Feb20 Webinar - Managing Risk and Pain of Vendor Management

© 2019 TrustArc Inc Proprietary and Confidential Information
PRIVACY INSIGHT SERIES
Winter / Spring 2019 Webinar Program
Managing Risk & Easing the Pain of
Vendor Management
February 20, 2019

© 2019 TrustArc IncPrivacy Insight Series - trustarc.com/insightseries
Thank you for joining the webinar “Managing
Risk & Easing the Pain of Vendor Management”
• We will be starting a couple minutes after the hour
• This webinar will be recorded and the recording
and slides sent out later today
• Please use the GotoWebinar control panel on the
right hand side to submit any questions for the
speakers
1

Today’s Speakers
Shankar Chebrolu
Enterprise Security Architect
Red Hat
Paul Iagnocco
Director Consulting, East
TrustArc
2
2

Today’s Agenda
• Regulatory Context
• Processes & Tools
• Managing Third- Party Risk at Red Hat
• Privacy & Security Vendor Management Best
Practices
• Demonstrating Your Own Compliance
• Key Take-Aways
• Questions
3

Regulatory Context
EU GDPR and CCPA
2

Regulations and Vendor Management
• Requires that organizations pass on the same privacy and
security responsibilities to their vendors and sub-processors.
• Relationship between controller and processor and sub-
processors governed by written agreement.
EU GDPR
• Limited in application of same privacy and security
responsibilities to their vendors (e.g., security, retention,
disclosure, use).
• Relationship between business entity and service provider
governed by written agreement.
CCPA
• Accountability for Onward Transfer: Organizations must enter
into a contract with the third-party controller that provides that
such data may only be processed for limited and specified
purposes …provide the same level of protection as the
Principles and will notify the organization if it makes a
determination that it can no longer meet this obligation.
Privacy
Shield
• Organization should process its protected health information
(PHI) to vendors who demonstrate willingness and/or ability to
apply appropriate safeguards as called for in the Security Rule
and the applicable portions of the Privacy Rule.
HIPAA
4

Common Vendor Management Provisions
Provisions Description
Definitions Section to include personal data, consent, sensitive data (if appropriate),
data owner, data processor/service provider
Documented Instructions:
purpose, duration, parties
Clarity around what the work is and NOT. Only execute what is
documented.
Processor Tech &
Organizational Measures
Implement technical and organizational measures appropriate to the risk;
includes privacy program management
Confidentiality Processor agrees to terms of limited accessibility
Disclosure Disclose personal data ONLY for the specific purpose of performing the
services specified in the contract.
Right to Audit Right of data owner to conduct reasonable audits, systems, protocols,
etc.
Processor Assistance to
Data Owner
Processor will provide assistance for individual rights, breach, etc.
Data Retention & Disposal Processor will return or delate data based of terms of agreement
5

Processes & Tools
2

Identify Key Players in VM
Common Players
• IT
• Finance
• Legal
• Procurement
• Business Owner
• Corp Risk
Management
• Information Security
Priority 1:
Build a relationship with
Information Security team
Priority 2:
With all players:
• Educate – develop a common
language to act
• Common Interest – save them
time or money
• Evangelists – cultivate support
6

Identify Existing VM Approach
Identification
Screening
Risk
Analysis
Risk
Mitigation
Continuous
Monitoring
Storage
Repository
Identification: Find vendor that
meets our needs
Screening: Review references,
conduct business review, deliver
on requirements
Risk Analysis: Viability and
capability of vendor, review
operations
Risk Mitigation: Reduce
exposure, guarantees if things
go wrong
Continuous Monitoring:
Delivering according to agreement
Storage Repository: Maintain
common place for access and
review
7

Expand VM When Necessary to Include Privacy & Security
Identification
Screening
Risk
Analysis
Risk
Mitigation
Continuous
Monitoring
Storage
Repository
Process Step Common VM Plus Privacy &
Security VM
Identification Find vendor that meets our
needs…
…AND demonstrates
privacy and data protection
awareness
Screening Review references, conduct
business review, deliver on
requirements…
…AND completes
appropriate assessments
to either comply with
external regulatory and/or
internal privacy and security
governance
Risk Analysis Viability and capability of
vendor, review operations…
…AND scores favorable
compliance with external
regulatory and/or internal
privacy and security
governance
Risk
Mitigation
Reduce exposure,
guarantees
if things go wrong…
…AND implements Data
Processing Agreement
(DPA) and specifics around
security
Continuous
Monitoring
Delivering according to
agreement…
…AND maintaining terms
of DPA
Storage
Repository
Maintain common place for
access and review…
…AND is classified as a
low, moderate or high risk
which requires specific
rigors for each
Existing
VM
Approach
8

Tools to Manage Vendor
Management

What tools to consider?
Low-Tech or High-Tech Tools to
Manage Vendor Management
Regulations
Volume
Support
Objective:
What type of tools should I consider
to manage my Vendor Management
function in a sustainable way?
What support do we have?
• Appropriate head-count
• Limited head-count
What’s the volume activity
(e.g., assessments, contract changes)
through our function?
• High and growing
• Low and infrequent
Is my business heavily regulated?
Is there constant change to manage
and implement throughout business?
Can you draw conclusions from your
activities to invest in head-count and/or
technology?
9

Low-Tech Tools
If you answered that:
– Vendor management is manageable
– Limited regulations
– Appropriate processes in place
10

High-Tech Tools
If you answered that:
– Growing regulations
– Too much to track
– Vendor management is
constantly in flux
11

Additional Tool Considerations
Process Step Common Instruments Tool Considerations
Screening Privacy: Privacy Threshold Analysis (PTA);
Privacy Impact Assessment (PIA); (GDPR
only) Data Protection Impact Assessment
(DPIA); Security: Security Assessments on
security procedures and practices;
Automated or spreadsheet assessments
• Ease of distribution
• Ease of collection
• Consistency of content
• Ease for vendor completion
Risk Analysis Privacy & Security: Leverage same tools
above with mapping to regulations of
desired outcomes.
• Ease of review
• Ease of scoring of risks
• Updating to reflect changing regulations
Risk Mitigation Privacy & Security: Written contract (DPA)
that outlines specifics of services, and
mitigates vendor shortfalls
• Ability to demonstrate risk conclusions
v. standard
• Ease ability to draft specific mitigations in
DPA
Continuous
Monitoring
Privacy & Security: Automated contract
databases or spreadsheets with reminders
• Ease of re-evaluation when vendor
changes or terms of services change
Storage Repository Privacy & Security: Shared storage
repository for artifacts (e.g., completed
assessments, GDPR reports, etc.)
• Efficiently find vendor assessment upon
request
• Maintain and demonstrate audit trail
• Simple re-send for contract renewals
12

Managing Third-Party Risk
at Red Hat
2

Background
▪ Disparate systems for vendor risk assessments until
2016
– Documents and information collected via email, google forms &
ticketing system
– Home grown survey questions
▪ Vendor risk assessments 2.0 - Feb 2017
– No change in assessment initiation step
– Documents and information collected via TrustArc’s Assessment
Manager (AM) SaaS tool
– Out of box assessment / communication templates with little
customization
13

Vendor Risk Assessment 2.0 in a Nutshell
14

Vendor Risk Assessment 2.0 - Detailed
15

Other Use Cases of TrustArc AM in Red Hat
▪ Self-assessments by IT / business teams
– Security: Custom template from scratch using AM against
Enterprise Security Standard
– Privacy: Out-of-box Privacy Impact Assessments (PIA) with little
customization
▪ Privacy Shield: Annual self-assessments by
Legal department
16

Privacy & Security Vendor
Management Best Practices
2

Best Practices to Address Vendors “Processing” Personal Data
• Build internal relationships with key
players
• Augment existing internal vendor
process; use PTA to determine need to
be involved
• Establish minimum data protection
qualifications
• Privacy and security qualifications
should at a minimum reflect the internal
company
• Conduct privacy assessments (e.g.,
PTA, PIA and if necessary, DPIA) that
addresses vendor’s overall privacy
program appropriate to the nature of the
information
• Conduct security assessments that
address vendor’s overall security
procedures and practices appropriate to
the nature of the information
• Maintain evidence of the due diligence
• Define “personal Information”
• Limit access to sensitive data
• Require vendor to implement
appropriate administrative, technical
and physical safeguards to protect data
and comply with all applicable laws
• Require vendor to enforce appropriate
privacy and security provisions to entire
workforce
• Require vendor to notify internal
company of suspected or actual
incident involving internal company data
• Require vendor to stipulate data
retention, destruction or return of
company personal data at end of
engagement
• Outline expectation of vendor to
address regulatory requests or data
subject requests
Risk
Mitigation
Screening
Risk
Analysis
19

Demonstrating Your
Own Compliance
2

Demonstrating Compliance to Your Customers
GDPR
Many customers are asking their vendors if they are “GDPR Compliant.”
In the absence of authorized GDPR codes of conduct and certifications, some have
suggested that companies pursue alternative codes of conduct and certifications to fill the
GDPR gap:
• ISO/IEC 27001 certification
• EU-US Privacy Shield Verification
• APEC Cross-Border Privacy Rules (CBPR)
While these accreditations can move a company closer to being able to demonstrate
GDPR compliance, they do not represent complete solutions (falling nearly 50% short
of GDPR expectations.)
20

TrustArc’s GDPR Validation and Benefits
The Program:
• GDPR Validation is not a certification (since the official certification standards and
program have not been issued yet)
• Company completes GDPR Validation Assessment
• TrustArc provides GDPR Validation Findings Letter and GDPR Validation Report,
summarizing compliance status
The Benefits:
• Provides companies with an independent confirmation of their GDPR compliance
efforts and status that can be shared with both internal and external stakeholders
• Use Letter and Validation Report as supplemental information for your responses to
vendor assessment forms
• Post the GDPR Validation Summary on your website as evidence of your good
faith efforts to become GDPR-compliant
• GDPR Validation in 2 scopes:
– Program Validation (for a company-wide program)
– Practices Validations (for specific processes or products)
21

Key Take-Aways
2

Recommendations and Next Steps
• Identify key players and build relationships – especially with Legal and Information
Security
• Educate key players – recruit evangelists about data protection
• Augment existing vendor management process with privacy and security due diligence
– implement hooks and separate workflow
• Identify tools to manage vendor due diligence
• manual, low-tech
• technology platform approach
• long-term v. short-term sustainability
• Be prepared to demonstrate due diligence – reporting and individual rights
management
• Determine appropriate times to revaluate vendor relationship – changes in terms,
regulations, contract renewal
• Common repository for all vendor management and data protection initiatives
• What opportunities exist to demonstrate to your customers your commitment to
compliance? How can you leverage this as a positive point of differentiation?
22

Questions?
2

Contacts
Shankar Chebrolu schebrol@redhat.com
Paul Iagnocco piagnocco@trustarc.com
Eleanor Treharne-Jones eleanor@trustarc.com
2

Thank You!
Register now for the next webinar in our 2019 Winter / Spring
Webinar Series “Solutions for Universal Consent Management”
on March 20, 2019.
See http://www.trustarc.com/insightseries for the 2019
Privacy Insight Series and past webinar recordings.
2

Feb20 Webinar - Managing Risk and Pain of Vendor Management

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Feb20 Webinar - Managing Risk and Pain of Vendor Management

Similar to Feb20 Webinar - Managing Risk and Pain of Vendor Management (20)

More from TrustArc

More from TrustArc (20)

Recently uploaded

Recently uploaded (20)

Feb20 Webinar - Managing Risk and Pain of Vendor Management