By Marty Puzio

Overview
- How/why this process was developed
- Laying the groundwork
- Using a checklist
- Solidifying the deal
- Living with it

Creating The Process
- Frustrated with "on the fly" reviews
- Questions are basically the same for all vendors
- Questions differ for application type
  - Externally developed, externally hosted (i.e. ASP)
  - Externally developed, internally hosted
  - Confidential vs. public data
- Standardization is necessary

Lay The Groundwork
- Build the relationship with the business and IT
- Earn their trust: this process will ensure their success
- Start the process as early as possible
- Require this process; it is not optional

Use a Detailed Checklist
- Start with a general list, then tailor it
- Task the vendor with the first round
- Require security equal to your own policy
- Make questions open ended
- Test the answers
  - Access the site
  - Get an account
  - Change a password

Reviewing the Outcome
- Review with vendor techies
- Implement compensating controls where needed
- Make a decision/recommendation to the business

Potential Deal Breakers
- No encryption
- Poor authentication
- Refusal to answer questions
- Poor security for data transfers

It's all based on your information security standards.
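The checklist tailoring and the deal-breaker rules from the two slides above, written as an added example that is not part of the original presentation. The question wording, the hosting-model labels ("asp", "internal") and the pass/fail verdicts are assumptions for illustration; the input to `recommend` is the reviewer's verdict after testing each answer, and a question with no verdict means the vendor did not answer it.

```python
from dataclasses import dataclass

# Constructed example (not from the slides): a vendor-review checklist that is
# tailored by hosting model and data class, then graded with deal-breaker rules.
@dataclass(frozen=True)
class Question:
    key: str
    text: str                 # open-ended wording, as the slides recommend
    hosting: frozenset        # hosting models the question applies to
    confidential_only: bool   # asked only when confidential data is involved
    deal_breaker: bool        # a failed answer stops the deal outright

# General list; question wording is assumed for illustration.
CHECKLIST = (
    Question("encryption", "How is our data encrypted at rest and in transit?",
             frozenset({"asp", "internal"}), True, True),
    Question("authn", "Describe authentication, password policy and lockout.",
             frozenset({"asp", "internal"}), False, True),
    Question("transfer", "How are data transfers between us secured?",
             frozenset({"asp"}), True, True),
    Question("physical", "What physical controls protect the hosting site?",
             frozenset({"asp"}), False, False),
    Question("audit", "Provide your most recent external audit results.",
             frozenset({"asp"}), False, False),
)

def tailor(hosting, confidential):
    """Start with the general list, keep only what applies to this deal."""
    return [q for q in CHECKLIST
            if hosting in q.hosting and (confidential or not q.confidential_only)]

def recommend(questions, findings):
    """findings maps question key -> 'pass' or 'fail' after testing the answer;
    a missing key means the vendor refused to answer, itself a deal breaker."""
    breakers, gaps = [], []
    for q in questions:
        verdict = findings.get(q.key)
        if verdict is None or (verdict == "fail" and q.deal_breaker):
            breakers.append(q.key)
        elif verdict == "fail":
            gaps.append(q.key)   # fixable with compensating controls
    if breakers:
        decision = "reject"
    elif gaps:
        decision = "accept with compensating controls"
    else:
        decision = "accept"
    return {"decision": decision, "deal_breakers": breakers, "gaps": gaps}
```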

Solidify The Deal
- Have Legal add it to the contract
- Make it binding
- Include a non-compliance clause

Living With It: Auditing
- Audit the vendor annually
- Ask to see proof
  - Printed policies
  - Employee handouts
  - Physical controls
  - External audit results
- Visit the vendor if necessary

Track Record
- Used with IP management firms, payroll companies, healthcare benefits, expense reporting, etc.
- Benefits
  - Meets most requirements for due diligence
  - Assurance to senior management
  - Auditors will be satisfied
  - Simply a good practice
  - Many, many others

Questions?