Jeff Miller and Tamra Pawloski. 2014 IT Procurement Summit headline news…

Cybersecurity is evolving and dynamic
Program elements:
- Policy: the program framework
- Prevention: anticipate risks and safeguard assets
- Detection: test, and attempt to penetrate, your own fortress
- Communication: awareness and understanding of risks and benefits
Collaborate, adapt, and innovate over time…

Cybersecurity Maturity Path: It's a Journey…
- Opposing risk and benefit objectives
- Emerging technologies / outsourcing
- Increased threats and attacks
- From tactical, reactive silos to a risk-management practice
- Information technology / sourcing / legal working as a collaborative team
- Risk management as human capital
- Global scope and process integration

Risk Management Human Capital (beyond policies)
- Vendor Risk Management (IT)
- Vendor Risk Committee (IT, Legal, Sourcing and Business Continuity)
- Certified specialists: Certified Information Systems Security Professional (CISSP), Certified Information Privacy Professional (CIPP), Certified in Risk and Information Systems Control (CRISC)
- Chief Security Officer (IT)
- Chief Privacy Officer (Legal)

The need for cyber risk skills is growing…
Traditional skills:
- Spend analytics
- Evaluations
- RFXs
- Negotiations
- Terms and conditions
- SOWs and SLAs
- Asset and vendor management
- Taming the maintenance monster
Additional skills:
- Risk management
- Technology and data security assessments
- Outsourcing specialist
- Office of Foreign Assets Control (OFAC) monitoring
- Data privacy
- Business continuity

"Defense in Depth": Internal Systems and Solutions
Layers, from outermost to innermost:
- Policies, procedures, awareness
- Physical
- Perimeter
- Internal network
- Operating system
- Application
- Data

Various Supplier Relationship Models Containing Data
- Application service providers (ASPs)
- Software-as-a-Service (SaaS)
- Business process outsourcing (BPO)
- Benefit contractors (health insurance, 401k, ...)
- Treasury contractors (banks, transfer agents, …)
- Third-party administrators (TPAs)
- Global IT outsourcers
- Programming outsourcers
- Program managers

"Defense in Depth": External Service Providers
- Corporate privacy and security policies
- Trained subject matter experts
- Solutions investigators
- Security terms and conditions
- Cyber insurance
- Standard sourcing process

Cybersecurity: a Collaborative Effort
- Technology: platform compliance, system and access controls, vulnerability testing, and system monitoring
- Vendor Risk Management: performs "assessments" and recommends options
- Legal: regulatory, privacy and confidentiality T&Cs
- Strategic Sourcing: sourcing compliance and negotiations

Supplier & Business Assessment "Risk Profile"
- Does the supplier store or host our data?
- Does the supplier access our systems?
- Does the supplier provide a critical product or service?

Data Protection Agreements and Provisions
- If possible, part of the RFX process along with your standard agreement template
- Holds the supplier accountable for safeguarding your data
- Contains requirements that go beyond what the law requires
- Part of our Sourcing Cyber Security process

Data Protection Agreements: Contents
- Data restriction (what the supplier can and cannot do with our data)
- Compliance with federal, state, provincial and local laws and regulations
- Physical security controls
  - Location (alarm systems, visitor access, security guards, fire and water protection, HVAC, video surveillance, etc.)
  - Trash disposal program
  - Security and environmental controls over all computer rooms and equipment used to process, file, store, or transmit data

Data Protection Agreements: Contents (continued)
- Data security controls
  - Logical access controls
  - User sign-on identification and authentication
  - Password protection of system applications, data files, databases, repositories, and libraries
  - Accountability tracking
  - Anti-virus software
  - Secured printers
  - Restricted ability to download to disk / devices
  - No logically shared environments with others…

Data Protection Agreements: Contents (continued)
- Supplier representatives
  - Background checks once a year
    - Citizenship check and Social Security number check
    - OFAC Specially Designated Nationals (SDN) list check
    - Criminal felony and misdemeanor check
    - Education / prior employment check
    - Credit / financial check
  - Must attend confidentiality and security awareness training (including monitoring)
  - Must advise of any international handling

Data Protection Agreements: Contents (continued)
- Audits and inspections permitted
- Security administration: access records
- Access: no shared IDs; need-to-know, job-function basis
- Supplier system security (adequate network protection, logically secured…)
- Operational procedures (security patches and escalation procedures)

Data Protection Agreements: Contents (continued)
- Encryption (any exchange of data across the Internet or on removable media)
- Network security (detection / prevention sensors, firewalls, vulnerability tests)
- Web application security (same as above)
- Breach notification (procedures, escalation, investigations and liabilities)
- Call recording and monitoring (secured consent, and access to recordings)
- More…?

Data Protection Agreements: Types
- IT Vendor Risk Management completes the "Risk Profile" and determines the agreement type
- The earlier in the process, the more success!
- Various types:
  - Long standalone: comprehensive
  - Short form: limited or no risk
  - Custom
  - Cyber insurance where and when required
- Part of our standard sourcing process

Data Protection Agreement Process: Taming the Maintenance Monster
Process steps: NDA → Business Assessment → Supplier Assessment → Data Protection Agreement → Contract & Monitor
Contract documents:
- Master Services Agreement
- Terms and Conditions
- Statement of Work
- Data Protection Service Level Agreement
- Data Protection Agreement (long form: comprehensive; custom; short form: limited risk)

Data Protection Agreement Process: Who?
Process steps: NDA → Business Assessment → Supplier Assessment → Data Protection Agreement → Contract & Monitor
Responsible groups, as listed on the slide: Strategic Sourcing; Legal; Vendor Risk Management & IT; Vendor Risk Management & Strategic Sourcing; Legal & Vendor Risk Management & Strategic Sourcing; Legal & IT

Summary
- Threats are on the rise: be vigilant!
- Technology expands, and cyber risk mitigation is a journey…
- Risk management skills will become critical for everyone!
- Hold your suppliers accountable when handling your data and information!
- Make cyber security part of your standard process!

Questions? Thank you…