• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
3rd Party Risk: Practical Considerations for Privacy & Security Due Diligence

3rd Party Risk: Practical Considerations for Privacy & Security Due Diligence






Total Views
Views on SlideShare
Embed Views



0 Embeds 0

No embeds



Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment
  • Head of Corporate Privacy Office since 2006Previously head of The Hartford Life's Corporate Compliance Unit and the Group Benefits Legal TeamSpecialties: privacy law, insurance law, corporate compliance, social media legal and compliance issues.

3rd Party Risk: Practical Considerations for Privacy & Security Due Diligence 3rd Party Risk: Practical Considerations for Privacy & Security Due Diligence Presentation Transcript

  • 3rd Party Risk – Pt. 1Practical Considerations for Privacy &Security Due Diligence
  • Agenda• Introductions• 3rd Party Risk Due Diligence Best Practices • Questionnaires • On-Site Reviews• Q&A Page 2
  • Introductions: Today’s Speakers• Ted Julian, Chief Marketing Officer, Co3 Systems • Security / compliance entrepreneur • Security industry analyst• Deb Hampson, AVP & Assistant General Counsel, The Hartford • Head of Corporate Privacy Office since 2006 • Previously head of The Hartford Lifes Corporate Compliance Unit and the Group Benefits Legal Team • Specialties: privacy law, insurance law, corporate compliance, social media legal and compliance issues. Page 3
  • Co3 Automates Breach ManagementPREPARE ASSESSImprove Organizational Quantify Potential Impact,Readiness Support Privacy Impact• Assign response team Assessments• Describe environment • Track events• Simulate events and incidents • Scope regulatory requirements• Focus on organizational gaps • See $ exposure • Send notice to team • Generate Impact AssessmentsREPORT MANAGEDocument Results and Easily Generate DetailedTrack Performance Incident Response Plans• Document incident results • Escalate to complete IR plan• Track historical performance • Oversee the complete plan• Demonstrate organizational • Assign tasks: who/what/when preparedness • Notify regulators and clients• Generate audit/compliance reports • Monitor progress to completion Page 4
  • About The HartfordPersonal Middle Mutual Retirement Lines Market Funds Small Group IndividualSpecialty Annuities Commercial Benefits Life Page 5
  • Data Breaches and 3rd Party Leaks Internal/ Malicious Lost/Stolen 3rd Party Employee Cyber-Attacks Assets Leaks ActionsGlobal Community- Multi-Channel GovernmentConsumer Based Healthcare Marketing Service: Agency:Electronics Firm: Plan: Digital marketing Employee sentHackers stole Laptops with agency exposes CD-ROM withcustomer data, patient data stolen customer data of personal data onincluding credit by former dozens of clients registered advisorscard information employee Millions of 139,000100 million 208,000 records recordsrecords records The multitude of breach regulations don’t care how the data was lost. You are subject to the same requirements. Page 6
  • 3rd Party Privacy & Security Due Diligence Questionnaire On-Site Visits Certifications Annual Audits Page 8
  • POLL
  • Who Receives a Questionnaire? • Every vendor that handles customer data, employee data or company confidential data receives a questionnaire. • The questionnaire is developed using: • International standards: • ISO/IEC 27001 Information Management Systems • ISO/IEC 27002 Code of Practice for Information Security Management • the BITS Financial Institution Shared Asset Program and • internal Privacy and Information Protection Policies • Internal Privacy and Information Protection policies based on regulatory requirements. Page 10
  • What Areas Does the Questionnaire Address? Overview of services  Operations being provided Management Privacy and Security  Network Management Policies  Information Handling Organizational Structure  Access Control Personnel Security  Compliance Environmental  Business Continuity Security and Disaster Recovery Page 11
  • POLL
  • Who gets an On-Site Visit? Risk-Based Approach For Vendors Who: • Provide incomplete questionnaire responses • Provide unsatisfactory questionnaire responses • Handle contracts over a specified dollar amount • Handle information that is sensitive or confidential • Are located in a foreign country Page 13
  • Components Of An On-Site Review Process Address key privacy and security policies Meetings with vendor and procedures to ensure senior Senior management management buy in Allows assessors to obtain more Interviews with key personnel specific information on vendor’s controls Comprehensive Verify the existence of key document Review security documents Physical security Verify key physical security and inspection environmental controls in place Verify that security requirements Policy/Statement of work detailed in the Statement of Work are verification implemented. Page 14
  • Top Questions 1.Do comprehensive information security policies exist that all employees must read and accept? 2.Are all employees and contractors with access to Company data required to take information security awareness training? 3.Are there processes in place that ensure access to Company data is authorized and granted in the most restrictive manner possible and limited to those having a business need for such authorization? 4.Is access to Company data contingent on a thorough criminal background history investigation performed using an accredited personnel investigation agency? 5.Are physical security measures in place to control physical access to systems or output that contain Company data? Page 15
  • Top Questions (cont.) 6. Is all access to Company data logged and reviewed on a regular basis? 7. Is there a Security Incident Response Plan in place that contains procedures to be followed in the event of any actual, suspected, or threatened security breach, including unauthorized use, access, disclosure, theft, manipulation, or reproduction of Company data?d 8. Will the vendor submit to an annual Security Risk Assessment review based on ISO 27001, conducted by the Company (or its agent)? 9. Is there commercially reasonable and effective network intrusion prevention or detection, firewalls and anti-virus protection in place and functioning properly? 10. Are operating systems and applications associated with the Company appropriately patched after knowledge of any security vulnerabilities? 11. Are all sensitive or confidential data sent over public networks encrypted with at least 256-bit encryption? Page 16
  • Considerations For Foreign Service Providers  Scope of Services and Sensitivity of Data • Are the services contemplated to be performed temporarily or on an ongoing basis? • Do the services involve the handling, storage or transmission of sensitive data? • Can the company execute an exit strategy if services disrupted?  Geographic, Cultural, Social and Political Factors • How far away is the vendor? • What language barriers? • How often does the Company plan to review or audit the vendor? • Do on-site reviews need to be done? • What social or political factors are reasonably likely to affect the provider? • Can the Company monitor these factors?  Business Continuity and Disaster Recovery • Does the vendor have Business Continuity Plan? • Does the vendor have experience executing the plan? • Local Laws Regulating Privacy and Data Security Page 17
  • Considerations For Foreign Service Providers (cont.)  Local Laws Regulating Privacy and Data Security • Are there local laws that impose requirements on vendor with regard to data? • How do the local laws apply to the Company?  Legal/Compliance Risk • What contractual provisions required to ensure proper resolution of disputes? • If local laws create requirements are they consistent with the provisions the Company applies to its US based service providers? • What is the process under local laws for responding to access requests by individuals, subpoenas or other requests for disclosure from governmental agencies?  Security Controls • Can the vendor reasonably be expected to satisfy stricter or rapidly evolving standards for data security? • Is the vendor transferring data to other locations or countries? Page 18
  • How About When You Receive A Questionnaire? • What do you do when there are too many questions to answer? • How do you ensure consistent responses? • How do you respond to yes/no questions? • How do you manage the volume? • Whose Privacy and Security Policies and Procedures do you follow? Page 19
  • Next Webinar• Canadian Breach Regulations • Next Thursday, 10/25 @ 1 PM • Invites with more info and registration information in the next day or two Page 21
  • “Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice.” PC MAGAZINE, EDITOR’S CHOICEOne Alewife Center, Suite 450 “Co3…defines what software packagesCambridge, MA 02140 for privacy look like.”PHONE 617.206.3900 GARTNERWWW.CO3SYS.COM “Platform is comprehensive, user friendly, and very well designed.” PONEMON INSTITUTE Deb Hampson Assistant VP & Assistant GC debra.hampson@thehartford.com www.thehartford.com