MAINTAINING COMPLIANCE AND MANAGING RISK IN OUTSOURCED ENGAGEMENTS. Nick Harrahill PayPal Global Security Operations

Similar documents
Third-Party Access and Management Policy

PAYMENT CARD PROCESSING

Third Party Risk Management 12 April 2012

9/14/2015. Before we begin. Learning Objectives. Kevin Secrest IT Audit Manager, University of Pennsylvania

FREQUENTLY ASKED QUESTIONS The MasterCard Site Data Protection (SDP) Program

Platform as a Service and PCI

Services Providers. Ivan Soto

FREQUENTLY ASKED QUESTIONS The MasterCard Site Data Protection (SDP) Program

SAS No. 70, Service Organizations

3 rd Party Vendor Risk Management

HITRUST CSF Assurance Program

Key USP s. Multiple PCI level GRC tool

Vendor Management Best Practices

SHARED ASSESSMENTS PROGRAM STANDARDIZED INFORMATION GATHERING (SIG) QUESTIONNAIRE

Weighing in on the Benefits of a SAS 70 Audit for Third Party Data Centers

Vendor Management Compliance Top 10 Things Regulators Expect

Third-Party Cybersecurity and Data Loss Prevention

Internal Audit Activity Update

3 rd -party Security Risk Assessment

SERVICE ORGANIZATION CONTROL REPORTS SM. Formerly SAS 70 Reports

SSAE 16 for Transportation & Logistics Companies. Chris Kradjan Kim Koch

VENDOR MANAGEMENT An Update & Discussion

Feature. Vendor Due Diligence

PACB One-Day Cybersecurity Workshop

Taking Information Security Risk Management Beyond Smoke & Mirrors

Technical breakout session

Maintaining PCI-DSS compliance. Daniele Bertolotti Antonio Ricci

Weighing in on the Benefits of a SAS 70 Audit for Payroll Service Providers

OUTSOURCING DUE DILIGENCE FORM

Validation of PCI Compliance Requirements NC Office of the State Controller June 23, 2015

How To Protect Your Credit Card Information From Being Stolen

Shared Assessments Program Case Study

3rd Party Assurance & Information Governance outlook IIA Ireland Annual Conference Straightforward Security and Compliance

Request for Proposal For: PCD-DSS Level 1 Service Provider St. Andrew's Parish Parks & Playground Commission Bid Deadline: August 17, 2015 at 12 Noon

IIA Conference. September 18, Paige Needling Director, Global Information Security Recall, Inc.

How To Write A Pca Dss Compliance Solution For Gameplan Group Ltd

Property of CampusGuard. Compliance With The PCI DSS

PCI Compliance Just the Facts. Rick Dakin President ext. 7001

The Seven Elements of a Vendor Oversight Program

PCI DSS 3.0 Changes & Challenges P R E S I D E N T/ C O - F O U N D E R F R S EC U R E

Cybersecurity y Managing g the Risks

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?

9/13/ /20 Vision for Vendor Management & Oversight. Disclaimer. Bank Service Company Act - FIL-49-99

Vendor Management Compliance Top 10 Things Regulators Expect

Three Critical Success Factors for PCI Assessment. Seth Peter NetSPI April 21, 2010

PCI on Amazon Web Services (AWS) What You Need To Know Understanding the regulatory roadmap for PCI on AWS

SHARED ASSESSMENTS PROGRAM STANDARD INFORMATION GATHERING (SIG) QUESTIONNAIRE 2014 MAPPING TO OCC GUIDANCE ( ) ON THIRD PARTY RELATIONSHIPS

APPENDIX G ASP/SaaS SECURITY ASSESSMENT CHECKLIST

Vendor Management Challenges and Solutions for HIPAA Compliance. Jim Sandford Vice President, Coalfire

KLC Consulting, Inc. All Rights Reserved. 1 THIRD PARTY (VENDOR) SECURITY RISK MANAGEMENT

IT audit updates. Current hot topics and key considerations. IT risk assessment leading practices

IT Governance Regulatory. P.K.Patel AGM, MoF

How To Be A Successful Compliance Officer

PCI DATA SECURITY STANDARD OVERVIEW

Identifying and Managing Third Party Data Security Risk

Our Commitment to Information Security

Infrastructure Information Security Assurance (ISA) Process

SECURITY AND EXTERNAL SERVICE PROVIDERS


Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance

GOVERNANCE AND SECURITY BEST PRACTICES FOR PAYMENT PROCESSORS

PCI DSS. Payment Card Industry Data Security Standard.

VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium

Music Recording Studio Security Program Security Assessment Version 1.1

Intelligent Vendor Risk Management

IT Governance. What is it and how to audit it. 21 April 2009

Online Compliance Program for PCI

Cloud Assurance: Ensuring Security and Compliance for your IT Environment

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

Payment Card Industry Data Security Standard (PCI DSS) v1.2

Publication 805-A Revision: Certification and Accreditation

White Paper on Financial Institution Vendor Management

Program Overview. CDP is a registered certification designed and administered by Identity Management Institute (IMI).

The Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant

Stepping Through the Info Security Program. Jennifer Bayuk, CISA, CISM

Payment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc.

Payment Card Industry Data Security Standard (PCI DSS)

The Changing IT Risk Landscape Understanding and managing existing and emerging risks

Third Party Assurance

2.1.2 CARDHOLDER DATA SECURITY

OC Chapter. Vendor Risk Management. Cover the basics of a good VRM program, standards, frameworks, pitfall and best outcomes.

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

PCI Compliance. Top 10 Questions & Answers

Ayla Networks, Inc. SOC 3 SysTrust 2015

PAYMENT CARD PROCESSING

COMPLIANCE OVERVIEW: PCI DSS Edition. Complimentary. Preview

Anypoint Platform Cloud Security and Compliance. Whitepaper

Keeping up with the World of Cloud Computing: What Should Internal Audit be Thinking About?

CFPB Readiness Series: Compliant Vendor Management Overview

Don Roeber Vice President, PCI Compliance Manager. Lisa Tedeschi Assistant Vice President, Compliance Officer

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor January 23, 2014

PCI Compliance Overview

How To Protect Your Business From A Hacker Attack

Cyber Security Auditing for Credit Unions. ACUIA Fall Meeting October 7-9, 2015

Hosting Services VITA Contract VA AISN (Statewide contract available to any public entity in the Commonwealth)

ACI ON DEMAND DELIVERS PEACE OF MIND

Spokane Airport Board (Spokane International Airport, Airport Business Park, Felts Field) Addendum #1 - Q&A

How To Ensure Account Information Security

Transcription:

MAINTAINING COMPLIANCE AND MANAGING RISK IN OUTSOURCED ENGAGEMENTS Nick Harrahill PayPal Global Security Operations

AGENDA Inception of an engagement The legal agreement Assessing the risk Customer call center use case Best practices and lessons learned Questions and answers 2 Confidential and Proprietary

INCEPTION OF AN ENGAGEMENT Understanding the relationship What is the external party doing on our behalf? Access to data Access to systems Providing development Collecting data on our behalf Anything that could impact customers, company or brand Relationships Change- Ensure the business keeps you appraised of changes that impact risk. 3 Confidential and Proprietary

INCEPTION OF AN ENGAGEMENT Relationships Change- Ensure the business keeps you appraised of changes that impact risk. Sensitivity of data processed Change in importance of vendor-are all of our eggs in one basket? A shift towards more dynamic processing like offline storage of data Incidents at external party Downstream outsourcing the external party introducing their vendors to our process or data 4 Confidential and Proprietary

CRITICAL PARTNERSHIPS Business Unit Relationship Manager (BURM) Procurement Legal Team and Privacy Information Security, Compliance and related SME s Your counterparts in Legal, Information Security, Compliance and other areas at external party Procurement and Legal are effective traffic cops in ensuring projects get routed for assessment. Partner with Legal, Info Sec and Compliance partners at external party. Help them understand your expectations, learn their processes, and how you will best work together. 5 Confidential and Proprietary

CRITICAL PARTNERSHIPS Procurement and Legal as traffic cops Follow the money Pursue integrated processes and repositories for all parties supporting the vendor life cycle Partner with Legal, Info Sec and Compliance Counterparts at External Party Understand where there are gaps and opportunities for compensating controls Avoid contentious relationships and emphasize our shared interests in compliant processes 6 Confidential and Proprietary

THE LEGAL AGREEMENT Ensure responsibilities are understood Escalation processes should an incident occur. Identify POC s and critical support lines. Downstream outsourcing intentions or other external party relationships that impact our data and processes. Audit and/or annual collection of compliance documentation. Changes that impact their localized industry compliance status. Notification of significant changes to security program that impact our process. 7 Confidential and Proprietary

ASSESSING THE RISK Access to data Access to systems Providing development Collecting data on our behalf Anything that could impact customers, company or brand Regulatory considerations Business continuity Customer data: confidential, restricted or designated sensitive data. Legal obligations based on the residency of data where the customer resides and where our external partner does. Customer privacy agreements should be kept in sync. What is the impact to our business if services at the vendor are down for hours, days, weeks or longer? 8 Confidential and Proprietary

ASSESSING THE RISK Customer privacy agreements should be kept in sync Does this impact our customer privacy agreement? Global Privacy counterparts should be engaged for review of more sensitive data flows. What is the impact to our business if vendor services are down? Does it impact our internal SLA s? Do we have redundancy for what the external party provides? 9 Confidential and Proprietary

RISK ASSESSMENTS Assess according to vendor risk tier & type High Risk SIG + targeted assessment based on type of vendor Applicable artifacts PCI documentation, vulnerability management, SDLC documentation Vulnerability scanning On-site audits Annual reassessment Medium Risk SIG or SIG lite Vulnerability scanning Assess as needed or with changes to relationship Low Risk SIG lite Assess as needed or with changes to relationship 10 Confidential and Proprietary

COMMON INDUSTRY FRAMEWORKS Standard Information Gathering (SIG) Questionnaire Consistent service provider evaluation process offered by Shared Assessments www.sharedassessments.org Several sections, including Risk Management, Security Policy, Asset Management, HR, and Privacy Full SIG version and SIG Lite SSAE Auditing Standard (formerly SAS70) www.ssae-16.com Done via a third party auditor to demonstrate adequate controls and safeguards Shared upon execution of NDA s One size does not fit all utilizing a target assessment based on the type of external partner is best. The external partner population can contain Data Centers, Payment Processors, Marketing companies, small development teams, and other examples that have varied risk factors. 11 Confidential and Proprietary

THE CUSTOMER CALL CENTER USE CASE Maintaining oversight Initial assessment Annual on-site assessments Quarterly self assessments Setting expectations up front on audit and assessment obligations is essential to a congenial working relationship. Annual on-site assessments Provide standard check of control base that is consistent across external call center sites Test controls that the external party is responsible for. Report to Management, determine appropriate risk mitigation with needed. Quarterly self-assessments Light-weight version of audit that can be done by layperson. Partner with external party in questions and issues. Report to Management, determine appropriate risk mitigation with needed. 12 Confidential and Proprietary

THE CUSTOMER CALL CENTER USE CASE Provide concise, meaningful reporting for business stakeholders on individual reviews and performance across the population. Partner Physical Security Logical Security Administrative Controls Resiliency & Performance Partner A 85 88 79 80 83 Partner B 88 90 91 82 87 Partner C 78 85 93 90 86 Partner D 77 80 96 90 85 Partner E 90 90 92 92 91 Average 13 Confidential and Proprietary

OTHER BEST PRACTICES AND LESSONS LEARNED Partner with Business counterparts to build compliance processes into initial RFP flows. For large external entities, assess at the project level vs entity level to determine specifics on the use case. Maintain an accountable process with responsibilities of each party clear (Business Unit-External Party-Legal-etc) Review your process on an annual basis-risks evolve, the business changes, and we must adapt with that. Evangelize your processes internally both to demonstrate the requirement and its value proposition. Develop a platform repository that supports all ends of the process (several GRC solutions in the industry). 14 Confidential and Proprietary

SUMMARY Managing effective oversight over outsourced processes and services requires several key points: Understanding the nature of the engagement at its inception. Maintaining critical partnerships internally and at the external party. Keeping Legal Agreements in sync with your requirements and regulatory obligations. Assessing the risk and applying a commensurate auditing structure. 15 Confidential and Proprietary

QUESTIONS

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information