Details on how to conduct third party risk management: how to understand the target system, the regulatory compliance requirements (such as OCC 2013-29), what to do in case of a breach, how to conduct assessments, a case study, the available tools, the Risk Capability Maturity Model, and other references.
Here is a brief description of third-party risk management (TPRM), how to onboard third-party vendors, and what the role of a CISO is in this process. To know more about TPRM and information security management, click here: https://www.eccouncil.org/information-security-management/
On average organizations spend $10M+ responding to third-party security breaches each year. Third-Party Risk Management (TPRM) is the process of analyzing and controlling risks presented to your organization by outsourcing to third-party service providers (TPSP). TPSP relationships can introduce strategic, financial, operational, regulatory, and reputational risks.
For example, some TPSPs are involved in the storage, processing, and/or transmission of cardholder data (CHD), while others are involved in securing cardholder data, or securing the cardholder data environment (CDE).
Digital relationships with third-party providers increase opportunities for growth, but they also increase opportunities for cyberattacks — a recent study found that 61% of U.S. companies said they had experienced a data breach caused by one of their third-party providers (up 12% since 2016).
Learn more about:
• TPSP lifecycle,
• The effects of due diligence,
• The five critical control objectives, and
• How to build an effective risk assessment questionnaire.
To learn more, visit: https://bit.ly/3vQ4DjC
Third-Party Risk Management: Implementing a Strategy (NICSA). Two Part Series: Part I of II.
Sleep Better at Night: Learn techniques to manage risks associated with third-party relationships.
With the rise of cloud computing and outsourced services, data security has become the #1 issue for companies who put their data in the hands of others. John Verry (CISA), Principal Consultant and ISO 27001 Certified Lead Auditor with Pivot Point Security recently addressed this issue - Third Party Vendor Risk Management – and brought his unique “simplified” approach to the problem.
View the presentation at http://www.pivotpointsecurity.com/third-party-vendor-risk-management-presentation/
Almost every business decision requires executives and managers to balance risk and reward, and efficiency in that process is essential to an enterprise’s success. Too often though, IT risk (business risk related to the use of IT) is overlooked.
While other business risks such as market, credit and operational risks have long been incorporated into the decision-making processes, IT risk has usually been relegated to technical specialists outside the boardroom, despite falling under the same risk category as other business risks: failure to achieve strategic objectives.
This session intends to address business risks related to the use of IT, looking at industry standards, frameworks and best practices, as well as focusing on real world examples and specific plans on how to implement IT Risk Management on every level of your company.
Basics in IT Audit and Application Control Testing (Dinesh O Bareja)
IT Audit and Application Control Testing are large and complex activities in themselves, and it is my presentation to share the basics here, based on my own experience and using guidance from IIA GTAGs.
Why You Should Prioritize Third Party Risk Management (TPRM) in Today's Marketplace (Resolver Inc.)
Did you know that 63% of data breaches are linked to third party access, and this number is on the rise? This presentation explores the increasing priority of Third Party Risk Management (TPRM) in today’s marketplace. Learn why TPRM should play a critical role in your overall Corporate Risk Management Strategy and best practices for how to implement a successful TPRM program in your own organization.
Introduction to Risk Management via the NIST Cyber Security Framework (PECB)
The cyber security profession has established explicit guidance for practitioners to implement effective cyber security programs via the NIST Cyber Security Framework (CSF). The CSF provides both a roadmap and a measuring stick for effective cyber security. Application of the CSF within cyber is nothing new, but the resurgence of Enterprise Security Risk Management and Security Convergence highlights opportunities for expanded application to cyber, physical, and personnel security risks. The NIST CSF can help practitioners build a cross-pollinated understanding of holistic risk.
Main points covered:
• Understand the purpose, value, and application of the NIST CSF in familiar non-technical terms.
• Understand how the Functions and Categories of the NIST CSF (the CSF “Core”) and an organization's “current” and “target” profiles are relevant and valuable in a variety of sectors and environments.
• Understand how an organization’s physical and cyber security resources and stakeholders can align with the NIST CSF as a tool to achieve holistic security risk management.
Presenters:
David Feeney, CPP, PMP has 17 years of security industry experience assisting organizations with risk management matters specific to physical, personnel, and cyber security. He has 9 years of experience with service providers and 8 years of experience within enterprise security organizations. David has worked with industry leaders in the energy, technology, healthcare, and real estate sectors. Areas of specialization include Security Operations Center design and management, Security Systems design and implementation, and Enterprise Risk Management. David holds leadership positions in ASIS International and is also a member of the InfraGard FBI program. David holds Certification Protection Professional (CPP) and Project Management Professional (PMP) certifications.
Andrea LeStarge, MS has over ten years of experience in program management, risk analysis and curriculum development. Being specialized in Homeland Security, Andrea leverages her experience in formerly managing projects to support various Federal Government entities in identifying, detecting and responding to man-made, natural and cyber incidents. She has an established track record in recognizing security gaps and corrective risk mitigation options, while effectively communicating findings to stakeholders, private sector owners and operators, and first-responder personnel within tactical, operational and strategic levels. Overall, Andrea encompasses analytical tradecraft and demonstrates consistent, repeatable and defensible methodologies pertaining to risk and the elements of threat, vulnerability and consequence.
Recorded webinar: https://youtu.be/hxpuYtMQgf0
Mastering Information Technology Risk Management (Goutama Bachtiar)
This is the presentation slide deck, part of the courseware used when delivering the Information Technology Risk Management training workshop in May 2013.
What is GRC – Governance, Risk and Compliance (BOC Group)
A simple guide to learn what Governance, Risk and Compliance (GRC) is all about, why it’s important and how you can use it to help drive enterprise objectives.
For more information visit: https://www.boc-group.com/governance-risk-and-compliance/
PART 1 – CISA Domain 3 – Information Systems Acquisition, development and implementation
Overall understanding of Domain 3
What is benefits realization?
What is portfolio management?
https://www.infosectrain.com/blog/cisa-domain-3-information-systems-acquisition-development-and-implementation-part1/
This talk was presented in NULL Delhi chapter meet in 2014, as an insight into the world of PCI (Payment Card Industry) and the 12 requirements of PCI DSS
CISA Domain 1: The Process on Auditing Information Systems (ShivamSharma909)
ISACA IS Audit and Assurance Standards, Guidelines, and Tools & Techniques, Code of Professional Ethics & other applicable standard.
https://www.infosectrain.com/blog/cisa-domain-1-part-3-the-process-on-auditing-information-systems/
Secrets to managing your Duty of Care in an ever- changing world.
How well do you know your risks?
Are you keeping up with your responsibilities to provide Duty of Care?
How well are you prioritising Cybersecurity initiatives?
Liability for Cybersecurity attacks sits with Executives and Board members who may not have the right level of technical security knowledge. This session will outline what practical steps executives can take to implement a Cybersecurity Roadmap that is aligned with its strategic objectives.
Led by Krist Davood, who has spent over 28 years implementing secure mission critical systems for executives. Krist is an expert in protecting the interconnectedness of technology, intellectual property and information systems, as evidenced through his roles at The Good Guys, Court Services Victoria and Schiavello.
The seminar will cover:
• Fiduciary responsibility
• How to efficiently deal with personal liability and the threat of court action
• The role of a Cybersecurity Executive Dashboard and its ability to simplify risk and amplify informed decision making
• How to identify and bridge the gap between your Cybersecurity Compliance Rating and the threat of court action
Risk & Advisory Services: Quarterly Risk Advisor Nov. 2015 (CBIZ, Inc.)
In this issue: The Top 4 Risks Facing Your Company, Enhance your Organization's Cybersecurity Strategy and 5 Mistakes to Avoid When Business Continuity Planning.
Presentation to the Texas Bar CLE program on Contract Drafting, Review and Negotiation on December 5, 2017 in Austin, Texas, by Cybersecurity & Data Privacy Attorney Shawn Tuma, on October 19, 2017. For more information visit www.businesscyberrisk.com
Privacy & Security Controls In Vendor Management (Al Raymond / spencerharry)
Discussion of controls in place at vendors, both locally and remotely, to ensure that privacy and confidentiality of customer data is given top priority, and of the audit and oversight program in place to ensure the above.
#IBMInsight session presentation "Mitigate Risk, Combat Fraud and Financial Crimes"
The Issue of fraud, challenges, fighting fraud as an enterprise endeavor, IBM Smarter counter fraud framework and IBM Counter Fraud business services
More at ibm.biz/BdEPRH
New Ohio Cybersecurity Law Requirements (Skoda Minotti)
Skoda Minotti’s Risk Advisory Services Group and Insurance Services Group are working closely with insurance industry licensees to meet the considerable requirements under the Ohio cybersecurity law. This presentation provides more detailed information about the law, and assists you with your understanding and implementation of the requirements.
Presented by Dr Sam De Silva, partner at Nabarro to over 100 CEOs and Executives in London.
Explains what leaders should do immediately after becoming aware of a cyber attack, from a legal perspective.
Crossing the streams: How security professionals can leverage the NZ Privacy ... (Chris Hails)
Security professionals often struggle with the "double intangibility" of security: the intangibility of risk and the intangibility of protection.
Changing hearts and minds often requires legislation and new compliance frameworks to motivate investment.
New Zealand's new Privacy Act comes into play on 1st December 2020 and there are ways security professionals can leverage new aspects including mandatory breach notifications to focus efforts on securing personal information and preventing privacy harms.
Overcoming Hidden Risks in a Shared Security Model (OnRamp)
Risk management, compliance, and security are a shared burden between your organization and your vendors. Standards such as NIST (Publication 500-292) and regulations like HIPAA and PCI-DSS provide considerations for compliance and security but do not account for the nuances of your unique business or your infrastructure. Guidelines are written as though one party is responsible for compliance and security, but you rely on multiple vendors. Outsourcing can lead to ambiguous delegation of compliance responsibilities, lack of data governance and security practices, and difficulty in achieving data protection—ultimately risking non-compliance and leaving your infrastructure vulnerable.
Join our expert panel as they share insights into closing the gap on who’s responsible for what in data security and best practices for improving your security posture.
Takeaways:
Who owns the responsibility of compliance and security?
How to find and mitigate hidden risks in a 3rd party ecosystem
How to map your requirements to owners, policies, and controls
Expert recommendations for PCI, HIPAA, FERPA, FISMA and more.
2. Third Party Risk Management
Your company spends millions of dollars on IT security: systems, technologies, appliances
• InfoSec professionals
• Internal Audit professionals
• External Auditors
• Processes, technologies, systems
Then some manager in marketing dumps your client data to an Excel spreadsheet and emails it to a direct mail firm in Omaha.
Perhaps even worse: usually not random. Usually not one vendor. Often thousands of vendors.
3. Overview – Third Party Risk Management
1. What it is
2. Business value and justification
• Two main regulatory drivers: HIPAA & OCC 2013-29
3. What it looks like
• Case study
Information Security focus, but many additional areas of risk
4. Vendor Breach Background
Fazio Mechanical Data Breach
Fazio Mechanical is a 100-staff, $12M revenue HVAC company, perhaps better known for the $250,000,000 Target data breach.
Full analysis of the breach is beyond the scope of today's presentation, and much of what is described below is unconfirmed.
5. Vendor Breach Background
Fazio Mechanical was a vendor for Target for HVAC services.
It started with Fazio being targeted by a typical phishing attack.
Fazio connected to Target's internal systems for billing, contract management and contract submission via a vendor portal called "Ariba".
8. Target by the Numbers
40,000,000 – number of credit and debit card numbers stolen
70,000,000 – number of non-credit-card PII records stolen
November 27 to December 15, 2013 – duration of the theft
46% – percentage drop in profits for the 4th quarter of 2013 from the year before
$250,000,000 – total estimated costs as of August 2014
$90,000,000 – amount paid by Target's insurers (maxed out)
$54,000,000 – estimated amount generated from the sale of the stolen cards
0 – number of CIOs and CEOs who kept their jobs
9. Third Party Breach Numbers
• 41% to 63% of breaches involved third parties
• Per-record costs of a third-party breach are higher: $231 vs. $188
• 71% of companies failed to adequately manage the risk of third parties
• 92% of companies planned to expand their use of vendors in 2013
• 90% of anti-corruption actions by the DOJ involved third parties
11. TPRM – What It Is
Third Party Risk Management (TPRM) is the process of analyzing and controlling risks presented to your company, your data, your operations and your finances by parties OTHER than your own company.
Due Diligence is the investigative process by which a company or other third party is reviewed to determine its suitability for a given task. Due diligence is an ongoing activity, including review, monitoring, and management communication over the entire vendor lifecycle.
There is no universally accepted TPRM framework comparable to COBIT or COSO.
14. Business Justifications
Reduce the likelihood of data breach costs
Reduce the likelihood of costly operational failures
Reduce the likelihood of vendor bankruptcy
Regulatory mandates may require it
Prudent due diligence is an ethical obligation
Audit where the risk is: the enterprise risk portfolio may expose the organization to the most risk here
15. Regulatory Guidance
Office of the Comptroller of the Currency (OCC)
US Department of Health & Human Services (HHS)
State data breach laws
16. Regulatory Requirements
The strongest language so far is for financial institutions regulated by the Office of the Comptroller of the Currency.
If precedents hold true, this will likely "migrate" to other financial entities, healthcare entities, and government contractors.
Consumer Financial Protection Bureau (CFPB): since 2012, it has imposed over $1 billion USD in fines.
The CFPB was created partly in response to the 2008 financial crisis, when banks did not manage risk well.
17. OCC 2013-29
Very comprehensive guidance requiring banks to proactively evaluate ALL risks associated with ALL third parties.
Issued in October 2013, governing all financial institutions regulated by the OCC.
The closest thing we currently have to a generally accepted framework.
"... A third-party relationship is any business arrangement between a bank and another entity, by contract or otherwise."
"The Office of the Comptroller of the Currency (OCC) expects a bank to practice effective risk management regardless of whether the bank performs the activity internally or through a third party. A bank's use of third parties does not diminish the responsibility of its board of directors and senior management to ensure that the activity is performed in a safe and sound manner and in compliance with applicable laws."
18. OCC 2013-29
An effective risk management process throughout the life cycle of the relationship includes:
• Plans that outline the bank's strategy, identify the inherent risks of the activity, and detail how the bank selects, assesses, and oversees the third party.
• Proper due diligence in selecting a third party.
• Written contracts that outline the rights and responsibilities of all parties.
• Ongoing monitoring of the third party's activities and performance.
• Clear roles and responsibilities for overseeing and managing the relationship and risk management process.
• Documentation and reporting that facilitates oversight, accountability, monitoring, and risk management.
• Independent reviews that allow bank management to determine that the bank's process aligns with its strategy and effectively manages risks.
In 2009, the HITECH Act extended compliance requirements explicitly to “Business Associates”
Business Associates are persons or entities using PHI to perform services for a covered entity.
PHI – medical-related PII
Many third parties in healthcare have access – it is very difficult to perform substantive activities without access to PHI
HHS can impose fines on the Covered Entity (insurer, hospital, etc.) for the actions of a delegate
HIPAA - HITECH
Massachusetts General employee took some work home
Accidentally left 192 patient billing records on the subway
HHS imposed a $1,000,000 fine
HHS imposed a three-year corrective action plan
What would have happened had this been a vendor?
• Would there be a difference depending on due diligence?
• Fines seem to be directly related to how lackadaisical oversight was
HIPAA Example
Many different laws
Almost all have provisions requiring notification within a certain period after detection
Detection by whom?
Most appear to make no distinction between losses caused by an entity and losses caused by an entity’s vendor
Penalties
• Up to $500,000 in civil penalties per breach for failure to notify timely (Florida)
• $5,000 “per violation” if notice is not received within 10 days; every subsequent day “not received” is a separate violation (Louisiana)
State Data Breach Laws
What Does It Look Like?
Third Party Risk Management
1. Initial Risk Review
   1. Based on risk tier
   2. Documentation review
   3. On-site review
   4. Business process documentation
   5. Inherent risk/residual risk
   6. Remediation plan
2. Ongoing Monitoring
   1. Both for changed risks and for changes at the vendor
3. Recurring Reviews
   1. Based on risk tier
What TPRM Looks Like - Process
“The Four RMs”
1. Risk Measurement
   1. Linked to ERM
   2. Measures the risk of both the activity itself and of the vendor in particular
2. Risk Management
   1. Standard mechanisms for dealing with risk: accept, decline, transfer, modify
3. Risk Monitoring
   1. New/evolving risks
   2. Vendor changes
4. Response Management
   1. Incident response, both on your part and the vendor’s
What TPRM Looks Like - Elements
Using OCC 2013-29 as a framework – “Banks should consider the following:”
Legal and regulatory compliance
Financial condition
Qualifications, backgrounds and reputations of company principals
Risk management
Information security and management (including physical and logical security)
Incident reporting and management
Reliance on subcontractors
Contract language, including right to audit and metrics
What TPRM Looks Like - Assessment
RandomCo – 300-employee, midsized, technology-oriented company
Specialized in document management and OCR
Being considered for an engagement that required high levels of data security, operational reliability, and performance
Would be subject to HIPAA requirements
Case Study
Reviewed SAS 70 (Type 1)
Reviewed architectural documentation
Reviewed online reputation
Reviewed legal entanglements
Reviewed summary financials
Nothing significantly negative was found
Stage I – Case Study
Glass-sided stand-alone office building, surrounded by a public, ungated parking lot
Scanned for wireless networks. They had a “RandomCoProd” SSID
• WEP encryption
Unlocked front door
No security cameras
“Netgear” wireless router bolted to the wall in a stairwell
Unlocked server room and networking closet
RandomCo – Case Study
Data center served by a single internet feed
“Some” systems were RAID 5
Some “servers” were recycled desktops running Linux
Disaster Recovery Plan never tested
Backup Plan
• Network admin drove to data center
• Network admin took tapes out of servers
• Network admin threw the tapes in his trunk
• Network admin drove tapes home
RandomCo – Case Study
Not because RandomCo was particularly bad
• In fact, not the worst
Many smaller vendors lack controls
• Many vendors will be 25-200 person companies (28M small businesses)
• No full-time IT, let alone IT security
Never would have known without the on-site review
“Vendor Development”
Why this story?
Vendor tiering or stratification
Tier 1 – Critical vendors (10%) – PII + critical systems
Tier 2 – Major vendors (40%) – PII OR critical systems
Tier 3 – Vendors (50%) – commodities/low risk purchases
Workflow tools
Capability Maturity Model
Vendor scorecards (maintained by business owner of vendor)
Tools
Shared Assessment Group (Santa Fe Group) – Shared Information Gathering Tool (SIG)
Current version costs $5000
Version 6.0 freely available, but dated
Lite and full versions – provides flexibility
Vendor research tools
Dun & Bradstreet Supplier Risk Manager
LexisNexis
Research and monitoring tools
Variety of checklists available online
Contracting language – right to audit, required reporting, standards
Tools
Level 0 – No processes exist
Level 1 – Initial: processes exist, but are ad hoc and unpredictable
Level 2 – Managed: processes are reactive, “hero driven” and project specific
Level 3 – Defined: processes are organized, formalized and documented
Level 4 – Quantitative: processes are formalized, measured empirically and controlled
Level 5 – Optimized: processes are highly mature, and emphasize system feedback and improvement
Are the vendor’s risk management processes:
• Defined?
• Comprehensive?
• Repeatable?
• Measured?
• Reliable?
Risk Capability Maturity Model
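A small scoring routine that applies the vendor tiers from the Tools slide (Tier 1 = PII + critical systems, Tier 2 = PII or critical systems, Tier 3 = commodity purchases) together with the six maturity levels above, producing the kind of row a business owner's vendor scorecard would hold. This is an added Python example, not code from the deck or from Pivot Point Security; the numeric risk weights, the maturity discount, the "remediation plan required" rule and the review cadence are assumptions.

```python
# Added example (not from the deck): vendor tiering and maturity scoring.
from dataclasses import dataclass

# Risk Capability Maturity Model levels, as described on the slide.
MATURITY = {
    0: "No processes exist",
    1: "Initial: processes are ad hoc and unpredictable",
    2: "Managed: processes are reactive, hero driven and project specific",
    3: "Defined: processes are organized, formalized and documented",
    4: "Quantitative: processes are measured empirically and controlled",
    5: "Optimized: processes emphasize system feedback and improvement",
}

# Assumed review cadence (months); the deck only says "based on risk tier".
REVIEW_INTERVAL_MONTHS = {1: 12, 2: 24, 3: 36}

@dataclass
class Vendor:
    name: str
    handles_pii: bool       # PII or PHI in the vendor's hands
    critical_systems: bool  # vendor supports critical systems
    maturity: int           # 0..5 from the documentation / on-site review

def tier(v: Vendor) -> int:
    """Tier 1 = PII + critical systems; Tier 2 = PII or critical; Tier 3 = rest."""
    if v.handles_pii and v.critical_systems:
        return 1
    if v.handles_pii or v.critical_systems:
        return 2
    return 3

def residual_risk(v: Vendor) -> float:
    """Assumed model: tier sets inherent risk (3 = highest); maturity discounts it."""
    if v.maturity not in MATURITY:
        raise ValueError("maturity level must be 0..5")
    inherent = {1: 3.0, 2: 2.0, 3: 1.0}[tier(v)]
    return round(inherent * (1 - v.maturity / 6), 2)

def scorecard(v: Vendor) -> dict:
    """Scorecard row; Tier 1 below 'Defined' needs a remediation plan (assumed)."""
    t = tier(v)
    return {
        "vendor": v.name,
        "tier": t,
        "maturity": MATURITY[v.maturity],
        "residual_risk": residual_risk(v),
        "remediation_plan_required": t == 1 and v.maturity < 3,
        "review_interval_months": REVIEW_INTERVAL_MONTHS[t],
    }
```

Run against a constructed vendor modelled on the RandomCo case study (PHI, critical to the engagement, ad hoc processes: `Vendor("RandomCo", True, True, 1)`), the scorecard lands in Tier 1 with a remediation plan required before onboarding.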
Very cost-effective way to manage risk
One day on-site often is all that is required
Complete review (including on-site) can cost less than $1,000
Lots of “low-hanging fruit”
Emphasis area: Test data
Emphasis area: Data retention & lifespan management
Emphasis area: Physical security
Emphasis area: Cloud reliance and architecture
Often you get more pushback from internal parties; many vendors appreciate the “free consulting”
Personal Observations
70% of companies do not adequately do this now, yet over 90% say they will INCREASE their use of third parties.
Data breaches caused by third parties cost $43 per record more than other breaches, yet account for over 40% of all breaches.
Effective TPRM involves a combination of oversight and review of the external partner AND implementation of internal controls and processes.
Given the risk exposure and costs involved, TPRM can be the single most cost-effective risk management program that a company can implement, and Internal Audit and InfoSec can contribute in many significant ways.
Summary
Third-party risk management failures contributed to the attack
Vendor used the FREE Malwarebytes Anti-Malware software
The free version is only an on-demand scanner; no real-time scanning.
Target did not require vendors to use multi-factor authentication
If the vendor used free anti-malware, what is the probability that it required users to take security training? Or implemented an enterprise email system that might have caught the phishing attack?
But Target also left vast amounts of sensitive data about vendors on unsecured systems. This is also about vendor management.
Ariba is a vendor too. Was it tested/scanned for SQL injection, and was its architecture reviewed?
How was Ariba monitoring for unusual activity?
Target Breach - TPRM