Vendor Risk Management Data Privacy & Security - Panel
1 Vendor Risk Management Data Privacy & Security - Panel
- Sherry Ryan, CISO, Juniper
- Tanya O'Connor, Director, Information Security, Arcadia Healthcare Solutions
- Gary Roboff, Senior Advisor, Santa Fe Group - Shared Assessments
- Rick Olin, Shareholder, CIPP/US, GTC Law Group (Moderator)
2 Vendor Risk Management Data Privacy & Security (Panel)
Sherry Ryan, Chief Information Security Officer, Juniper Networks
- Previously established and led information security programs at Blue Shield of California, Hewlett-Packard, Safeway and Levi Strauss
- Certifications: Certified Information Security Manager (CISM) from ISACA and Certified Information Systems Security Professional (CISSP) from ISC2
- Member of High Tech Crime Investigation Association (HTCIA) and Information Systems Security Association (ISSA)
Tanya O'Connor, Director, Information Security, Arcadia Healthcare Solutions
- Responsible for strategic security and privacy planning and implementation, contract review, continuous monitoring, HIPAA/HITECH compliance, and responding to customer privacy/security assessments
- Oracle Corporation - Compliance Manager and Security Lead
- U.S. Department of the Treasury - Information Systems Security Manager
- U.S. Navy - Information Security Business Analyst and Information Assurance Governance Analyst
3 Vendor Risk Management Data Privacy & Security (Panel)
Gary Roboff, Senior Advisor, Santa Fe Group Shared Assessments
- Focuses on payments, risk management, mobile financial services, and information management
- JPMorgan: served 25 years; retired as Senior Vice President of Electronic Commerce; led effort to return to merchant services business with the founding of Chase Merchant Services LLC (now Chase Paymentech)
- International Security Trust and Privacy Alliance (ISTPA): Founder
- Chemical and Manufacturers Hanover: led development of pinned debit services
- Served on various Boards of Directors, including: ISTPA, the NYCE network, and the Electronic Funds Transfer Association
Rick Olin, Shareholder, CIPP/US, GTC Law Group
- Focuses on transactional matters, including: M&A and technology transfer; compliance areas such as data privacy and security, and information management matters; as well as general business counseling to GTC's technology and media clients
- TechTarget, Inc. (NASDAQ: TTGT) - Vice President, General Counsel and Secretary
- Workscape, Inc. (acquired by ADP, Inc.) - Senior Vice President of Corporate Development, General Counsel and Secretary
- SpeechWorks International, Inc. (acquired by ScanSoft, Inc. and now Nuance Communications, Inc.) - Vice President, General Counsel and Secretary
4 Vendor Risk Management Panel November 3, 2017 Sherry Ryan, VP/CISO
5 Why third-party cybersecurity matters
- CSO Cybersecurity Insights, December 7, % of breaches in recent years were traced to third-party vendors
- Cross industry: restaurants, chain stores, pharmacies, construction companies, hotels and medical centers
- Financial impact of breach response plus revenue and share price impact
- Reputational impacts, regulatory exposure, and lawsuits plus job loss for executives, directors and others
6
7 Key Findings
Themes: The Third Party Ecosystem; Managing Third Party Risk; Third Party Governance; Technology and Delivery Models
- As dependence on third parties becomes increasingly critical, organizations are being compelled to rapidly catch up in enhancing the maturity of their third party governance and risk management processes
- The drivers for third party engagement are progressively shifting from a focus upon cost to a focus upon value
- Third party risk incidents are on the increase
- Increased monitoring and assurance activity over third parties is believed to significantly reduce third party risk
- Organizational commitment to third party risk management is not supported by confidence in the related technology and processes
- Third party risk is starting to feature consistently on Board agendas
- Visits to third party locations are considered the most effective assurance method
- Most organizations are mandating consistent third party governance
- Existing technology platforms for managing third parties are considered inadequate
- Organizations are in the process of deciding between centralized in-house models and external service-provider based models for third party monitoring
Source: Deloitte, Third Party Governance and Risk Management, Global Survey 2016
8 Due Diligence Tools
- On-site reviews
- Assessments and questionnaires
- Attestations
- Documentation review
- Review assessments and certifications
- Security risk rating scores
- Contractual
9 Risk-Based Approach
Risk Factors
- Service risks: customer and financial impact; data sensitivity; compliance and regulatory; transaction volume
- Vendor risks: geographic location; financial health; prior breaches; performance record; extent of work performed
Vendor Prioritization
- Organize into high, medium and low risk categories
- Prioritize high risk vendors for greater scrutiny
Level of Due Diligence and Monitoring
- Higher risk: on-site reviews and more frequent monitoring
- Moderate risk: telephone reviews and periodic monitoring
- Lower risk: vendor self-assessments, follow up as required
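The three-step approach on this slide (score the risk factors, bucket vendors into high, medium and low, and map each bucket to a level of due diligence and monitoring), worked through as an added Python example that is not part of the original presentation. The factor names and the three due-diligence levels come from the slide; the 1-3 scoring scale, the 60/40 weighting of service versus vendor factors, the tier thresholds, the override rule for highest data sensitivity or a serious breach history, the monitoring cadences and the sample vendors are all constructed assumptions.

```python
"""Risk-based vendor tiering: score factors, bucket into high/medium/low,
map each bucket to a due-diligence plan.  Illustrative code; the scale,
weights, thresholds and overrides below are assumptions, not the slide's."""
from dataclasses import dataclass

# Factor names taken from the slide's "Risk Factors" column.
SERVICE_FACTORS = ("customer_financial_impact", "data_sensitivity",
                   "compliance_regulatory", "transaction_volume")
VENDOR_FACTORS = ("geographic_location", "financial_health", "prior_breaches",
                  "performance_record", "extent_of_work")

# Due-diligence levels from the slide; the cadences in parentheses are assumed.
DUE_DILIGENCE = {
    "high": "on-site review, more frequent monitoring (assumed: quarterly)",
    "medium": "telephone review, periodic monitoring (assumed: annual)",
    "low": "vendor self-assessment, follow up as required",
}

SERVICE_WEIGHT = 0.6     # assumption: impact on customers/data outweighs vendor profile
HIGH_THRESHOLD = 0.7     # assumed cut-offs on the 0.0..1.0 combined score
MEDIUM_THRESHOLD = 0.45


@dataclass(frozen=True)
class Vendor:
    name: str
    scores: dict  # factor name -> 1 (low risk) .. 3 (high risk)


def _normalised(vendor, factors):
    """Average the named factors and rescale the 1..3 range onto 0.0..1.0.
    A missing factor or an out-of-range value is rejected rather than
    silently treated as low risk."""
    values = []
    for factor in factors:
        if factor not in vendor.scores:
            raise ValueError(f"{vendor.name}: missing factor {factor}")
        value = vendor.scores[factor]
        if value not in (1, 2, 3):
            raise ValueError(f"{vendor.name}: {factor} must be 1, 2 or 3, got {value!r}")
        values.append(value)
    return (sum(values) - len(values)) / (2 * len(values))


def risk_score(vendor):
    """Weighted blend of the service-risk and vendor-risk averages, 0.0..1.0."""
    service = _normalised(vendor, SERVICE_FACTORS)
    profile = _normalised(vendor, VENDOR_FACTORS)
    return SERVICE_WEIGHT * service + (1 - SERVICE_WEIGHT) * profile


def tier(vendor):
    """Bucket a vendor into high / medium / low.  The overrides keep a vendor
    holding the most sensitive data, or one with a serious breach history, in
    the high bucket even when its weighted average alone would not."""
    score = risk_score(vendor)  # also validates every factor
    if vendor.scores["data_sensitivity"] == 3 or vendor.scores["prior_breaches"] == 3:
        return "high"
    if score >= HIGH_THRESHOLD:
        return "high"
    if score >= MEDIUM_THRESHOLD:
        return "medium"
    return "low"


def prioritise(vendors):
    """Rows of (name, tier, score, due-diligence plan), highest scrutiny first."""
    order = {"high": 0, "medium": 1, "low": 2}
    rows = []
    for vendor in vendors:
        bucket = tier(vendor)
        rows.append((vendor.name, bucket, round(risk_score(vendor), 3), DUE_DILIGENCE[bucket]))
    return sorted(rows, key=lambda row: (order[row[1]], -row[2]))


def _v(name, service, profile):
    """Build a constructed sample vendor from two score tuples."""
    scores = dict(zip(SERVICE_FACTORS, service))
    scores.update(zip(VENDOR_FACTORS, profile))
    return Vendor(name, scores)


# Constructed sample data: names and scores are invented for the illustration.
SAMPLE_VENDORS = [
    _v("claims-analytics-saas", (3, 3, 3, 2), (1, 2, 1, 2, 3)),  # high via data-sensitivity override
    _v("payment-gateway",       (3, 2, 3, 3), (2, 2, 1, 2, 3)),  # high on weighted score alone
    _v("offshore-dev-shop",     (2, 2, 2, 1), (3, 3, 2, 3, 3)),  # medium: risky profile, modest service impact
    _v("office-catering",       (1, 1, 1, 1), (1, 1, 1, 1, 1)),  # low
]

if __name__ == "__main__":
    for name, bucket, score, plan in prioritise(SAMPLE_VENDORS):
        print(f"{name:24} {bucket:6} {score:.3f}  {plan}")
```

The override rule is the part a weighted average alone gets wrong: the first sample vendor averages out below the high threshold, but it handles the most sensitive data, so it still lands in the on-site-review bucket. The weights and thresholds are the organisation's risk appetite expressed as numbers; change them freely, the shape of the decision stays the same.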
10 Trust But Verify Assessment Model
11 Thank you
12 VENDOR RISK MANAGEMENT PANEL
Presented by Tanya O'Connor, Director, Information Security
November,
ARCADIA HEALTHCARE SOLUTIONS NOT FOR REDISTRIBUTION.
13 ARCADIA OVERVIEW
ABOUT ARCADIA: Arcadia is an EHR data aggregation and analytics company focused on enabling our partners to succeed in shared risk using integrated ambulatory, inpatient & administrative data. Arcadia has analyzed over 35 million patients nationally.
- 35M patients measured
- 50K providers measured
- 3000 practices impacted
- 30+ EHR vendors connected
- 2002 year founded
- 250 awesome employees
Offices: Seattle ( th Ave. #925, Seattle, WA); Pittsburgh (29 West Main Street, Carnegie, PA); Boston (20 Blanchard Rd. #10, Burlington, MA); Chicago (630 E Jefferson St., Rockford, IL)
2017 ARCADIA HEALTHCARE SOLUTIONS NOT FOR REDISTRIBUTION.
14 ARCADIA OVERVIEW - EXAMPLE CUSTOMERS: PROVIDERS; HEALTH PLANS
15 BECOMING A TRUSTED BUSINESS PARTNER (FROM THE VENDOR PERSPECTIVE)
ALIGNMENT OF INTERESTS
- Same rules/liabilities apply to vendors (business associates) and customers (covered entities)
- Requires a partnership approach to securing data
- Driven by HIPAA/HITECH compliance for both parties
DUE DILIGENCE / TRUST BUT VERIFY MODEL
- 1-5 written assessments monthly
- Submission of artifacts
- Follow-up questionnaires
- Onsite visits
- Proving downstream vendor compliance
16 BECOMING A TRUSTED BUSINESS PARTNER - CHALLENGES
PRIVACY & SECURITY ASSESSMENTS ARE TIME/RESOURCE INTENSIVE
- Steady stream of written and on-site assessments (no two are ever alike!)
- Oftentimes not relevant to our business model (CAIQ for example)
- Existing culture shifts burden onto vendor (except large companies like Amazon) to fill out assessment rather than review existing security controls and submit follow-up questions
MANAGING CLIENT EXPECTATIONS
- Resolving differing interpretations of HIPAA requirements, for example:
  - HIPAA/HITECH doesn't specify a time frame for audit log retention
  - HIPAA/HITECH does not provide specific guidance regarding what content must be logged
17 BECOMING A TRUSTED BUSINESS PARTNER - CHALLENGES (CONT.)
PROVING DOWNSTREAM VENDOR COMPLIANCE
- Responsible for articulating downstream vendor security & compliance
  - For AWS, we use ISO certification, HIPAA security configurations, SOC 3 report, security control mappings, whitepapers, published information, and more
- Verification of downstream vendor security controls
  - Done through research, assessments, contractual clauses, etc.
18 ADDRESSING THE CHALLENGES
MOVING TOWARDS AN INDUSTRY-ACCEPTED UNIFIED FRAMEWORK
- Dramatically reduces the number of assessments, eliminates the multitudes of unique artifacts collected on a yearly basis, and shifts the burden of oversight to the certification body
- Defines control parameters (such as audit log retention timeframe and content) based on best practices so that there is less conflict when it comes to interpreting grey areas of the law
- Certification affirms security & compliance of both vendor and downstream vendors
  - Arcadia has chosen HITRUST and its Common Security Framework (CSF)* and is working towards certification by next year.
*The HITRUST CSF is a certifiable framework that encompasses and harmonizes several other compliance frameworks and standards including HIPAA, HITECH, PCI, ISO/IEC, COBIT, NIST RMF and varying state requirements.
19 VENDOR RISK MANAGEMENT PANEL Gary S. Roboff, Senior Advisor November 3, 2017
20 The Shared Assessments Program
Thought Leadership; Training and Certification; Resources; Assessment Tools
- Industry agnostic
- Member-driven
- Annual Third Party Risk Management Summit
- More than 650 third party risk professionals trained since 2015 (CTPRP)
- Resources: research studies, white papers, webinars, workshops
- Actionable, enterprise-wide solution-building
- Industry and technology specific peer working groups
- Examine the entire TPRM landscape
- Assessment tools up-to-date with regulations and threat landscape
- Licensees incorporate SA Program tools to deliver effective ERM solutions to their clients
2017 The Santa Fe Group, Shared Assessments Program. All Rights Reserved.
21 Outsourcing Risks
22 Assertion Statements - SIG Privacy Tab Example
- P.2: For Scoped Data, is personal information about individuals transmitted to or received from countries outside the United States? If yes, list the countries.
- P.2.1: Is information directly collected and used about individuals?
- P.2.2: Are notices provided (and where required, consents obtained) when information is directly collected from an individual? If yes, describe.
- P.2.3: Are there documented policies and operating procedures regarding limiting the personal data collected and its use?
- P.2.4: Are there policies and operating procedures for onward transfer of Scoped Data? If yes, describe.
- P.2.5: Is Safe Harbor/Privacy Shield status maintained with the Department of Commerce with respect to the data protection applicable to the European Union, or another legitimizing method such as Model Contracts?
- P.2.6: If customer data is directly collected from individuals, does the customer have the ability to opt out?
- P.2.7: If customer data of individuals is retained, are there processes and procedures to enable individuals to access, correct, amend, or delete inaccurate information?
- P.2.8: Are there documented policies and procedures for cross border data flows of Scoped Data to the US from other countries? If yes, list the countries.
23 Virtual Assessments - Emerging Alternative to On-Site Assessments
- Hosted by third parties, either regularly, as scheduled by the third party (e.g., quarterly), or as defined by contract (often annually); typically the outsourcer determines timing
- Remotely connected to the third party; vendor demonstrates controls, shows evidence, etc.
- Covers assertion statements and due diligence/control test results
- Most are interactive by design
- Significantly less expensive for both outsourcer and vendor
- Yields perhaps 80% of the value of an on-site visit
- May not be appropriate for all mission-critical situations
24 Onsite Control Testing - AUP Privacy Test Procedure Example
P.4 Third Party Privacy Agreements
Objective: All entities that access, process or store client-scoped privacy data can be a risk to an organization or its clients. Management should ensure that all agreements with third parties contain specific clauses to ensure scoped privacy data is protected and that certain other privacy requirements are included.
Risk Statement: The absence of privacy agreements with third parties where data is shared may lead to misunderstandings in protection, disclosure and compliance, as well as loss of legal standing, in case there is a disclosure or breach.
Control: Privacy agreements detail privacy and protection requirements between the organization and its third parties that have access to scoped privacy data.
Procedure:
a. Using the sample of third parties from the list obtained in P.1 Scoped Privacy Data Inventory and Flows, obtain from the organization and selected third parties, via the organization, the privacy and security portions of the agreement with the organization in place for providing services, and a representative sample of third party privacy and security sections of the agreements from each third party.
b. Inspect each agreement chosen in the sample for evidence of the following attributes:
  1. Third party requirement to protect all scoped privacy data and protected scoped privacy data.
  2. Third party requirement to document the flow of scoped privacy data within its organization and to those third parties with whom it shares scoped privacy data.
  3. Third party requirement to process scoped privacy data in accordance with the agreement.
  4. Etc.
25 Continuous Monitoring
Continuous third party risk monitoring is a real-time (or close to real-time) risk management approach designed to improve organizational awareness related to third party risks and potential control weaknesses as they emerge.
Area / Activity Being Monitored / Risk Addressed:
- Information Technology: change management, network connectivity / confidentiality, integrity, availability
- Information Security: cyber hygiene, patch management, device connectivity, identity management, penetration testing / data leakage, vulnerability exposure
- Privacy: data obfuscation / encryption, data protection, cross border data flows
- Human Resources: employee due diligence, background checks, access management / insider threats, social engineering, unauthorized access
26 Vendor Risk Management Model - Maturity Levels
- Level 5, Continuous improvement: organizations that strive toward operational excellence, understand best-in-class performance levels and implement program changes to achieve them through continuous improvement processes.
- Level 4, Fully implemented and operational: organizations in which vendor risk management activities are fully operational and all compliance measures (including metrics reporting and independent oversight) are in place.
- Level 3, Defined and established: organizations with fully defined, approved and established vendor risk management activity, where activities are not yet fully operational and where metrics reporting and enforcement are lacking.
- Level 2, Approved road map and ad hoc activity: organizations which perform third party risk activity on an ad hoc basis, but have a management-approved plan to structure the activity as part of an effort to achieve full implementation.
- Level 1, Initial visioning and ad hoc activity: organizations which perform third party risk management activities on an ad hoc basis, but are considering how best to structure third party risk activities as part of an effort to achieve full implementation.
- Level 0, Start-up or no TPRM activity: new organizations beginning operations or organizations with no existing vendor risk management activities.
27 Board Engagement Correlates With Practice Maturity, Yet Most Boards Are Not Highly Engaged
How engaged is your board of directors with cybersecurity risks relating to your vendors?
- High level of board engagement/understanding: 29% / 26%
- Medium level of board engagement/understanding: 39% / 37%
- Low level of board engagement/understanding: 25% / 27%
(Chart: Practice Maturity Level by high / medium / low engagement/understanding by the board, Eight Category Average)
Source: 2017 Vendor Risk Management Benchmark Study, forthcoming, 2017, by The Santa Fe Group, Shared Assessments Program, and Protiviti, Inc.
28 De-risking: Exiting High Risk Relationships
Over the next 12 months, what is the likelihood that your organization will move to exit or "de-risk" third-party relationships that are determined to have the highest risk?
- Extremely Likely: 14%
- Somewhat Likely: 39%
- Somewhat Unlikely: 24%
- Not at all Likely: 13%
- Don't Know: 10%
Which of the following are reasons why your organization may be more inclined to exit or "de-risk" certain third-party relationships? (Multiple responses permitted.)
- It's become imperative from a risk and regulatory standpoint to also assess our vendors' subcontractors: 48%
- The cost associated to assess our vendors properly is becoming too high: 29%
- We lack the internal support and/or skills for the required sophisticated forensic control testing of our vendors: 24%
- We will not receive sufficient internal support to "de-risk" our third party relationships: 18%
- We do not have the right technologies in place to assess vendor risk properly: 15%
Source: 2017 Vendor Risk Management Benchmark Study, forthcoming, 2017, by The Santa Fe Group, Shared Assessments Program, and Protiviti, Inc.
29 Hot Topics
- GDPR
- Fourth Parties
- IoT
- Open Source Software
- Cloud
- De-Risking
- Resources
- Assessment Costs
- New York State Cyber Regs
30 Questions
31 Vendor Risk Management: GDPR Implications for Vendor Management
32 GDPR Implications for Vendor Management
GDPR requires implementing a comprehensive vendor management program:
- Vendor due diligence and audits: controllers may only use processors providing sufficient guarantees of their abilities to implement the technical and organizational measures necessary to meet GDPR requirements (Art. 28)
- Existing vendor agreements must also be reviewed
- Consider conducting a Data Protection Impact Assessment ("DPIA") prior to engaging a vendor (Art. 35)
- Long list of mandatory data processing provisions (Art. 28)
- Restrictions on sub-contracting (only with the controller's prior consent and on the same terms) (Art. 28)
- GDPR's direct compliance obligations and enhanced liability force processors to change their approach to data privacy compliance
33 GDPR Implications for Vendor Management (cont.)
Vendor contracts should include (Art. 28):
- Details of data processing (e.g., subject-matter, duration, nature and purpose of processing, types of data, categories of data subjects)
- Processing only on the controller's documented instructions (including international data transfers)
- Individuals processing data must be subject to a duty of confidentiality
- Requirements to implement adequate security for processing
- Assist the controller to comply with data subject rights (e.g., right of access, data portability, right to erasure ("right to be forgotten"), etc.)
- Assist the controller in reporting data breaches and performing DPIAs
- Requirement to return or delete data after processing/end of the agreement
- Requirement to respond to the controller's information requests and submit to the controller's audits
- Restrictions on engaging sub-processors
34 Thank You
Organisational Readiness for the European Union General Data Protection Regulation (GDPR) 1 Contents Foreword...3 Executive Summary...4 Survey Results and Key Findings...6 1. GDPR impact, organisational
More informationCorporate Background and Experience: Financial Soundness: Project Staffing and Organization
A motion by Kentucky, on behalf of the Certification Committee, to adopt changes to the Governing Board Rules, Appendix C, Criteria and Minimum Standards for CSP Certification: Appendix C (04/07/2015)
More informationGDPR factsheet Key provisions and steps for compliance
GDPR factsheet Key provisions and steps for compliance Organisations hold vast amounts of personal data relating to customers, employees, and suppliers as well as within marketing databases. Compliance
More informationIT Strategic Plan Portland Community College 2017 Office of the CIO
IT Strategic Plan Portland Community College 2017 Office of the CIO 1 Our Vision Information Technology To be a nationally recognized standard for Higher Education Information Technology organizations
More informationGeneral Data Protection Regulation (GDPR) Readiness
For External Distribution Canada Life UK General Data Protection Regulation (GDPR) Readiness Customers, Clients and Business Partners FAQ GDPR TP FAQ January 2018 Frequently Asked Questions (FAQ) Document
More informationEU General Data Protection Regulation (GDPR) Tieto s approach and implementation
EU General Data Protection Regulation (GDPR) Tieto s approach and implementation GDPR roles and positions Data subjects Information on processing Consent or other basis for processing Right requests High
More informationGDPR Factsheet - Key Provisions and steps for Compliance
GDPR Factsheet - Key Provisions and steps for Compliance Organisations in the Leisure & Hospitality industry hold vast amounts of personal data relating to customers, employees, and suppliers as well as
More informationIndustry insight and global experience: the intelligent connection
Life sciences sector Industry insight and global experience: the intelligent connection Fraud Investigation & Dispute Services Reactive response and proactive risk management Life sciences companies are
More informationApplying Integrated Assurance Management Scenarios for Governance Capability Assessment
Applying Integrated Assurance Management Scenarios for Governance Capability Assessment János Ivanyos Trusted Business Partners Ltd, Budapest, Hungary, ivanyos@trusted.hu Abstract. The well established
More informationWhat you need to know. about GDPR. as a Financial Broker. Sponsored by
What you need to know about GDPR as a Financial Broker Dear Partner The regulatory and compliance environment is ever changing and the burden and requirements on financial services professionals continues
More informationASSESSMENT AND EVALUATION OF THE CITY OF PHILADELPHIA S INFORMATION TECHNOLOGY GENERAL CONTROLS FISCAL 2016
ASSESSMENT AND EVALUATION OF THE CITY OF PHILADELPHIA S INFORMATION TECHNOLOGY GENERAL CONTROLS FISCAL 2016 Charles J. Brennan Chief Information Officer Office of Innovation and Technology 1234 Market
More informationIPO Readiness. Sarbanes-Oxley Compliance & Other Considerations. Presented by:
IPO Readiness Sarbanes-Oxley Compliance & Other Considerations Presented by: IPO Readiness Enhanced Financial / Legal compliance SEC / Stock Exchange Compliance Entity Structure / Registration Filing Requirements
More informationTypes of Systems Audit & Relevance. Presented By: Prasad Pendse, CISA
Types of Systems Audit & Relevance Presented By: Prasad Pendse, CISA Agenda Systems Audit Categories & Types of Systems Audit, Relevance IT & Application Audits Security Audits Process Audits Advantages
More informationThird Party Risk Management ( TPRM ) Transformation
Third Party Risk Management ( TPRM ) Transformation September 20, 2017 Internal use only An introduction to TPRM What is a Third Party relationship? A Third Party relationship is any business arrangement
More informationEY Center for Board Matters. Leading practices for audit committees
EY Center for Board Matters for audit committees As an audit committee member, your role is increasingly complex and demanding. Regulators, standard-setters and investors are pressing for more transparency
More informationGeneral Personal Data Protection Policy
General Personal Data Protection Policy Contents 1. Scope, Purpose and Users...4 2. Reference Documents...4 3. Definitions...5 4. Basic Principles Regarding Personal Data Processing...6 4.1 Lawfulness,
More informationRSA Solution for egrc. A holistic strategy for managing risk and compliance across functional domains and lines of business.
RSA Solution for egrc A holistic strategy for managing risk and compliance across functional domains and lines of business Solution Brief Enterprise Governance, Risk and Compliance or egrc is an umbrella
More informationRSM ANTI-MONEY LAUNDERING SURVEY BEST PRACTICES AND BENCHMARKING FOR YOUR BSA/AML PROGRAM
RSM ANTI-MONEY LAUNDERING SURVEY BEST PRACTICES AND BENCHMARKING FOR YOUR BSA/AML PROGRAM Anti-money laundering (AML) regulations are at times challenging for banks. Emerging risks and increased scrutiny
More informationMake money, save money and manage risk
Make money, save money and manage risk The benefits of well-designed environment, health, safety and sustainability programs EHS and sustainability The opportunities and risks associated with environment,
More informationCurrent State of Enterprise Risk Oversight:
Current State of Enterprise Risk Oversight: Progress is Occurring but Opportunities for Improvement Remain July 2012 Mark Beasley Bruce Branson Bonnie Hancock Deloitte Professor of ERM Associate Director,
More informationBENEFITS OF AN EFFECTIVE OUTSOURCING STRATEGY. March 1, 2017
BENEFITS OF AN EFFECTIVE OUTSOURCING STRATEGY March 1, 2017 RSM overview Fifth largest audit, tax and consulting firm in the U.S. Over $1.6 billion in revenue 80 cities and more than 8,000 employees in
More informationSOLUTION BRIEF EU GENERAL DATA PROTECTION REGULATION COMPLIANCE WITH RSA ARCHER
EU GENERAL DATA PROTECTION REGULATION COMPLIANCE WITH RSA ARCHER ARRIVAL OF GDPR IN 2018 The European Union (EU) General Data Protection Regulation (GDPR) that takes effect in 2018 will bring changes for
More informationGOLD FIELDS LIMITED. ( GFI or the Company ) BOARD CHARTER. (Approved by the Board of Directors on 16 August 2016)
1 GOLD FIELDS LIMITED ( GFI or the Company ) BOARD CHARTER (Approved by the Board of Directors on 16 August 2016) 2 1. INTRODUCTION The Board Charter is subject to the provisions of the South African Companies
More informationComments on Chapter IV Part I Controller and processor 25/08/2015 Page 1
Comments on Chapter IV Part I Controller and processor 25/08/2015 Page 1 Bitkom represents more than 2,300 companies in the digital sector, including 1,500 direct members. With more than 700,000 employees,
More informationStandard Statement and Purpose
Personnel Security Standard Responsible Office: Technology Services Initial Standard Approved: 10/23/2017 Current Revision Approved: 10/23/2017 Standard Statement and Purpose Security of information relies
More informationAudit Committee Charter Amended September 3, Tyco International plc
Audit Committee Charter Amended September 3, 2015 Tyco International plc Page 1 Purpose The Audit Committee is appointed by the board to assist the board in monitoring: a. The integrity of the financial
More informationCloud sourcing: are you familiar with Luxembourg s revised regulatory environment?
Cloud sourcing: are you familiar with Luxembourg s revised regulatory environment? Contents 4 Cloud sourcing: are you familiar with Luxembourg s revised regulatory environment? 6 The new CSSF Circular
More informationRisk Advisory Services Developing your organisation s governance for competitive advantage
Advisory Services Developing your organisation s governance for competitive advantage The Deloitte Advisory Platform of Services can help you to govern your strategic plan to guide your operations measure
More informationQUICK FACTS. Delivering a Managed Services Solution to Satisfy Exponential Business Growth TEKSYSTEMS GLOBAL SERVICES CUSTOMER SUCCESS STORIES
[ Financial Services, Application Management Outsourcing ] TEKSYSTEMS GLOBAL SERVICES CUSTOMER SUCCESS STORIES Client Profile Industry: Financial Services Revenue: Approximately $30 billion annually (parent
More informationExtended enterprise risk management: New perspectives on a growing imperative The Dbriefs Governance, Risk, & Compliance series
Extended enterprise risk management: New perspectives on a growing imperative The Dbriefs Governance, Risk, & Compliance series Dan Kinsella, Partner, Deloitte & Touche LLP Kristian Park, Partner, Deloitte
More informationShow notes for today's conversation are available at the podcast website.
Information Compliance: A Growing Challenge for Business Leaders Transcript Part 1: Information Compliance Overload Julia Allen: Welcome to CERT's podcast series: Security for Business Leaders. The CERT
More informationPrivacy governance survey. The state of privacy management in Belgian organisations
Privacy governance survey The state of privacy management in Belgian organisations January 2017 Welcome How are Belgian organisations performing when it comes to the protection of personal data? In November
More informationPreparing for an OCR Audit: What is Expected of You
Preparing for an OCR Audit: What is Expected of You Speakers Chuck Burbank CISO and Director of Managed Privacy Services FairWarning Robert Mireles, CIPM Sr. Healthcare Privacy Specialist for Managed Privacy
More informationExtended Enterprise Risk Management
Extended Enterprise Risk Management Driving performance through the extended enterprise October 2015 A network within a network The Extended Enterprise is the concept that an organization does not operate
More informationThe SAM Optimization Model. Control. Optimize. Grow SAM SOFTWARE ASSET MANAGEMENT
The Optimization Model Control. Optimize. Grow The Optimization Model In an ever-changing global marketplace, your company is looking for every opportunity to gain a competitive advantage and simultaneously
More informationW. R. GRACE & CO. CORPORATE GOVERNANCE PRINCIPLES
W. R. GRACE & CO. CORPORATE GOVERNANCE PRINCIPLES The primary responsibility of the directors of W. R. Grace & Co. is to exercise their business judgment to act in what they reasonably believe to be in
More informationPREDICTIVE INTELLIGENCE SECURITY, PRIVACY, AND ARCHITECTURE
PREDICTIVE INTELLIGENCE SECURITY, PRIVACY, AND ARCHITECTURE Last Updated: May 6, 2016 Salesforce s Corporate Trust Commitment Salesforce is committed to achieving and maintaining the trust of our customers.
More informationETHICS & COMPLIANCE PROGRAM REVIEW: A LOOK AT FOUR COPORATE COMPLIANCE PROGRAMS
ETHICS & COMPLIANCE PROGRAM REVIEW: A LOOK AT FOUR COPORATE COMPLIANCE PROGRAMS 1 Panelists Amy T. Lilly Director Ethics & Compliance, CenterPoint Energy, Inc. Jackie L. Phillips VP, Corporate Ethics &
More informationInformation Governance Policy
Information Governance Policy Version: 4.0 Ratified by: NHS Bury Clinical Commissioning Group Information Governance Operational Group Date ratified: 19 th September 2017 Name of originator /author (s):
More informationOPTINOSE, INC. CORPORATE GOVERNANCE GUIDELINES
OPTINOSE, INC. CORPORATE GOVERNANCE GUIDELINES The Board of Directors (the Board ) of OptiNose, Inc. (the Company ) has adopted these Corporate Governance Guidelines (these Guidelines ) to assist the Board
More informationFour faces of the CFO
Four faces of the CFO CFOs play four critical roles Catalyst Catalyze behaviors across the organization to execute strategic and financial objectives while at the same time creating a risk intelligent
More informationDealing with the EU Data Protection Regulation in Practice. William Long, Partner Sidley Austin LLP February 11, 2016
Dealing with the EU Data Protection Regulation in Practice William Long, Partner Sidley Austin LLP February 11, 2016 Do you need to comply? The Regulation will apply to a business processing personal data:
More informationThe New EU General Data Protection Regulation 1
The New EU General Data Protection Regulation 1 Dear clients and friends, On 14 April 2016 the EU Parliament formally approved the General Data Protection Regulation ( the Regulation ). The Regulation
More informationENTERPRISE RISK SERVICES Managing Risk, Driving Results
ENTERPRISE RISK SERVICES Managing Risk, Driving Results Risk Management Solutions At MNP, our Enterprise Risk Services team assists organizations as they navigate through uncertainty by helping them effectively
More informationEGUIDE BRIDGING THE GAP BETWEEN HEALTHCARE & HIPAA COMPLIANT CLOUD TECHNOLOGY Created for mike elfassi
Created for mike elfassi Bridging The Gap Between Healthcare & Hipaa Compliant Cloud Technology and outsource computing resources to external entities, would provide substantial relief to healthcare service
More informationWhen Recognition Matters TRAINING AND CERTIFICATION CATALOGUE
When Recognition Matters TRAINING AND CERTIFICATION CATALOGUE 2017 www.pecb.com Table of Contents THE IMPORTANCE OF PECB TRAINING COURSES IN YOUR EVERYDAY LIFE... 5 CHOOSE WHICH COURSE IS RIGHT FOR YOU...
More informationTWELVE STEP PLAN TO BECOME COMPLIANT WITH THE GENERAL DATA PROTECTION REGULATION
TWELVE STEP PLAN TO BECOME COMPLIANT WITH THE GENERAL DATA PROTECTION REGULATION Awareness Data Stream Map Communication Rights of the subject Legal basis Consent Data Breaches Privacy by design and PIA
More informationNATIONAL VISION HOLDINGS, INC. CORPORATE GOVERNANCE GUIDELINES
NATIONAL VISION HOLDINGS, INC. CORPORATE GOVERNANCE GUIDELINES INTRODUCTION The Board of Directors (the Board ) of National Vision Holdings, Inc. (the Company ) has adopted these corporate governance guidelines
More informationEU GENERAL DATA PROTECTION REGULATION
EU GENERAL DATA PROTECTION REGULATION GENERAL INFORMATION DOCUMENT This resource aims to provide a general factsheet to Asia Pacific Privacy Authorities (APPA) members, in order to understand the basic
More informationRSA ARCHER IT & SECURITY RISK MANAGEMENT
RSA ARCHER IT & SECURITY RISK MANAGEMENT INTRODUCTION Organizations battle growing security challenges by building layer upon layer of defenses: firewalls, anti-virus, intrusion prevention systems, intrusion
More informationCORPORATE GOVERNANCE KING III COMPLIANCE
CORPORATE GOVERNANCE KING III COMPLIANCE Analysis of the application as at March 2013 by AngloGold Ashanti Limited (AngloGold Ashanti) of the 75 corporate governance principles as recommended by the King
More information