Slide 1
Jeff Miller, Tamra Pawloski
Slide 2: 2014 IT Procurement Summit headline news…
Slide 3: Cybersecurity is evolving and dynamic
Program elements:
- Policy: program framework
- Prevention: anticipate risks & safeguard assets
- Detection: test & attempt to penetrate your own fortress
- Communication: awareness and understanding of risk & benefits
- Collaborate, adapt, and innovate with time…
Slide 4: Cybersecurity Maturity Path
It’s a Journey…
- Opposing risk & benefit objectives
- Emerging technologies / outsourcing
- Increased threats & attacks
- Tactical reactive silos to risk practice
- Information technology / sourcing / legal
- Collaborative team work
- Risk Management: human capital
- Global scope & process integration
Slide 5: Risk Management Human Capital (beyond policies)
- Vendor Risk Management (IT)
- Vendor Risk Committee (IT, Legal, Sourcing and Business Continuity)
- Certified Specialists:
  - Information Systems Security Professional (CISSP)
  - Information Privacy Professional (CIPP)
  - Risk & Information Systems Control (CRISC)
- Chief Security Officer (IT)
- Chief Privacy Officer (Legal)
Slide 6: The emerging need for cyber risk skills is growing…
Traditional Skills:
- Spend Analytics
- Evaluations
- RFXs
- Negotiations
- Terms & Conditions
- SOW & SLA
- Asset & Vendor Management
- Taming the Maintenance Monster
Additional Skills:
- Risk Management
- Technology and data security assessments
- Outsourcing Specialist
- Office of Foreign Assets Control (OFAC) Monitoring
- Data Privacy
- Business Continuity
Slide 7: “Defense in Depth”: Internal Systems and Solutions
Layers (outermost to innermost):
- Policies, Procedures, Awareness
- Physical
- Perimeter
- Internal Network
- Operating System
- Application
- Data
Slide 8: Various Supplier Relationship Models Containing Data
- Application Service Providers (ASPs)
- Software-as-a-Service (SaaS)
- Business Process Outsourcing (BPOs)
- Benefit contractors (health insurance, 401k, ...)
- Treasury contractors (banks, transfer agents, …)
- Third-Party Administrators (TPAs)
- Global IT Outsourcers
- Programming outsourcers
- Program managers
Slide 9: “Defense in Depth”: External Service Providers
- Corporate Privacy & Security Policies
- Trained Subject Matter Experts
- Solutions Investigators
- Security Terms & Conditions
- Cyber Insurance
- Standard Sourcing Process
Slide 10: Cybersecurity: a Collaborative Effort
- Technology: platform compliance, system & access controls, vulnerability testing, and system monitoring
- Vendor Risk Management: performs “assessments” / recommends options
- Legal: regulatory, privacy and confidentiality T&Cs
- Strategic Sourcing: sourcing compliance and negotiations
Slide 11: Supplier & Business Assessment “Risk Profile”
- Does the supplier store or host data?
- Does the supplier access our systems?
- Does the supplier provide a critical product or service?
Slide 12: Data Protection Agreements and Provisions
- If possible, part of the RFX process along with your standard agreement template
- Holds the supplier accountable to safeguard your data
- Contains requirements that go beyond what is required by law
- Part of our Sourcing Cyber Security process
Slide 13: Data Protection Agreements: Contents
- Data Restriction (what the supplier can and cannot do with our data)
- Complies with federal, state, provincial and local laws and regulations
- Physical Security Controls:
  - Location (alarm systems, visitor access, security guards, fire & water, HVAC, video surveillance, etc.)
  - Trash disposal program
  - Security and environmental controls over all computer rooms and equipment used to process, file, store, or transmit data
Slide 14: Data Protection Agreements: Contents (continued)
Data Security Controls:
- Logical access controls
- User sign-on identification and authentication
- Password protection of system applications, data files, databases, repositories, and libraries
- Accountability tracking
- Anti-virus software
- Secured printers
- Restricted ability to download to disk / devices
- No logically shared environments with others…
Slide 15: Data Protection Agreements: Contents (continued)
Supplier Representatives:
- Background checks once a year:
  - Citizenship check & Social Security check
  - OFAC Specially Designated National check
  - Criminal felony and misdemeanor check
  - Education / prior employment check
  - Credit / financial check
- Must attend confidentiality and security awareness training (including monitoring)
- Must advise of any international handling
Slide 16: Data Protection Agreements: Contents (continued)
- Audits and Inspections permitted
- Security Administration: access records
- Access: no shared IDs; need-to-know, job-function basis
- Supplier System Security (adequate network protection, logically secured…)
- Operation Procedures (security patches and escalation procedures)
Slide 17: Data Protection Agreements: Contents (continued)
- Encryption (any exchange of data across the Internet or on removable media)
- Network Security (detection / prevention sensors & firewalls / vulnerability tests)
- Web Application Security (same as above)
- Breach Notification (procedures, escalation, investigations & liabilities)
- Call Recording and Monitoring (secured consent, and access to recordings)
- More…?
Slide 18: Data Protection Agreements: Types
- IT Vendor Risk Management completes the “Risk Profile” & determines the agreement
- Earlier in the process, more success!
- Various types:
  - Long standalone: comprehensive
  - Short form: limited or no risk
  - Custom
- Cyber Insurance where & when required
- Part of our standard sourcing process
Slide 19: Data Protection Agreement Process (Taming the Maintenance Monster)
Process stages: NDA, Business Assessment, Supplier Assessment, Data Protection Agreement, Contract & Monitor
Contract documents:
- Master Services Agreement
- Terms & Conditions
- Statement of Work
- Data Protection Service Level Agreement
Data Protection Agreement forms:
- Long form: comprehensive
- Custom
- Short form: limited risk
Slide 20: Data Protection Agreement Process: Who?
- NDA: Strategic Sourcing, Legal
- Business Assessment: Vendor Risk Management & IT
- Supplier Assessment: Vendor Risk Management & Strategic Sourcing
- Data Protection Agreement: Legal & Vendor Risk Management & Strategic Sourcing
- Contract & Monitor: Legal & IT
Slide 21: Summary
- Threats are on the rise: be vigilant!
- Technology expands, and cyber risk mitigation is a journey…
- Risk management skills will become critical for everyone!
- Hold your suppliers accountable when handling your data and information!
- Make cyber security part of your standard process!
Slide 22: Questions? Thank you…