal Control Frameworks

Internal audit value optimization for insurance organizations

Vendor Management. Outsourcing Technology Services

Compliance Risk Management Survey A Point of View

Outsourcing Technology Services A Management Decision

KPIs and Improving Profitability with Business Intelligence SCOTT RANDALL ADVANCED LEGAL

Ed McMurray, CISA, CISSP, CTGA CoNetrix

GOVERNANCE DEFINED. Governance is the practice of making enterprise-wide decisions regarding an organization s informational assets and artifacts

2014 ERP REPORT. A Panorama Consulting Solutions Research Report

ISE Northeast Executive Forum and Awards

Process Improvement. Process improvement. Process improvement stages. Understanding, Modelling and Improving the Software Process

Reducing Cost and Risk Through Software Asset Management

Quality Assurance Services

Improving Financial Performance, Governance and Compliance

Identifying Key Risk Indicator

Business Continuity Management 101. Patrick Potter, CBCP MHA Consulting ISACA November 19, 2009

CISM ITEM DEVELOPMENT GUIDE

PwC Health Industries Viewpoint on Third Party Risk Management

Click to edit Master title style

Enaxis Consulting Overview

Challenges & Trends. Differentiate & Innovate the Business Model. Optimize and streamline the Operations

Growing Vendor Management

Request for Proposal (RFP)

The rise of third party relationships means rise in risk and regulation. Non-compliance is risky business for financial institutions

Risk Management of Outsourced Technology Services. November 28, 2000

The Workplace of the Future and Mobile Device Risk ISACA Pittsburgh. May 20 th, 2013

3 rd Party Vendor Risk Management

How To Transform It Risk Management

Agenda. You are not in the business to manage records

Partnering for Success: Transitioning from Shared Services to Global Business Services

Risk & Control Considerations for Outsourced IT Operations

Outsourcing & Regulatory Compliance Risks

Data Governance and CA ERwin Active Model Templates

VENDOR MANAGEMENT. General Overview

2014 Vendor Risk Management Benchmark Study

Strategy, COBIT and Vision: HOW DO THEY RELATE? Ken Vander Wal, CISA, CPA, Past President, ISACA

Information Technology

KLC Consulting, Inc. All Rights Reserved. 1 THIRD PARTY (VENDOR) SECURITY RISK MANAGEMENT

What Should IS Majors Know About Regulatory Compliance?

Access is power. Access management may be an untapped element in a hospital s cybersecurity plan. January kpmg.com

Outsourced Third Party Relationship Management/ Vendor Management. TTS Webinar July 15, 2015 Susan Orr CISA, CISM, CRISC, CRP

IBM 2010 校 园 蓝 色 加 油 站 之. 商 业 流 程 分 析 与 优 化 - Business Process Management and Optimization. Please input BU name. Hua Cheng chenghua@cn.ibm.

Shared Assessments Program Case Study

Weighing in on the Benefits of a SAS 70 Audit for Third Party Data Centers

Transcription:

ISACA San Francisco Fall Conference 2007 Vendor Security Risk Management Dan Morrison September 17, 2007 <<Your name, company name / logo here >>

Topics of Discussion Context-Information, operations & organization challenges Vendor Security Risk within a System Lifecycle Changing Regulatory Expectations Example - FFIEC Vendor Management Requirements Vendor Related Risks - Information Security Key Elements of Vendor Relationship Maturity Model Managing Vendor Information Security Risks Sample Best Practices for Vendor Security Risk Management Final Thoughts Do s / Don ts / Remembers ISACA San Francisco Fall Conference 2007 Slide 2

Context: Information & operational challenges ISACA San Francisco Fall Conference 2007 Slide 3

Context: Organizational challenges ISACA San Francisco Fall Conference 2007 Slide 4

Vendor Security Risk within a System Lifecycle ISACA San Francisco Fall Conference 2007 Slide 5

Changing Regulatory Expectations Then GLBA Risk assessment completed Core processing system Contracts with third parties Now GLBA Risk assessment capability All data, all forms, all locations Oversight of vendors FFIEC Annual risk assessment Technology centric Vendors assessed separately FFIEC Enterprise risk assessment Information focus with increasing technology focus Vendors extension of enterprise Ability to demonstrate & communicate Risk Management ISACA San Francisco Fall Conference 2007 Slide 6

FFIEC Example Federal Financial Institutions Examination Council Vendor Management Requirements ISACA San Francisco Fall Conference 2007 Slide 7

Vendor Related Risks - Information Security Key Focus Areas Your Current Maturity Level Your Future State Level 1. Vendor Access to Data/Technology? TBD 2. Vendor Identity Management/Provisioning? TBD 3. Governance:- Contract Compliance (Metrics)? TBD 4. Vendor Compliance to Sub-Contracting? TBD 5. Business Continuity/DR Planning? TBD 6. Privacy: (GLBA, HIPAA, CA1386)? TBD 7. Industry Regulations: (Federal, OCC etc.)? TBD Business Impact Cost, Quality, Service, Reputation & Risk ISACA San Francisco Fall Conference 2007 Slide 8

Key Elements of Vendor Relationship Maturity Model 1. Management Structures 2. Vendor Rationalization 3. Vendor Selection 4. Vendor Relationships 5. Manage Costs 6. Manage Performance & Quality 7. Use of Technology 8. Manage Information Security Risk ISACA San Francisco Fall Conference 2007 Slide 9

MANAGING VENDOR INFORMATION SECURITY RISKS Within a Vendor Relationship Maturity Model EXAMPLE ONLY ISACA San Francisco Fall Conference 2007 Slide 10

Sample Best Practices for Vendor Security Risk Management Line of Business responsibility for vendor risk Standard repeatable processes for requirements gathering, risk assessment, controls validation, contracting, service level management, etc. Repository to support Vendor Security Management Tools that provide KPI data People Process Technology ISACA San Francisco Fall Conference 2007 Slide 11 Qualified and trained VRMs Support from centralized team Quality measures for process Alternative validation methods Define Key Process Indicators (KPIs) for vendor security risk Vendor security risk, assessment, monitoring and reporting tools

Final Thoughts Do s Know where your data is and who has access to it Work with stakeholders within your organization to understand what security risks are important and how they apply to your vendor community Collect as much supporting information as possible specific to your organization and your vendors Leverage existing vendor information if it is applicable Make sure the vendor information is Accurate ISACA San Francisco Fall Conference 2007 Slide 12

Final Thoughts Don ts Ignore vendor security risk management Outsource the issue, thinking it will go away Cut corners be smart by leveraging information, tools and processes, however, BE DILIGENT Over-survey stakeholders Believe everything you re told look for alternative validation methods ISACA San Francisco Fall Conference 2007 Slide 13

Final Thoughts Remember Outsourcing does not remove your Risk Management responsibilities Be able to defend your risk decisions with hard data through repeatable processes and standard tools Keep your information accurate and current, and your processes tuned Think ahead start collecting information now ISACA San Francisco Fall Conference 2007 Slide 14

Contact Information Dan Morrison (415) 498-7066 daniel.morrison@us.pwc.com ISACA San Francisco Fall Conference 2007 Slide 15

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information