Managing Third Party Risk In a world fraught w/Risk Trust In the Cloud How are you Protecting Customer Data? February 26, 2014 Case Study Vincent Campitelli – McKesson Corporation

Vendor Management Life Cycle IT Vendors serving McKesson 2. Analyze Determine the level of risk posed by each third party relationship using a risk model. 3. Evaluate Implement due diligence activities commensurate with the risk rating. 4. Mitigate Design appropriate risk mitigation plans to manage the residual risk of the relationship. 5. Monitor Design ongoing monitoring programs to identify events/activities that alter risk profile. 2

How are they identified ? Spend Analysis Corporate Procurement IT Procurement Legal /contracting Compliance Officers Business Unit managers 3

Assess inherent Risk Service description Contract Review R. A. questionnaire Risk Rating 4

Conduct Due Diligence Contract    Security Exhibits    BAA    Validation procedures   On-going monitoring   LOW RISK High RISK Moderate RISK Inherent Risk Residual Risk 5

Apply Risk Mitigation Contracts  Company paper  Right to audit  SLA’s Conditional Acceptance Third party reports Annual requirement Scope adjustment Corrective Action plans Corrective action plans 6

Monitoring Geopolitical events Environmental events Business events Contract events SLA performance Mergers/acquisitions/Ownership Fines/penalties/violations Audit failures 7

“Going to the Cloud” Lack of visibility Lack of control Contractual limitations Right to audit SLA limitations Exit strategy Data retention/location/return/use Reliance on 3 rd party reporting New Requirements Monitoring Oversight 8

How are they identified ? Spend Analysis Corporate Procurement IT Procurement Legal /contracting Compliance Officers Business Unit managers CLOUD BASED 9

Assess inherent Risk Service description Contract Review R. A. questionnaire Risk Rating Tailored for CSP’s : CSA CAIQ CCM v3.0 Star Registry Response indices Yes No AI 10

Conduct Due Diligence Contract    Security Exhibits    BAA    Validation procedures   On-going monitoring   LOW RISK High RISK Moderate RISK Inherent Risk Residual Risk 11

Cloud Services – Responsibility/Accountability 12

Control Responsibilities by Service Model 13

CSA CCM controls – Key Controls 14

CSA based Control Requirements 15

Apply Risk Mitigation Contracts  Company paper  Right to audit  SLA’s  Security SLA’s Conditional Acceptance Third party reports – SOC 2 Annual requirement Scope adjustment Corrective Action plans Corrective action plans 16