Top 10 Tips for Effectively Assessing Third-party Vendors


Top 10 Tips for Effectively Assessing Third-party Vendors
Presented by: Tom Garrubba, Manager, Technical Assessments Group, CVS Caremark; Web Hull, Senior Privacy & Compliance Specialist, Iron Mountain

Top 10 Tips
1. One size doesn't fit all and it isn't free
2. Determine what data is in-scope for assessment
3. Accurately & thoroughly describe how the data will flow
4. Triage risk: High, Medium & Low
5. Start with an assessment & data collection instrument
6. Trust but verify: collect evidence
7. Accept or remediate non-compliant findings
8. Identify & assess critical, downstream vendors/subcontractors
9. Determine if/when an on-site review is necessary
10. Determine when a reassessment should be performed

1. One size doesn't fit all and it isn't free!
- The role players:
  - Regulators & standard setters
  - Customers
  - The corporation and the business units
  - The vendor
  - Subcontractors / downstream vendors
- Who does the real work? Employees, 3rd party, a mix, other
- Program initiation and alignment
- Formula for implementation: centralized or decentralized
- Who pays for it?


2. Determine what data is in-scope for assessment
- Who?
  - Regulators (FTC, Federal Reserve, HHS, FDIC, etc.)
  - Industry (PCI)
  - Customers
  - Your own criteria
- What information?
  - Customer information
  - Employee information
- Why?
  - You are compelled to perform due diligence by law, regulation or standard
  - Your customers demand it, as you are putting their information at risk by giving it to another company


3. Accurately & thoroughly describe how the data will flow
Precisely and completely describe:
- Services the vendor will provide
- Customer, employee & company data and information the vendor will collect and/or have access to
- What the vendor will do with this data and information
- Where this data and information will be processed & stored
- How the data will get to the vendor
- Any subcontractors to be used


4. Triage risk: High, Medium & Low
- Why? Focus limited resources; reduce the vendor's effort
- How? Short questionnaire, 10+ questions
- Who? Business owner & vendor
- Other benefits: shape/reduce the longer assessment


5. Start with an assessment and data collection instrument
- Assessment = a due diligence activity to gain a level of comfort with the overall security, privacy and data protection posture of the vendor
- Send a questionnaire to the vendor and have it returned for analysis
- Use an existing questionnaire: SIG (Standardized Information Gathering)
  - Industry standard questionnaire developed by members of the Shared Assessments program (www.sharedassessments.org)
  - Covers all domains of ISO 27002 as well as HIPAA/HITRUST, PCI DSS, COBIT, NIST, GLBA, privacy & cloud
- Or develop & send your own questionnaire
- Have qualified people assess the responses: CISA, CRISC, CISSP, CIPP (US/G/C/IT)
- This is the Pre-Assessment Phase (i.e., Phase 1) of the VAP lifecycle

5. Start with an assessment and data collection instrument: VAP Phase 1, Pre-Assessment
- Obtain all information regarding the scope of work
- Find out which data will be CSTUPD'ed: Collected, Stored, Transmitted, Used, Processed, Destroyed
- Converse with the assigned BU and/or the vendor contacts to fully understand the what, where and how
- If applicable, determine whether the assessment will be handled by an internal or external assessor
- Send the vendor the questionnaire to be completed

5. Start with an assessment and data collection instrument: the VAP lifecycle
- Phase 1, Pre-Assessment: define scope; define data in use (CSTUPD); distribute questionnaire
- Phase 2, Assessment: perform kickoff; obtain BU and vendor docs; acquire SIG responses; perform AUP; document CIs
- Phase 3, Post-Assessment: risk scoring; update BU and vendor management; track CIs; file BU/vendor docs; remediate CIs
- Phase 4, Re-Assessment: reevaluate data type; reevaluate location


6. Trust but verify: collect evidence (VAP Phase 2, Assessment)
- Have a meeting with the BU and vendor to discuss contacts, deliverables and timelines
- Request/review pertinent documentation from:
  - The BU: contracts, SOWs, NDAs, BAAs
  - The vendor: SSAE 16 Type II reports; ISO 27001/2 certification; CMM level; NAID
- Review the returned questionnaire responses
- Note contingent items (non-compliant items, findings, etc.)
- Update BU and vendor management
- Track contingent items
- Compose the assessment report
- File BU/vendor documents
- Track all contingent items through remediation


7. Accept or remediate non-compliant items
- Contingent items (aka issues, findings, observations, notable items, etc.)
- You can accept the risk associated with a particular item, or you can require remediation of the item
- Require remediation by the vendor or business unit:
  - Risk-rate and prioritize accordingly
  - Actively monitor until they are closed
  - Escalate to appropriate levels of management if timelines are not met
  - Adjust the timelines if the vendor cannot reasonably meet the target dates

7. Accept or remediate non-compliant items: three types of contingent items (CIs)
- Contractual: contracts, SOWs, NDAs, BAAs that are incomplete or out of date
- HR-related: drug testing, background checks, credit checks
- Technical/operations: typical IT/operations-related issues, findings, observations


8. Identify & assess critical, downstream vendors/subcontractors
- If you have a contract with them:
  - See if you've already assessed them; if not, assess them!
  - Request the same documentation as if they were a primary vendor
- If you don't have a contract with them:
  - Work with the primary vendor to obtain documentation
  - Have the primary vendor set up a call to see what the downstream vendor/subcontractor is willing to provide
- Use the same assessor if possible (they know the scope of work)!

8. Identify & assess critical, downstream vendors/subcontractors (continued)
- Determine the risk of these downstream vendors: High, Medium, Low
- Seek third-party attestations and other evidence regarding the vendor's high-risk vendors: SSAE 16, AUP, ISO 27001/2, PCI certification, etc.
- Review attestations & make a decision
- Make sure that your contract contains relevant terms


9. Determine if/when an on-site review is necessary
- Have the primary vendor identify its vendors that:
  - Will process, have access to (or potential access to), transport or store protected data
  - Are in another country
- Determine how the vendor assesses, contracts with and monitors these vendors
- You might have to do some work here: conference call interview, other Q&A
- Determine whether your staff or external assessors will be needed!


10. Determine when a reassessment should be performed (VAP Phase 4, Re-assessment)
Start planning by determining the criteria:
- Based on type of data (PCI, PHI, etc.)? Suggestions include:
  - PCI = annual
  - PHI, sensitive PII = annual
  - Non-sensitive PII, strategic, other proprietary = ??? (left open)
- Based on geographic location? Onshore; offshore; offshore but with safe harbor agreements
- Based on a scoring system? Risk rating; SIG; other GRC tool; in-house tool
- A combination of the above?

Top 10 Tips: but wait, there's more!


11. Retain all assessment data, decisions and records
- Why? You are going to need them later!
  - Regulatory, internal or other audit
  - Something goes wrong (e.g., a negative assessment)
  - Reassessment
- How? A GRC system, SharePoint or some other centralized system
- Back it up (Murphy's Law!)

Top 10 Tips: and if you call right now!!!

Bonus #1: Manage your external assessors
- They are an extension of your VAP team and should be treated as such
- Discuss their progress at least weekly
- Ensure they pull you in when the assessment begins to look bad: no surprises!
- Participate in closing meetings for key/offshore vendors
- Make sure vendors will accept their NDAs
  - Be prepared for the legal departments to red-line the document!
- Be prepared to adjust start/end dates

Bonus #2: Use operational metrics
- VRB status monitoring
- Assessments assigned to assessors
- Internal/external assessments open
- Pre-assessment review
- Stage-gate monitoring:
  - Assessor kickoff
  - How long it takes to get the questionnaire back
  - How long it takes to resolve AUP items (questions, documentation)
- Assessments in management review
- Contingencies due in the past 30/60/90/>120 days
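The triage in tip 4, the reassessment criteria in tip 10 (data type, geographic location, scoring system, or a combination) and the contingency-aging metric in Bonus #2 are easy to lose in spreadsheets. The following is an added example, not code from the presentation or from Shared Assessments, of the minimum a VAP team might automate: a vendor record built from the intake facts the deck asks for (data types, location, CSTUPD operations, last assessment date), a High/Medium/Low rating, a next-reassessment date, and a 30/60/90/>120-day overdue report for open contingent items. The scoring weights, the 6-month cap for offshore vendors without safe harbor, the 18-month cadence for non-sensitive data (which the deck leaves as "???") and all vendor and finding data are constructed assumptions; only "PCI = annual" and "PHI / sensitive PII = annual" come from the deck.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set

# Reassessment cadence in months by data type (tip 10). "PCI = annual" and
# "PHI / sensitive PII = annual" come from the deck; 18 months for non-sensitive
# PII and proprietary data is a constructed placeholder, since the deck leaves
# that cadence open.
CADENCE_MONTHS: Dict[str, int] = {
    "PCI": 12,
    "PHI": 12,
    "SENSITIVE_PII": 12,
    "NON_SENSITIVE_PII": 18,
    "PROPRIETARY": 18,
}
REGULATED = {"PCI", "PHI", "SENSITIVE_PII"}

# Geographic weights (assumption): offshore raises risk; a safe-harbor
# agreement offsets part of it.
LOCATION_WEIGHT: Dict[str, int] = {"onshore": 0, "offshore_safe_harbor": 1, "offshore": 2}


@dataclass
class Vendor:
    name: str
    data_types: Set[str]      # keys of CADENCE_MONTHS
    location: str             # key of LOCATION_WEIGHT
    operations: Set[str]      # CSTUPD letters: Collect/Store/Transmit/Use/Process/Destroy
    last_assessed: date


@dataclass
class ContingentItem:
    vendor: str
    kind: str                 # "contractual", "hr" or "technical" (the deck's three CI types)
    due: date
    closed: bool = False


def triage(v: Vendor) -> str:
    """Tip 4: rate a vendor High / Medium / Low from a handful of intake facts.
    Weights and thresholds are assumptions, not the deck's."""
    score = 3 if v.data_types & REGULATED else (1 if v.data_types else 0)
    score += LOCATION_WEIGHT[v.location]
    if v.operations & {"S", "P"}:      # storing or processing, not merely transmitting
        score += 1
    if score >= 5:
        return "High"
    return "Medium" if score >= 3 else "Low"


def _add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic; the day is clamped to the target month's length."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def next_reassessment(v: Vendor) -> date:
    """Tip 10: the most sensitive data type in scope sets the cadence; offshore
    vendors without safe harbor are capped at 6 months (the cap is an assumption)."""
    months = min((CADENCE_MONTHS[t] for t in v.data_types), default=24)  # 24 = assumed default
    if v.location == "offshore":
        months = min(months, 6)
    return _add_months(v.last_assessed, months)


def overdue_buckets(items: List[ContingentItem], today: date) -> Dict[str, int]:
    """Bonus #2: open contingent items by days past due (30/60/90/>120 buckets)."""
    counts = {"1-30": 0, "31-60": 0, "61-90": 0, "91-120": 0, ">120": 0}
    for ci in items:
        age = (today - ci.due).days
        if ci.closed or age < 1:      # closed, or not yet due
            continue
        if age <= 30:
            counts["1-30"] += 1
        elif age <= 60:
            counts["31-60"] += 1
        elif age <= 90:
            counts["61-90"] += 1
        elif age <= 120:
            counts["91-120"] += 1
        else:
            counts[">120"] += 1
    return counts


# Constructed sample vendors and findings (not real companies or assessment data).
TODAY = date(2015, 10, 1)
VENDORS = [
    Vendor("PayCo", {"PCI"}, "onshore", {"C", "S", "T", "P"}, date(2014, 11, 15)),
    Vendor("OffshoreDev", {"PHI"}, "offshore", {"P", "U"}, date(2015, 3, 31)),
    Vendor("MailHouse", {"NON_SENSITIVE_PII"}, "offshore_safe_harbor", {"T"}, date(2015, 1, 10)),
]
ITEMS = [
    ContingentItem("PayCo", "contractual", date(2015, 9, 20)),         # constructed: NDA out of date
    ContingentItem("PayCo", "technical", date(2015, 7, 15)),           # constructed: patching gap
    ContingentItem("OffshoreDev", "hr", date(2015, 5, 1)),             # constructed: background checks
    ContingentItem("OffshoreDev", "technical", date(2015, 8, 10), closed=True),
    ContingentItem("MailHouse", "contractual", date(2015, 10, 15)),    # not yet due
]

if __name__ == "__main__":
    for v in VENDORS:
        print(f"{v.name:12} {triage(v):7} next reassessment {next_reassessment(v)}")
    print("overdue CIs:", overdue_buckets(ITEMS, TODAY))
```

Two details worth keeping when adapting this: the cadence is driven by the most sensitive data type in scope rather than an average, so a vendor that touches PCI data plus marketing lists is still on an annual cycle, and the aging report ignores closed and not-yet-due items so the 30/60/90/>120 counts only ever reflect missed dates, which is what management escalation (tip 7) keys on.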

Thank You! & Questions?

For more information
- Thomas.garrubba@cvscaremark.com; (412) 967-8196
- Web.Hull@ironmountain.com; (617) 535-2958
- www.sharedassessments.org
Resources: FAQs and tips for getting started; case studies; Enterprise Cloud Computing Guide; detailed comparisons with regulations and international standards (HIPAA/HITECH, PCI, ISO, COBIT, NIST); members; partners