The NYS Forum, Inc. Third Party Risk Management

Slides:

Advertisements

Similar presentations

1 COPING WITH UNCERTAIN TIMES Lisa Sciarrino UniCredit Group Jim Certoma CPE Ed Tracy The Tracy Group, Inc. Paul Katzer Pfizer.

Advertisements

IMFO Audit & Risk Indaba June 2012

“High Performing Financial Institutions and the Keys to Success in an Uncertain Environment”

Introduction to Enterprise Risk Management (ERM)

Security Controls – What Works

NAIC Review of ERM & Internal Controls David Altmaier Florida Office of Insurance Regulation.

Who is FCm? FCm Global Network (Equity & Partner Countries) Total 75+ Countries Network - $4.67b EMEA - $2.51b APAC - $1.25b Americas - $914m Offices.

3rd Party Risk Categorization Process

© 2012 McGladrey LLP. All Rights Reserved.© 2014 McGladrey LLP. All Rights Reserved. © 2012 McGladrey LLP. All Rights Reserved. © 2013 McGladrey LLP. All.

Enterprise Risk Management at Your School: Getting Started Constance Neary, VP for Risk Management, United Educators Debra Wilson, Legal Counsel, National.

Information Security Risk Management

1 BUSINESS CONTINUITY AND DISASTER RECOVERY PLANNING Reducing your Risk Profile MIDWEST DATA RECOVERY INC.

Auditing Cloud Computing: Adapting to Changes in Data Management IIA and ISACA Joint Meeting March 12, 2013 Presented by: Jay Hoffman (AEP), John Didlott.

Compliance System Validation - An Audit Based Approach December 2012 Uday Gulvadi, CPA, CIA, CISA, CAMS Director - Internal Audit, Risk and Compliance.

Financial Advisory & Litigation Consulting Services Risk Management 2006 September 14-15, 2006 The Metropolitan Club, New York, NY Workshop B: Information.

BITS Proprietary and Confidential © BITS Security and Technology Risks: Risk Mitigation Activities of US Financial Institutions John Carlson Senior.

Chapter © 2012 Pearson Education, Inc. Publishing as Prentice Hall.

Chapter 1 Assurance Services. Need for Assurance Why do you need assurance? Potential bias in providing information. Remoteness between a user and the.

Bank Audit. Internal Audit Internal audit is an independent, objective assurance activity and can give valuable insight in providing assurance that major.

OUTSOURCING PLANNING. Group Members Sumeet Rao 39 Aastha Salaskar 59 Krunal Madia 58 Dhanashree Kalamkar 18 Ritesh Karunakar 19.

Microsoft Belgium Security Summit Georges Ataya S olvay B usiness S chool, ISACA Belux Detlef Eckert Microsoft EMEA.

NEACS: CRO Perspective William Feher Vice President, Internal Audit and Chief Risk Officer October 27, 2015.

Service Organization Controls (SOC) Overview Shared Assessment Member Forum Presentation April 10, 2012.

Vendor Management from a Vendor’s Perspective. Agenda Regulatory Updates and Trends Examiner Trends Technology and Solution Trends Common Issues and Misconceptions.

Erman Taşkın. Information security aspects of business continuity management Objective: To counteract interruptions to business activities and to protect.

Cyber Risk Management Solutions Fall 2015 Thomas Compliance Associates, Inc

Managing Uncertainty, Creating Opportunity Enterprise Risk Management J. Brown, CEO.

Vendor Risk Management for Law Firms Key Questions You Should Be Asking.

Alex Ezrakhovich Process Approach for an Integrated Management System Change driven.

Dolly Dhamodiwala CEO, Business Beacon Management Consultants

Business Continuity Awareness Steve Lambert Biscon Planning Ltd.

COBIT. The Control Objectives for Information and related Technology (COBIT) A set of best practices (framework) for information technology (IT) management.

Business Continuity Planning 101

USDA 2016 Financial Management Training Transforming Shared Services

1© Copyright 2016 EMC Corporation. All rights reserved. VIEWTRUST SOFTWARE OVERVIEW RISK MANAGEMENT AND COMPLIANCE MONITORING.

Donald JG Chiarella, PhD, CISM, CDMP, PEM, CHS-CIA, MBA.

JMFIP Financial Management Conference

Cybersecurity as a Business Differentiator

What Is Vendor Management And Why Is It Important To You?

IS YOUR ORGANISATION’S INFORMATION SECURE?

An Overview on Risk Management

Chris Lintern Co-operative Financial Services

John Deere Supply Chain Risk Management

What Is ISO ISO 27001, titled "Information Security Management - Specification With Guidance for Use", is the replacement for BS It is intended.

Approaches to Defining Risk

ENTERPRISE RISK MANAGEMENT IN THE CASE OF THE FINANCIAL SERVICE SECTOR

Response to disruptive events at INEGI - Mexico City Office

Regulatory Compliance

Integrated Management System and Certification

The NYS Forum, Inc. Third Party Risk Management

Current ‘Hot Topics’ in Information Security Governance Auditing

Service Organization Control (SOC)

Paul Woods Chair, MITIGATION: Ensuring we procure cloud services taking into account of the risks involved Paul Woods Chair, ISNorthEast.

San Francisco IIA Fall Seminar

Establish Process Governance

Systems analysis and design, 6th edition Dennis, wixom, and roth

Systems analysis and design, 6th edition Dennis, wixom, and roth

John Carlson Senior Director, BITS

Cyber Risk & Cyber Insurance - Overview

Business Continuity Plan

Nero Blanco Service Offering – Disaster Recovery as a Service

IS Risk Management Framework Overview

Cloud Services - A Framework for Adoption in the Regulated Life Sciences Industry Status November 2018.

Cyber Security: What the Head & Board Need to Know

GRC - A Strategic Approach

University of Maryland Robert H. Smith School of Business

What is IT audit? An examination of how IT systems where implemented to ensure that they meet the organization’s business needs without compromising.

Session 8: Innovative Uses of Captives: Cyber and Beyond

Information Security Breach definitions

Presentation transcript:

The NYS Forum, Inc. Third Party Risk Management John Verry, Managing Partner john.verry @pivotpointsecurity.com 2016 NYSICA Annual Conference

Startling Statistics 74% think that 3rd Parties will provide highly important or critical services in the next year 26% have suffered reputational damage due to a third party security incident in the last year 87% of organizations have been impacted by a third party security incident n the last year 2016 NYSICA Annual Conference

Startling Statistics 74% think that 3rd Parties will provide highly important or critical services in the next year 26% have suffered reputational damage due to a third party security incident in the last year 87% of organizations have been impacted by a third party security incident in the last year Only one problem, they are not “real”, :>) 2016 NYSICA Annual Conference

Knowing Where We Are And Where We Are Going … Cost & complexity drive cloud & outsourcing Evolving threat vectors result in events Events result in regulations Regulations drive changes in practices and the development of technology solutions (see step 1) Repeat steps 1 – 4 2016 NYSICA Annual Conference

Events Regulations Changes You’re Fired … 2016 NYSICA Annual Conference

Knowing Where We Are And Where We Are Going … Greater understanding of Third Party/Vendor Risk Including Shadow IT Greater expectation of managing Third Party/Vendor Risk You end up at a NYSICA event listening to me drone on … 2016 NYSICA Annual Conference

For Today, Two Overlapping Audiences Risk Officers need to understand and analyze Third Party Risk and insure that it is being managed in accordance with the entity’s risk appetite Auditors need to assess the effectiveness of the design and operation of the Third Party Risk Management Program 2016 NYSICA Annual Conference

Tomorrow, Six+ Overlapping Participants TPRM (often procurement) operates the program Information Security which may/should play some role Enterprise Risk Management which may/should play some role Auditors which may/should play some role Third Parties Vendors Other Agencies Regulators Insurers Fourth Parties (Third Parties to your Third Party

2016 NYSICA Annual Conference

Risk Realization IT/Infosec Confidentiality Integrity TPRM Availability Breach Reputational Impact Financial 2016 NYSICA Annual Conference

2016 NYSICA Annual Conference Common Data & Risk Classification & Appetite (ERM, ISMS, TPRM) Internal Risks Inform Third Party Risk Consideration CLI Informs ISMS & TPRM TPRM Informs CLI Selection Threat/Risk Monitoring? Geo-political? Weather? Incidents? Viability? Incident Response -> Crisis Incident Response Plan (3rd Party Integration) Vendor’s TPRM PSPs Inform TPRM Your & Their BIAs Inform TPRM (DRBCP Testing?) 2016 NYSICA Annual Conference

Risk Officers Normalize risk identification, analysis, and acceptable risk across IT/InfoSec TPRM ERM Impact criteria and probability are key Insure TPRM & Info Sec Risks inform Enterprise Risk and vice versa 2016 NYSICA Annual Conference

Auditors Need to identify a suitable standard for Design audits: ISO-27001/2 provides limited guidance Shared Assessments VRMM is great if you are a member OCC:2013:29 can be used as a framework Key Areas include: Governance, PSP’s, Contract, Vendor Risk(4th Party & Resilience), Skill/ Expertise, Reporting, Tool Use, Ongoing Monitoring 2016 NYSICA Annual Conference

If You Are Green - Fielding 2016 NYSICA Annual Conference

Tidbits & Gotchas Prevailing “Good Practice” on TPRM (10% H, 40% M, 50% L) Build your program before you buy your tools Capabilities, Process, Pricing, Population, and Staffing all impact choice Some TP Risks are more challenging to identify and/or monitor Concentration risk – What if the wrong combination of suppliers use AWS, a particular ISP, or Florida? Geographic risk – Does your supplier move data geographically for BC? Are the wrong combinations of vendors subject to political/geographic turmoil? TP Exit Strategy is critical Address time-frames, data “recovery,” and transition support Include T&Cs that trigger Exit (breach, business conditions, etc.) 2016 NYSICA Annual Conference

Questions & Additional Help https://sharedassessments.org/ Packaged VRM (SIG, AUP, VRMMM) Certified Third Party Risk Professional Certification http://www.occ.gov/news- issuances/bulletins/2013/bulletin-2013-29.html 2016 NYSICA Annual Conference

John Verry Pivot Point Security 888.PIVOTPOINT john.verry@pivotpointsecurity.com 2016 NYSICA Annual Conference