Third-Party Cybersecurity and Data Loss Prevention



Similar documents
2014 Vendor Risk Management Benchmark Study

Dodging Breaches from Dodgy Vendors: Tackling Vendor Risk Management in Healthcare

Third Party Risk Management 12 April 2012

9/14/2015. Before we begin. Learning Objectives. Kevin Secrest IT Audit Manager, University of Pennsylvania

VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium

Identifying and Managing Third Party Data Security Risk

Is Your Company Ready for a Big Data Breach?

KLC Consulting, Inc. All Rights Reserved. 1 THIRD PARTY (VENDOR) SECURITY RISK MANAGEMENT

The Changing IT Risk Landscape Understanding and managing existing and emerging risks

Vendor Management: An Enterprise-wide Focus. Susan Orr, CISA CISM CRISC CRP Susan Orr Consulting, Ltd.

Cyber Security Auditing for Credit Unions. ACUIA Fall Meeting October 7-9, 2015

3 rd -party Security Risk Assessment

DATASHEET CONTROL COMPLIANCE SUITE VENDOR RISK MANAGER 11.1

SHARED ASSESSMENTS PROGRAM STANDARD INFORMATION GATHERING (SIG) QUESTIONNAIRE 2014 MAPPING TO OCC GUIDANCE ( ) ON THIRD PARTY RELATIONSHIPS

Vendor Risk Management Financial Organizations

Building Best Practices for Effective Monitoring of a Third Party s Incident Event Management Program. A Shared Assessments Briefing Paper

FFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors

How to Protect Sensitive Corporate Data against Security Vulnerabilities of Your Vendors

OCC 98-3 OCC BULLETIN

Don t Get Left in the Dust: How to Evolve from CISO to CIRO

Shared Assessments Program Case Study

NetIQ FISMA Compliance & Risk Management Solutions

White Paper on Financial Institution Vendor Management

MAINTAINING COMPLIANCE AND MANAGING RISK IN OUTSOURCED ENGAGEMENTS. Nick Harrahill PayPal Global Security Operations

IT Vendor Due Diligence. Jennifer McGill CIA, CISA, CGEIT IT Audit Director Carolinas HealthCare System December 9, 2014

The Legal Pitfalls of Failing to Develop Secure Cloud Services

9/13/ /20 Vision for Vendor Management & Oversight. Disclaimer. Bank Service Company Act - FIL-49-99

Developing and Maintaining a World-Class Third Party Risk Assessment Program

The data breach lifecycle: From prevention to response IAPP global privacy summit March 6, 2014 (4:30-5:30) Draft v

Implementing Information Governance: A Best Practice Approach to Enable Compliance and Reduce Costs & Risks

Developing National Frameworks & Engaging the Private Sector

Outsourcing Technology Services A Management Decision

Cyber Security key emerging risk Q3 2015

Privacy Risk Assessments

FinTech Webinar Series: Vendor Management Principles

2015 Vendor Risk Management Benchmark Study. The Shared Assessments Program and Protiviti Examine the Maturity of Vendor Risk Management

THE DIGITAL AGE THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS

The Convergence of IT Security and Compliance with a Software as a Service (SaaS) approach

Cybersecurity The role of Internal Audit

14 October 2015 ISACA Curaçao Conference By: Paul Helmich

Past vs. Present: Third Party Risk

Cyber Security From The Front Lines

Combating Cyber Risk in the Supply Chain

Best Practices in Data Protection Survey of U.S. IT & IT Security Practitioners

RSA Archer Risk Intelligence

Cyber security in healthcare

Cybersecurity in the States 2012: Priorities, Issues and Trends

WHITE PAPER THIRD PARTY MANAGEMENT: FUNDAMENTALS

Tying It All Together: Practical ERM Integration. Richard Scanlon Vice President Enterprise Risk Management CIGNA Corporation

Implementing Practical Information Security Programs

SHARED ASSESSMENTS PROGRAM STANDARDIZED INFORMATION GATHERING (SIG) QUESTIONNAIRE

Cyber and Data Risk What Keeps You Up at Night?

Practical Vendor Management to Minimize Compliance Risks November 12, 2015

State Governments at Risk: The Data Breach Reality

Risk Considerations for Internal Audit

Address C-level Cybersecurity issues to enable and secure Digital transformation

THIRD PARTY. T i m L i e t z R e g i o n a l P r a c t i c e L e a d e r R i s k A d v i s o r y S e r v i c e s

Cyber Risks in the Boardroom

Jefferson Glassie, FASAE Whiteford, Taylor & Preston

FFIEC Cybersecurity Assessment Tool

Third Party Security Guidelines. e-governance

NIST Cybersecurity Framework & A Tale of Two Criticalities

Putting the Management Back in Vendor Management February 20, 2014

INFOCUS. Five Questions to Guide Cybersecurity Risk Management BY EARL CRANE

The NIST Cybersecurity Framework

Cybersecurity in the US Oil and Gas Industry Connected Oilfields Could Open a Pandora s Box

IT Insights. Managing Third Party Technology Risk

the evolving governance Model for CYBERSECURITY RISK By Gary owen, Director, Promontory Financial Group

Cybersecurity Best Practices in Mortgage Banking. Article by Jim Deitch October 2015

CYBER AND PRIVACY INSURANCE: LOSS MITIGATION SERVICES

Cloud Computing Risks in Financial Services Companies: How Attorneys Can Best Help In An Increasingly SaaS-ified World

THIRD PARTY SUPPLIER RISK MANAGEMENT. Meeting Emerging Financial Services Regulatory Requirements. By Joseph Yacura, ISG Director.

The Shared Assessments Program - All Rights Reserved 2

Key Trends, Issues and Best Practices in Compliance 2014

Cyber, Security and Privacy Questionnaire

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?

CYBERSECURITY: Is Your Business Ready?

Outsourcing in the Financial Services Industry: Finding Opportunities and Managing Risk. New York. OCC and FRB Guidance on Managing Third-Party Risk

Achieving Data Privacy in the Cloud

Ayla Networks, Inc. SOC 3 SysTrust 2015

Experience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC.

Cloud Risk Management: How to Consolidate your CSP and Corporate Risk Profile

Data Breach and Senior Living Communities May 29, 2015

How to Define SIEM Strategy, Management and Success in the Enterprise

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES

Data Analytics: The Next Wave in Health IT. Big Data Conference June 17, Robert Wah, MD. Global Chief Medical Officer CSC

Vendor Security Risk Management

ISE Northeast Executive Forum and Awards

Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015

How To Write An Impactful Audit Report

4th Annual ISACA Kettle Moraine Spring Symposium

Distributor Liability Contract Risk Management THOMAS DOUGLASS APRIL 15, 2015

Enterprise Risk Management & Information Technology

Determining Data Equity: Capture and Calculate Valuation at Risk

CORL Dodging Breaches from Dodgy Vendors

DATA BREACH: hy you should care!

Considerations for Outsourcing Records Storage to the Cloud

Governance, Risk, and Compliance (GRC) White Paper

Cyber Insurance as one element of the Cyber risk management strategy

Transcription:

Third-Party Cybersecurity and Data Loss Prevention SESSION ID: DSP-W04A Brad Keller Sr. Vice President Santa Fe Group Jonathan Dambrot, CISSP CEO, Co-Founder Prevalent Networks

3rd Party Risk Management is a Hot Topic Third-Party Risk is one of the largest drivers of data If not managed effectively, the use of service providers may expose financial institutions to regulatory action, financial loss, litigation, and loss of reputation. Federal Reserve WSJ 12/6/13 Institutions under the jurisdiction of the CFPB will have to evaluate the risk profile of vendors and retain evidence of risk & compliance activities of those 3 rd parties, Risk & Compliance Journal 12/2/13 The Office of the Comptroller of Currency (OCC) issued new standards and requirements for banks regarding the upfront and ongoing management of third party risk October 2013 Improving vendor mgmt is a top security priority for institutions in 2014 Third-party relationships are becoming more complex as more functions are outsourced to the cloud Bank Info Security 11/2013 2

The Data Supply Chain 3 rd Party Vendor Downstream Vendor 3 rd Your Party Business Vendor Downstream Vendor 3 rd Party Vendor 3

Who Moved My Data? (based on a true story) 4

The Vendor Risk Management Problem 5

Interesting Statistics Only 24% of respondents require thirdparty suppliers or partners to comply with baseline security procedures PWC Third Party Risk Management April 2012 76% of data breaches analyzed by TrustWave resulted from a third-party which introduced the security deficiencies that were ultimately exploited. Trustwave 2012 Global Security Report 6

3rd Party Error and Data Loss Cost As shown in Figure 9, a strong security posture, incident response planning CISO appointments and consulting support decreases the per capita cost of data breach (shown as negative numbers). Third party errors, lost or stolen devices and quick notifications increases the per capita cost of data breach (shown in positive numbers). Figure 9. Impact of seven factors on the per capita cost of data breach Consolidated view (n=277). Measured in US$ Source: 2013 Cost Data Breach Study; Ponemon Institute; May 2013 7

3rd Party Error and Data Loss Cost Figure 11a, 11b and 11c show the factors that increased the cost of data breach, On average, third party errors increased the cost of data breach by as much as $43 per record in the US. In the case of Brazil and India, such incidents increased the cost by only $10 and $6, respectively. Figure 11a. Third Party Error (US$) Source: 2013 Cost Data Breach Study; Ponemon Institute; May 2013 8

Recommendations Assess before you buy! Understand and improve program maturity. Standardize your content. Automate wherever possible. Align with the business and other stakeholders. Get audit rights in contract. Move away from single, point-in-time assessment. Monitor regularly. 9

The SIG Standardized Information Gathering Questionnaire Replaces proprietary outsourcer questionnaires (1000s to 1) Complete picture of service provider controls NEW for 2014 - an entirely new section for assessing a vendor s software security development lifecycle, and the expansion of questions related to service provider outsourcing (fourth-party risks). 10

Shared Assessments Tools and Other Considerations The Agreed Upon Procedures (AUP) Used by companies to evaluate the controls their service providers have in place for information data security, privacy and business continuity. New for 2014 - a new AUP Report Template allows users of the AUP to track the results of an AUP assessment and generate a clear and concise report of assessment results. The Vendor Risk Management Maturity Model (VRMMM) Incorporates vendor risk management best practices into a usable model, which can be used to assess the current and desired future state New for 2014 - New enhancements to the VRMMM include the ability to score program components to indicate those areas that are currently under development and provide tracking of program improvements over time. The Model now includes a dashboard that displays scores for each component; each foundational program area; and, an overall maturity score for the program. 11

Vendor Risk Management Maturity Model (VRMMM) Monitor & Review Tools, Measurement & Analysis Communication and Information Sharing Skills and Expertise Vendor Risk Identification and Analysis Contracts Policies, Standards, Procedures Program Governance 12

The Future of 3rd Party Risk Vendor Risk to 3rd Party Oversight Security + Operational Risk + SLA Management Big Data Analytics and Continuous Monitoring Application Security In The Spotlight Additional Regulatory and Privacy Coverage Additional Sharing Among Peers AUP Pilots ISACs 13

Thank you! Come Visit Us at Booth #1038

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information