Looking at the Third Party Risk Assessment Lifecycle and where opportunities lay for improved efficiencies and scalability from the adoption of Managed Service offerings. What benefits can a Managed Service offering deliver to your Third Party risk Management program and process execution? Presented by Sean O'Brien, Director, DVV Solutions.

1. Third Party Risk Assessment Due Diligence:
Managed Service as Best Practice
Sean O’Brien, Director, DVV Solutions

2. 2 Private and Confidential © Copyright 2017
• Experts in Third Party Risk and IT Security
• Shared Assessments member – only UK-based Assessment Firm
• Prevalent EMEA Channel Partner – only EMEA-based Partner
• Certified Third Party Risk Professional accredited Risk Assessors
• Clients across legal, banking, insurance, retail, and public sectors
• SupplierAssess managed service - unique TPRM-as-a-service offering
outsourced risk assessment and analysis
Who We Are
Founded in 1999 | Headquartered in Cheshire, UK

3. 3 Private and Confidential © Copyright 2017
Q. Do you conduct supplier assessments as part of your supplier
onboarding?
Always completed prior to supplier contracts being executed
Completed as least 50% of the time before supplier contracts are executed
Completed less than 50% of the time before supplier contracts are executed
Are often completed (75% or more of the time) after supplier contracts are executed

4. 4 Private and Confidential © Copyright 2017
You’re Only As Strong As Your Weakest Link
• 26,000 website customer accounts exposed
• Third-Party service provider targeted to gain access to
customer payment details
• Attackers had access to the Third-Party’s internal systems
for more than six weeks
eCommerce provider
hacked, 2017
• Around 120,000 customer names and phone numbers,
postal, email and IP addresses exposed
• Hashed account passwords and partial payment card
numbers and expiry dates included
• IT supplier blamed via database backup on AA website
2017 Breach
sparks ICO probe
• Around 400,000 Italian bank accounts accessed in one of
Europe’s largest data breaches
• Unauthorized access through Italian third party provider to
Italian customer data was the cause of the breach
• Breaches occurred in September and October 2016 but
only uncovered in July 2017
2016 Breach
not identified until 2017
• 21,000 Customers compromised in 2014 by “unauthorised
and unlawful access” by staff at call centre in India
• Data gained used in phone scam to build Customer trust to
then release account and financial details
• Fined £100k in August 2017 after £400k fine for hack in 2015
Total of £500,000 fines
from the ICO

5. 5 Private and Confidential © Copyright 2017
2016 Ponemon Study – Third Party Risk Landscape
ONLY 26% of respondents say the process they use to assess
Third Party risk is effective
56% of respondents say they DO NOT KNOW what IP and
other high value “crown jewels” are in the hands of Third
Parties
75% of respondents consider Third Party risk serious and
increasing, while 70% say that Third Party Risk is
SIGNIFICANTLY INCREASING

6. 6 Private and Confidential © Copyright 2017
Third Party Risk Assessment Lifecycle*
• Define Risk Scope
• Define Test Procedures
• Define Data in Use
• Define Risk Tiers
• Review Contract
requirements
• Perform Kick-off
• Obtain Business Unit and
Supplier Documents
• Document Control Test Results
• “Exit” Interview with Supplier
• Analyse Results and Identity “Fails”
• Update Business Unit and Supplier
• Develop Remediation and Timeline
• Remediate Contingent Items (CI)
• Reporting
• Validate Supplier Rating
• Updates based on Change
in Services
• Risk Scoring
Phase 1
Pre-Assessment
Phase 2
Assessment
Phase 3
Post-Assessment
Phase 4
Evaluate the
Assessment
Process
*Copyright, Shared Assessments CTPRP

7. 7 Private and Confidential © Copyright 2017
Pre-Assessment – Which Suppliers Should Be Assessed?
Onboarding – Initial Supplier Assessment
• Based on Risk rating
• Alignment with ongoing assessment requirements
Ongoing – periodic assessments
• Based on Risk rating
• Frequency
• Events/incidents
• Validate Risk rating

8. 8 Private and Confidential © Copyright 2017
Pre-Assessment – What Are We To Assess?
Determine the scope of the assessment
• Risk rating
• Type of services provided
• Type of data
• Location
• Availability
• Periodic or event triggered
Determine appropriate assessment questionnaire(s) to be utilised

9. 9 Private and Confidential © Copyright 2017
Assessment – Supplier Assessment Process
Critical/High Risk supplier assessments must focus on
• Data access and location
• Systems access
• Availability
• Cloud and Application Security
Obtaining supplier information/documentation
• Extremely resource intensive
• Time consuming to compile accurate and complete information
• Manual processes make comprehensive risk reviews and reporting difficult
Unfortunately, lack of time and resources often compromise the scope of assessments
• Assessments aligned with resource availability and time rather than evaluation of IT security and data privacy controls

10. 10 Private and Confidential © Copyright 2017
Supplier Assessment Challenges
 Aligning supplier assessment due diligence with supplier Risk and corporate requirements
 Balancing the need for detailed risk control information with the time and cost of
performing assessments
 Compiling supplier due diligence in a manner it can be efficiently evaluated for additional
risk treatment
 Providing enterprise supplier risk views and effective supplier risk reporting
 Minimise investment in resources while still providing comprehensive supplier
assessments and management reporting
 Only provides a static point-in-time view. Ongoing risk information not obtained or
evaluated

11. 11 Private and Confidential © Copyright 2017
Q. Do you believe you have the resources necessary to initiate and
complete assessments on existing suppliers in a timely manner?
I am not sure what level of resources are required
We have resources to do some (less than 50%) but not all of the required annual assessments
We have resources to complete most (75% or greater) but not all of the required annual assessments
We are able to complete all required annual assessments

12. 12 Private and Confidential © Copyright 2017
Third Party Risk Assessment Lifecycle*
• Define Risk Scope
• Define Test Procedures
• Define Data in Use
• Define Risk Tiers
• Review Contract
requirements
• Perform Kick-off
• Obtain Business Unit and
Supplier Documents
• Document Control Test Results
• “Exit” Interview with Supplier
• Analyse Results and Identity “Fails”
• Update Business Unit and Supplier
• Develop Remediation and Timeline
• Remediate Contingent Items (CI)
• Reporting
• Validate Supplier Rating
• Updates based on Change
in Services
• Risk Scoring
Phase 1
Pre-Assessment
Phase 2
Assessment
Phase 3
Post-Assessment
Phase 4
Evaluate the
Assessment
Process
*Copyright, Shared Assessments CTPRP
Phases Best Suited for Outsourcing

13. 13 Private and Confidential © Copyright 2017
Managed Services for Supplier Assessments
Pre-Assessment
• Assist in the development and implementation of supplier risk ratings based on industry best
practices and corporate requirements
• Assist in the development of supplier questionnaires aligned with vendor risk ratings
• Develop company preferred responses and acceptable mitigation / remediation measures
• Map questionnaires to company and industry requirements
• Obtain information on external threats evaluated in addition to assessment due diligence
• External threat information includes: Breach incidents, Financial reporting, Phishing and Malware
attacks, Legal and Regulatory issues

14. 14 Private and Confidential © Copyright 2017
Managed Services for Supplier Assessments
Assessment
• Assessment evidence is reviewed and analysed. Security controls evaluated based on company requirements
• External threats evaluated in addition to assessment due diligence
• External threat information included in supplier risk scoring and analysis
• Assessment reports, including detailed findings, delivered based on company security and risk ranking criteria
• Assessment reports include risk mitigation / remediation recommendations
• Provide risk based reporting
• Type of service
• Risk classification
• Line of business

15. 15 Private and Confidential © Copyright 2017
Supplier Assessment Process Improvements
Substantial gains in resource capacity from managed services
 Resources traditionally spend 60% of assessment effort initiating assessments and collecting
assessment due diligence
 Additional improvement in resource utilisation from assessment recommendations
 Additional resource capacity translates into the ability to complete substantially more
assessments without increasing headcount
 Capacity receives even greater lift from assessment uniformity and best practices base
recommendations
 Less time needs to be allocated to completing assessment reports

16. 16 Private and Confidential © Copyright 2017
Benefits of Managed Services
 Supplier assessments conducted against specific risk rating and company requirements for controls
 Complete comprehensive supplier assessment and analysis while minimising staffing requirements.
Resources can concentrate on “value added work”
 Reviewing assessment finding and recommendations
 Conducting remediation
 Inclusion of external threats significantly expands the identification of supplier risks that exist outside of
contract based risk control assessment
 Comprehensive vendor risk reporting facilitated by details assessment reports
 Flexible processes and analysis systems provide the ability to smoothly transition to changing demands in
supplier risk management processes, while offering on-demand scalability

17. 17 Private and Confidential © Copyright 2017
Introducing SupplierAssess
Taking the Pain Out of Supplier Risk Management
• Third Party Supplier Assessment Managed Service
• Experienced and qualified team of certified professional assessors
(CTPRP Certified and ISO 27001 Lead Auditors)
• Supplier Risk Manager Service provides automation, workflow, and
a central repository for all assessment information
• Supplier Threat Monitor Service provides real-time Third Party
risk monitoring
• Commitment to providing “information anywhere, security
everywhere” through established processes and service delivery
methodologies

18. 18 Private and Confidential © Copyright 2017
So What Does It Do?
TPRA delivered to your desk
Remote & On Site Assessment
Reporting & Recommendations
Continuous Threat Monitoring
• Ranks suppliers, collects evidence for the review
workflow, and performs risk assessments on each
Third Party supplier
• Ongoing tracking of risk factors between assessments
including Data, Operational, Financial, Brand,
Regulatory events and other Geographical issues
• Supplier Assessment dashboard and detailed
supplier assessment reports that include findings
and mitigation recommendations

19. 19 Private and Confidential © Copyright 2017
How can we help?
xx
Séan O’Brien
DVV Solutions Limited
Grosvenor House, St. Thomas’s Place
Stockport, Cheshire, SK1 3TZ
United Kingdom
www.dvvs.co.uk
Follow us at LinkedIn.com/company/dvv-solutions
Sean M. O’Brien
Director
DDI: +44 (0) 161 476 8702
M: +44 (0) 7973 295 997
E: sobrien@dvvs.co.uk

20. 20 Private and Confidential © Copyright 2017