OC Chapter. Vendor Risk Management. Cover the basics of a good VRM program, standards, frameworks, pitfalls and best outcomes.




2 Why Assess a Vendor?
You don't want to be a Target for hackers via your vendors' weak IT controls.
You may have to comply with various, ever-increasing regulatory and other compliance frameworks:
HIPAA
PCI
FFIEC
Many others

3 FFIEC Announcement
The appendix highlights that a financial institution's reliance on third-party service providers to perform or support critical operations does not relieve a financial institution of its responsibility to ensure that outsourced activities are conducted in a safe and sound manner. An effective third-party management program should provide the framework for financial institution management to identify, measure, monitor, and mitigate the risks associated with outsourcing. Specifically, a financial institution should ensure that its third-party service providers do not negatively affect its ability to appropriately recover IT systems and return critical functions to normal operations in a timely manner:
Third-Party Management
Third-Party Capacity
Testing with Third-Party Technology Service Providers
Cyber Resilience

4 Assessment Approach
Sample workpaper shown on the slide: Business Continuity Planning (BCP) Control Evaluation

Control Assessment
Based on inquiry, and review of company documentation, it appears that:
1a) Current Business Continuity Plans are maintained and saved on an internal portal - PaceMaker (PaceMaker Initial Screen.pdf). They cover both business and technical/IT aspects of disaster recovery and business continuity. The samples selected (Claims, IT, and Financial Reporting) include sections for Maintenance Phase - Mandatory Update As Required, Quarterly & Semi-Annual Review of Critical Information, Testing, Recovery Phase - Pre-Activation, Activation, Critical Operations, Full Recovery, Post Recovery and Reference Attachments for applicable locations (Claims BCP.pdf, Financial Reporting BCP.pdf, IT BCP General.pdf, IT BCP Hot-Site Implementation Team.pdf, IT BCP Alternative Office Support Team.pdf, IT BCP Telecommunication Recovery Team.pdf). A Confidential Crisis Management Plan also exists and was examined with management. Hard-copy binders are kept by key executives at off-site locations. The IT department also maintains BCPs for significant systems/applications and databases on the company's SharePoint portal (BCP System Recovery Procedures.Sharepoint Folder.pdf, BCP Zeus Recovery Procedures Folder.pdf, BCP Oracle Financials Recovery Procedures Folder.pdf). The system BCPs outline specific procedures for recovering the system after a disaster (Control Procedures IT - BRP Zeus Checks.doc, DBA BCP Procedures.doc, Forms_10_BCP_Documentation-v3.doc, R12 OAP BCP Process.doc).
1b) Management indicates that a comprehensive business impact analysis (BIA) has been performed for significant business areas and is maintained and saved to PaceMaker (PaceMaker Initial Screen.pdf). The documented BIA examines areas such as: Background Information - General, Process Description, Operating Locations, Peak Operating Times & Cycle Time, Annualized Return, Annualized Production Output; Resource Requirements - General Resource Requirements, Notes, Key Records, Data, Intellectual Property & Documentation and Records Management Process, Disaster Preparedness/Work From Home Capabilities; Dependencies - Key Customers, Service Level Agreements w/ Customers, Process Dependencies, Product Dependencies, Technology Dependencies, Vendor/External Dependencies; Regulatory Requirements - Regulatory Considerations, Reporting Requirements; and BIA - Recovery Objectives, Reputation Impairment - Customer and Stakeholder Considerations, Employees, Cash Flow Interruption, Financial Control and Reporting Exposure and Contractual Noncompliance (Claims BIA.pdf, Financial Reporting BIA.pdf). BCP-System RTOs.xls documents the Recovery Time Objectives for IT Supported Business Applications per Department/Functional area.

Documentation (evidence files cited): PaceMaker Initial Screen.pdf; Claims BCP.pdf; Financial Reporting BCP.pdf; IT BCP General.pdf; IT BCP Hot-Site Implementation Team.pdf; IT BCP Alternative Office Support Team.pdf; IT BCP Telecommunication Recovery Team.pdf; BCP System Recovery Procedures.Sharepoint Folder.pdf; BCP Zeus Recovery Procedures Folder.pdf; BCP Oracle Financials Recovery Procedures Folder.pdf; Control Procedures IT - BRP Zeus Checks.doc; DBA BCP Procedures.doc; Forms_10_BCP_Documentation-v3.doc; R12 OAP BCP Process.doc; Claims BIA.pdf; Financial Reporting BIA.pdf
Other Audit Recommendation Used?: N
Previous Audit Recommendations: None
Remediation: None
Assessment: Based on the information provided, this control appears to be at CobiT Maturity Model Level 4 - Managed and Measurable.

Control Findings
DOI Questionnaire Ref #: E1
DOI Questionnaire Question: Is the business contingency plan a) current, b) based on a business impact analysis, c) has it been tested, and d) does it address all significant business activities, including financial functions, telecommunication services, data processing services and network services?
Management Response: Y
Control Activity Findings / Supporting Evidence / Management Response Comments / Evaluation of Response: (columns blank on the slide)

Three Key Types of Assessment Approach:
1. Spreadsheets and Word documents
2. GRC (tools such as Evantix, Archer, MetricStream)
3. Onsite interview and observation

5 Frameworks and Standards
Sample cross-reference shown on the slide: Shared Assessments SIG Lite questions (licensed version 2015) mapped to ISO 27001/27002:2013, COBIT 4.0/4.1, PCI DSS 3.0/3.1, FFIEC, NIST, HIPAA (2014 update) and the Shared Assessments AUP 2015. Slide columns: Ques Num, SIG Question Text, Response, Additional Information, then one relevance column per framework.

SIG Lite questions:
A. Risk Assessment and Treatment
SL.1 Is there a risk assessment program that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the program?
B. Security Policy
SL.2 Is there an information security policy that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the policy?
SL.3 Have the policies been reviewed in the last 12 months?
SL.4 Is there a vendor management program?
C. Organizational Security
SL.5 Is there a respondent information security function responsible for security initiatives?
SL.6 Do external parties have access to Scoped Systems and Data or processing facilities?
D. Asset Management
SL.7 Is there an asset management policy or program that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the policy?
SL.8 Are information assets classified?
E. Human Resource Security
SL.9 Are security roles and responsibilities of constituents defined and documented in accordance with the respondent's information security policy?

Cross-reference cells legible on the slide (the per-question pairing did not survive extraction):
ISO 27001:2013: 5.1 Leadership & Commitment, 6.1.2 Information Security Risk Assessment. Slide note on the ISO column: not an assessment tool, more an ISMS standard, but some have adapted it to fit VRM.
ISO 27002:2013: 5.1.1 Policies for information security, 5.1.2 Review of the policies for information security, 6.1.1 Information security roles and responsibilities, 8.1 Responsibility for assets, 8.2.1 Classification of information, 15 Supplier relationships
COBIT 4.0/4.1: PO2.3 Data classification scheme, PO3.1 Technological direction planning, PO3.3 Monitoring of future trends and regulations, PO4.6 Roles and responsibilities, PO6.1 IT policy and control environment; further cells cite PO2, PO3.5, PO4.3, PO4.4, PO4.5, PO4.8, PO4.14, PO5.3, PO5.4, PO6.2, PO6.3, PO6.4, PO6.5, PO7.1, PO7.2, PO7.3, PO8.3, PO9.4, AI2, AI5.2, DS2.2, DS2.3, DS2.4, DS5.1, DS5.2, DS5.3, DS5.4, DS5.5, DS9, ME2.1, ME2.2, ME2.5, ME2.6, ME2.7, ME4.7
PCI DSS 3.0/3.1: 5.4, 9.6.1, 12.1, 12.2, 12.2.b, 12.5, 12.8
FFIEC IT Examination Handbook: IS.1.3.1, IS.1.4.1, IS.1.4.2.7, IS.1.7.4, IS.2.M.15.1, BCP.1.2.1, BCP.1.3.5, MGMT.1.6.1.1, MGMT.1.6.1.2, MGMT.1.6.1.6, OPS.1.3, WPS.2.2.1.3.1
Shared Assessments AUP 2015: A.1 IT & Infrastructure Risk Governance and Context, B.1 Information Security Policy Content & Maintenance (procedure d), C.3 Security Organization Roles/Responsibilities, D.1.c.6 (Assessment Management)
NIST and HIPAA update 2014 columns: no cell text recoverable.
Also referenced: Shared Assessments Program Cloud Computing paper description.

6 Value of a Remote Assessment
Audit trail
Delegation: functionally, Sales or the CSO completing the assessment; the vendor's vendor!; Procurement; Contract; RFI
Provides attachments
Questions scored
Questions and sections weighted
Cheaper to perform over 100s of vendors

7 Onsite Assessment
Interview
Observation
Data collection
Immediate remediation suggestions
Ability to gauge the honesty of the vendor's management
Overall risk assessment more accurate
Why not do both! Remote followed by onsite for a subset of the overall vendor pool.
[Image captions: "A bit less of him!" / "And more of this!"]

8 VRM Assessment Process
Relationship Assessment
Profile Assessment
Control Assessment

9 Relationship Assessment
High Risk
Med Risk
Low Risk

10 Profile Assessment
Source: D&B, Experian, Thomson Reuters
Value: RFP selector, fraud indicator
Result: Go / No-Go, Onsite, Reserves against losses

11 Control Assessment
SaaS assessment (assessment against ISO)
Onsite assessment: interview and observation
Result:
Low risk score: move to Annual Assessment status
Med risk score: move to Remediation status
Remediation: opt for a 30 / 60 / 90 day plan for remediation of gaps, then re-assess

12 Assessment Frequency
Annual assessment: first year; small number of vendors; assessing high-risk vendors only
2- and 3-year rotational plan: med- and low-risk vendors; too many vendors to assess; vendor change in service and/or supply type
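The scoring and routing described on the Remote Assessment, Control Assessment and Assessment Frequency slides, as an added example that is not code from the deck or from Regents & Park. It scores a SIG Lite-style submission (question text taken from the Frameworks and Standards slide) with per-question and per-section weights, keeps N/A and informational questions out of the denominator, maps the resulting gap score to a tier and the slide's disposition, and computes the next due date from the rotation plan. The weights, the half-credit rule for a "Yes" with no attachment, the tier thresholds, the high-tier disposition and the sample vendor answers are assumptions constructed for illustration, not published Shared Assessments or Regents & Park values.

```python
"""Weighted scoring of a SIG Lite-style vendor questionnaire.

Added illustration for this deck, not code from Regents & Park or the
Shared Assessments Program. Question text follows the Frameworks slide;
weights, thresholds, the evidence rule and dispositions are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional


@dataclass(frozen=True)
class Question:
    qid: str
    section: str
    text: str
    weight: int = 1          # weight inside its section (assumption)
    scored: bool = True      # False = informational, never counts toward the score


@dataclass(frozen=True)
class Response:
    answer: str              # "Y", "N" or "NA"
    evidence: bool = False   # supporting attachment uploaded with the answer


# SIG Lite questions as listed on the Frameworks and Standards slide.
SIG_LITE = [
    Question("SL.1", "A", "Risk assessment program approved, communicated and owned", 3),
    Question("SL.2", "B", "Information security policy approved, communicated and owned", 3),
    Question("SL.3", "B", "Policies reviewed in the last 12 months", 1),
    Question("SL.4", "B", "Vendor management program exists", 2),
    Question("SL.5", "C", "Information security function responsible for security initiatives", 2),
    # SL.6 asks whether external parties reach scoped systems; a "Y" is
    # scoping information, not a control, so it is excluded from scoring.
    Question("SL.6", "C", "External parties have access to scoped systems and data", 1, scored=False),
    Question("SL.7", "D", "Asset management policy or program approved, communicated and owned", 2),
    Question("SL.8", "D", "Information assets are classified", 2),
    Question("SL.9", "E", "Security roles and responsibilities defined and documented", 1),
]

# Section weights (assumption): the slide says sections are weighted, not how.
SECTION_WEIGHTS = {"A": 0.25, "B": 0.30, "C": 0.15, "D": 0.20, "E": 0.10}

# Constructed sample vendor submission (not a real vendor).
SAMPLE_RESPONSES = {
    "SL.1": Response("Y", evidence=True),
    "SL.2": Response("Y", evidence=True),
    "SL.3": Response("N"),
    "SL.4": Response("Y"),             # claimed, but no attachment provided
    "SL.5": Response("Y", evidence=True),
    "SL.6": Response("Y"),
    "SL.7": Response("NA"),
    "SL.8": Response("N"),
    "SL.9": Response("Y", evidence=True),
}


def credit(resp: Response) -> Optional[float]:
    """Fraction of a question's weight earned; None means N/A (left out of the denominator)."""
    if resp.answer == "NA":
        return None
    if resp.answer == "Y":
        return 1.0 if resp.evidence else 0.5   # unsupported "Y" earns half (assumption)
    return 0.0


def score_sections(questions, responses) -> Dict[str, float]:
    """Per-section earned/possible ratio, skipping informational and N/A questions.
    A section with nothing scorable is omitted rather than scored as zero."""
    earned: Dict[str, float] = {}
    possible: Dict[str, float] = {}
    for q in questions:
        if not q.scored:
            continue
        c = credit(responses[q.qid])
        if c is None:
            continue
        earned[q.section] = earned.get(q.section, 0.0) + c * q.weight
        possible[q.section] = possible.get(q.section, 0.0) + q.weight
    return {s: earned[s] / possible[s] for s in possible}


def gap_score(questions, responses) -> float:
    """0..100: section-weighted share of credit the vendor failed to earn."""
    scores = score_sections(questions, responses)
    if not scores:
        raise ValueError("no scorable answers in submission")
    total_w = sum(SECTION_WEIGHTS[s] for s in scores)
    lost = sum(SECTION_WEIGHTS[s] * (1.0 - scores[s]) for s in scores)
    return round(100.0 * lost / total_w, 2)


def risk_tier(gap: float) -> str:
    """Tier thresholds are assumptions."""
    if gap < 20:
        return "low"
    if gap < 50:
        return "medium"
    return "high"


def disposition(tier: str) -> str:
    """Next step per the Control Assessment slide; the high-tier step is an assumption."""
    return {
        "low": "move to Annual Assessment status",
        "medium": "move to Remediation status: 30/60/90 day plan, then re-assess",
        "high": "schedule onsite interview and observation before agreeing a remediation plan",
    }[tier]


def next_assessment_due(relationship_tier: str, assessed_on) -> date:
    """Assessment Frequency slide: high risk annually, med/low on a 2/3 year rotation."""
    if isinstance(assessed_on, str):
        assessed_on = date.fromisoformat(assessed_on)
    years = {"high": 1, "medium": 2, "low": 3}[relationship_tier]
    try:
        return assessed_on.replace(year=assessed_on.year + years)
    except ValueError:  # 29 February rolled into a non-leap year
        return assessed_on.replace(year=assessed_on.year + years, day=28)


if __name__ == "__main__":
    g = gap_score(SIG_LITE, SAMPLE_RESPONSES)
    t = risk_tier(g)
    print(f"gap score {g}% -> {t}: {disposition(t)}")
    # frequency follows the relationship tier from slide 9, assumed "medium" here
    print("next assessment due:", next_assessment_due("medium", "2015-12-10"))
```

Two details worth noticing in the scoring: an N/A answer shrinks the denominator instead of counting as a pass, so a vendor cannot improve a score by marking controls not applicable, and the informational SL.6 never contributes either way, because "Yes, external parties have access" is scoping input for the relationship tier rather than evidence of a control.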

13 VRM Team
ITS or Security Team
VRM (Vendor Risk Management) Team
Procurement
Outsourced professional services
Internal Audit: independent review of VRM results
CPA firms
FDIC

14 Vendor Risks
Don't be a Target
No contract over your vendors' vendors
IP, customer DB, employee DB, outsourced IT
GEO
FCPA
Bankruptcy: no longer able to support your need; disappearing hardware and IP
Risk: reputational, financial, regulatory

15 Questions

16 Regents & Park VRM Blog
LinkedIn blog on VRM: www.linkedin.com/in/jasonnjames, https://www.linkedin.com/today/author/381038

17 Regents & Park
Jason James, President
+1 (949) 903-2524
Jason.james@regentsandpark.com
LinkedIn blog on VRM: www.linkedin.com/in/jasonnjames, https://www.linkedin.com/today/author/381038