Presentation is loading. Please wait.

Presentation is loading. Please wait.

The NYS Forum, Inc. Third Party Risk Management

Published byZoe Richards Modified over 6 years ago

Similar presentations

Presentation on theme: "The NYS Forum, Inc. Third Party Risk Management"— Presentation transcript:

1 The NYS Forum, Inc. Third Party Risk Management
John Verry, Managing Partner 2016 NYSICA Annual Conference

2 Startling Statistics 74% think that 3rd Parties will provide highly important or critical services in the next year 26% have suffered reputational damage due to a third party security incident in the last year 87% of organizations have been impacted by a third party security incident n the last year 2016 NYSICA Annual Conference

3 Startling Statistics 74% think that 3rd Parties will provide highly important or critical services in the next year 26% have suffered reputational damage due to a third party security incident in the last year 87% of organizations have been impacted by a third party security incident in the last year Only one problem, they are not “real”, :>) 2016 NYSICA Annual Conference

4 Knowing Where We Are And Where We Are Going …
Cost & complexity drive cloud & outsourcing Evolving threat vectors result in events Events result in regulations Regulations drive changes in practices and the development of technology solutions (see step 1) Repeat steps 1 – 4 2016 NYSICA Annual Conference

5 Events Regulations Changes
You’re Fired … 2016 NYSICA Annual Conference

6 Knowing Where We Are And Where We Are Going …
Greater understanding of Third Party/Vendor Risk Including Shadow IT Greater expectation of managing Third Party/Vendor Risk You end up at a NYSICA event listening to me drone on … 2016 NYSICA Annual Conference

7 For Today, Two Overlapping Audiences
Risk Officers need to understand and analyze Third Party Risk and insure that it is being managed in accordance with the entity’s risk appetite Auditors need to assess the effectiveness of the design and operation of the Third Party Risk Management Program 2016 NYSICA Annual Conference

8 Tomorrow, Six+ Overlapping Participants
TPRM (often procurement) operates the program Information Security which may/should play some role Enterprise Risk Management which may/should play some role Auditors which may/should play some role Third Parties Vendors Other Agencies Regulators Insurers Fourth Parties (Third Parties to your Third Party

9 2016 NYSICA Annual Conference

10 Risk Realization IT/Infosec Confidentiality Integrity TPRM
Availability Breach Reputational Impact Financial 2016 NYSICA Annual Conference

11 2016 NYSICA Annual Conference
Common Data & Risk Classification & Appetite (ERM, ISMS, TPRM) Internal Risks Inform Third Party Risk Consideration CLI Informs ISMS & TPRM TPRM Informs CLI Selection Threat/Risk Monitoring? Geo-political? Weather? Incidents? Viability? Incident Response -> Crisis Incident Response Plan (3rd Party Integration) Vendor’s TPRM PSPs Inform TPRM Your & Their BIAs Inform TPRM (DRBCP Testing?) 2016 NYSICA Annual Conference

12 Risk Officers Normalize risk identification, analysis, and acceptable risk across IT/InfoSec TPRM ERM Impact criteria and probability are key Insure TPRM & Info Sec Risks inform Enterprise Risk and vice versa 2016 NYSICA Annual Conference

13 Auditors Need to identify a suitable standard for Design audits:
ISO-27001/2 provides limited guidance Shared Assessments VRMM is great if you are a member OCC:2013:29 can be used as a framework Key Areas include: Governance, PSP’s, Contract, Vendor Risk(4th Party & Resilience), Skill/ Expertise, Reporting, Tool Use, Ongoing Monitoring 2016 NYSICA Annual Conference

14 If You Are Green - Fielding
2016 NYSICA Annual Conference

15 Tidbits & Gotchas Prevailing “Good Practice” on TPRM (10% H, 40% M, 50% L) Build your program before you buy your tools Capabilities, Process, Pricing, Population, and Staffing all impact choice Some TP Risks are more challenging to identify and/or monitor Concentration risk – What if the wrong combination of suppliers use AWS, a particular ISP, or Florida? Geographic risk – Does your supplier move data geographically for BC? Are the wrong combinations of vendors subject to political/geographic turmoil? TP Exit Strategy is critical Address time-frames, data “recovery,” and transition support Include T&Cs that trigger Exit (breach, business conditions, etc.) 2016 NYSICA Annual Conference

16 Questions & Additional Help
Packaged VRM (SIG, AUP, VRMMM) Certified Third Party Risk Professional Certification issuances/bulletins/2013/bulletin html 2016 NYSICA Annual Conference

17 John Verry Pivot Point Security 888.PIVOTPOINT
2016 NYSICA Annual Conference

Download ppt "The NYS Forum, Inc. Third Party Risk Management"

Similar presentations

1 COPING WITH UNCERTAIN TIMES Lisa Sciarrino UniCredit Group Jim Certoma CPE Ed Tracy The Tracy Group, Inc. Paul Katzer Pfizer.

1 COPING WITH UNCERTAIN TIMES Lisa Sciarrino UniCredit Group Jim Certoma CPE Ed Tracy The Tracy Group, Inc. Paul Katzer Pfizer.
IMFO Audit & Risk Indaba June 2012

IMFO Audit & Risk Indaba June 2012
“High Performing Financial Institutions and the Keys to Success in an Uncertain Environment”

“High Performing Financial Institutions and the Keys to Success in an Uncertain Environment”
Introduction to Enterprise Risk Management (ERM)

Introduction to Enterprise Risk Management (ERM)
Security Controls – What Works

Security Controls – What Works
NAIC Review of ERM & Internal Controls David Altmaier Florida Office of Insurance Regulation.

NAIC Review of ERM & Internal Controls David Altmaier Florida Office of Insurance Regulation.
Who is FCm? FCm Global Network (Equity & Partner Countries) Total 75+ Countries Network - $4.67b EMEA - $2.51b APAC - $1.25b Americas - $914m Offices.

Who is FCm? FCm Global Network (Equity & Partner Countries) Total 75+ Countries Network - $4.67b EMEA - $2.51b APAC - $1.25b Americas - $914m Offices.
3rd Party Risk Categorization Process

3rd Party Risk Categorization Process
© 2012 McGladrey LLP. All Rights Reserved.© 2014 McGladrey LLP. All Rights Reserved. © 2012 McGladrey LLP. All Rights Reserved. © 2013 McGladrey LLP. All.

© 2012 McGladrey LLP. All Rights Reserved.© 2014 McGladrey LLP. All Rights Reserved. © 2012 McGladrey LLP. All Rights Reserved. © 2013 McGladrey LLP. All.
Enterprise Risk Management at Your School: Getting Started Constance Neary, VP for Risk Management, United Educators Debra Wilson, Legal Counsel, National.

Enterprise Risk Management at Your School: Getting Started Constance Neary, VP for Risk Management, United Educators Debra Wilson, Legal Counsel, National.
Information Security Risk Management

Information Security Risk Management
1 BUSINESS CONTINUITY AND DISASTER RECOVERY PLANNING Reducing your Risk Profile MIDWEST DATA RECOVERY INC.

1 BUSINESS CONTINUITY AND DISASTER RECOVERY PLANNING Reducing your Risk Profile MIDWEST DATA RECOVERY INC.
Auditing Cloud Computing: Adapting to Changes in Data Management IIA and ISACA Joint Meeting March 12, 2013 Presented by: Jay Hoffman (AEP), John Didlott.

Auditing Cloud Computing: Adapting to Changes in Data Management IIA and ISACA Joint Meeting March 12, 2013 Presented by: Jay Hoffman (AEP), John Didlott.
Compliance System Validation - An Audit Based Approach December 2012 Uday Gulvadi, CPA, CIA, CISA, CAMS Director - Internal Audit, Risk and Compliance.

Compliance System Validation - An Audit Based Approach December 2012 Uday Gulvadi, CPA, CIA, CISA, CAMS Director - Internal Audit, Risk and Compliance.
Financial Advisory & Litigation Consulting Services Risk Management 2006 September 14-15, 2006 The Metropolitan Club, New York, NY Workshop B: Information.

Financial Advisory & Litigation Consulting Services Risk Management 2006 September 14-15, 2006 The Metropolitan Club, New York, NY Workshop B: Information.
BITS Proprietary and Confidential © BITS 2003. Security and Technology Risks: Risk Mitigation Activities of US Financial Institutions John Carlson Senior.

BITS Proprietary and Confidential © BITS Security and Technology Risks: Risk Mitigation Activities of US Financial Institutions John Carlson Senior.
Chapter 10 10-1 © 2012 Pearson Education, Inc. Publishing as Prentice Hall.

Chapter © 2012 Pearson Education, Inc. Publishing as Prentice Hall.
Chapter 1 Assurance Services. Need for Assurance Why do you need assurance? Potential bias in providing information. Remoteness between a user and the.

Chapter 1 Assurance Services. Need for Assurance Why do you need assurance? Potential bias in providing information. Remoteness between a user and the.
Bank Audit. Internal Audit Internal audit is an independent, objective assurance activity and can give valuable insight in providing assurance that major.

Bank Audit. Internal Audit Internal audit is an independent, objective assurance activity and can give valuable insight in providing assurance that major.
OUTSOURCING PLANNING. Group Members Sumeet Rao 39 Aastha Salaskar 59 Krunal Madia 58 Dhanashree Kalamkar 18 Ritesh Karunakar 19.

OUTSOURCING PLANNING. Group Members Sumeet Rao 39 Aastha Salaskar 59 Krunal Madia 58 Dhanashree Kalamkar 18 Ritesh Karunakar 19.

Similar presentations

Ads by Google