Outsourcing and the Need for Supplier Audits
John A. Gatto, Retired
April 3, 2017

Agenda
- Why Audit Suppliers
- Outsourcing
- Supplier Risks
- Minimum Security Standards
- Audit Focus
Definitions
- Third Party: any entity not under direct business control of an organization
- 3rd Party Risk Management: encompasses supplier risk management and is more broadly focused on understanding organizational risks
  - Understanding which risks can be affected by a third party, either positively or negatively
- 3rd Party Inventory: comprehensive list of 3rd parties from across the enterprise
  - Suppliers, business partners, marketing partners
  - Should also include subsidiaries

High Level of Risk
- Access to / custody of vital information
- Critical to the success of the business
Why?
- $50 billion estimated annual losses to business from data and identity theft
- 3rd parties are a major source of data breaches of regulated data
- 74% of companies do not have a complete inventory of all 3rd parties that handle personal data of their employees and customers (A)
- 73% of companies lack incident response processes to report and manage breaches to 3rd parties that handle data (A)
- Breaches and noncompliance can lead to brand reputation damage, fines, lost revenue and/or regulatory sanctions
- Financial impact: investigations, legal fees, monitoring services for victims, reissuance of credit cards, government fines, etc.

(A) PwC 2014 Global State of Information Security Survey

Regulatory Requirements
- GLBA, ISO, PCI, FDIC Regs, HIPAA, FFIEC, OCC
Key 2016 CEB Hot IT Spots
- Third Party Relationships
  - Externalization of application development, infrastructure operations and back office processing is continuing to rise
  - Complex sourcing options and persistent economic volatility, poorly structured contracts, ineffective supplier risk management and lower quality services
- Add to Audit Plan
  - 3rd Party Contract Evaluation
  - 3rd Party Compliance Review
  - Supply Chain Management Assessment
  - Third party information security audit

Key 2016 CEB Hot IT Spots - Key Risk Indicators
- Number of compliance violations attributed to 3rd parties
- Number of 3rd parties with access to sensitive company data
- Use of right to audit clause
- Number of 3rd party contracts established outside the procurement function
- Frequency of business interruptions caused by 3rd party control breakdowns
Outsourcing
- Transform non-core business processes and ensure that maximum value from resources is focused on core processes
- Partnering with an outsourcer is a very effective means to build a company that is capable of meeting future needs and turning on a dime at a moment's notice
- Delegate one or more business processes to an external provider who owns, administers or manages the processes based on performance metrics
Outsourcing Risks
- Handling and processing of data
- Security and access
- Retention of data
- System availability
- Specific business factors

Areas for Outsourcing
- IT
- Accounting
- Corporate Services
- Document Management
- Healthcare processing
- Call Centers
- SoX / MAR Compliance
- CRM
- Storage Facilities
- Printing
- Internal Audit
- Real Estate
- Product Development
Major Types of IT Outsourcing
- Application management
- Infrastructure management
- Help desk services
- Independent testing / validation services
- Data center management
- Systems integration
- R&D services
- Managed security

Outsourcing Life Cycle
- ALIGNMENT
  - Validating the strategy
  - Identifying options
  - Preparing the business model
  - Agreeing on sponsorship and building the team
- FEASIBILITY
  - Building the business model and case
  - Creating the baseline
  - Understanding the market
  - Assessing and benchmarking options
Outsourcing Life Cycle (continued)
- TRANSACTION
  - Structuring the deal
  - Agreeing on outsourced assets
  - Negotiating the contract
  - Delivering the deal and the business case
- TRANSITION
  - Delivering the change
  - Getting quick returns on investment
  - Establishing the culture
  - Managing people
- OPTIMIZATION & TRANSFORMATION
  - Monitoring the contract and resolving disputes
  - Transforming the business
  - Reassessing the relationship
  - Delivering the business case and realizing the benefits
- TERMINATION / RENEGOTIATION
  - Determine SLA adherence by both parties
  - Decide if agreement should continue or end
  - If end, invoke termination process
  - If continue, renegotiate contract
Supplier Risk Problems
- What types of data do my suppliers have access to?
- How are my suppliers protecting my data?
Highest Risk Industries
- Government
- Financial Services
- Healthcare
- Payroll Management Companies
- Banking
- Investment / Fund Managers

Outsourcing Life Cycle - Risks
- Alignment: Outsourcing strategy is not aligned with corporate objectives.
- Feasibility: Assumptions (payback period and savings) are wrong - inadequate due diligence from suppliers and the organization's failure to assess relevant risks.
- Transaction: Procurement policies not met; proper service-level agreements not implemented; regulatory implications not considered; contingency arrangements not planned.
- Transition: Lack of formal transition planning, failure to plan for retention of appropriate skills, and ineffective escalation and resolution of operational IT issues.
- Optimization and Transformation: Outsourcing contract is not managed effectively - outsourcing benefits and efficiencies are not achieved.
- Termination and Renegotiation: Inadequate termination of outsourcing processes.
Risk Management
- Supplier Risk Management: the process of assessing, mitigating and remediating key areas of risk around the suppliers that provide services to an organization
- (Diagram: data flows from Suppliers into The Enterprise and from The Enterprise out to Customers)
- Customer Risk Management: the process of responding to, mitigating and remediating key areas of risk identified by customers. This is both a proactive (self identified) and a reactive (customer identified) process

TPRM - What It Is
- Third Party Risk Management (TPRM) is the process of analyzing and controlling risks presented to your company, your data, your operations and your finances by parties OTHER than your own company.
- Due Diligence is the investigative process by which a company or other third party is reviewed to determine its suitability for a given task. Due diligence is an ongoing activity, including review, monitoring, and management communication over the entire vendor lifecycle.
- No universally accepted framework like COBIT or COSO
Parties in Risk Management
- Business Operations
- IT
- Security
- Finance
- Legal
- Compliance
- Procurement
- Internal Audit

TPRM - Process
- Initial Risk Review
  - Based on risk tier
  - Documentation review
  - On-site review
  - Business process documentation
  - Inherent risk / residual risk
  - Remediation plan
- Ongoing Monitoring
  - Both for changed risks and for changes at the third party
- Recurring Reviews
  - Based on risk tier
Classes of Data Suppliers Handle
- Public
- Internal
- Restricted
- Confidential

Types of Data Suppliers Handle

Classification of Data Handled by Supplier (most to least sensitive): Confidential, Restricted, Internal, Public

Examples of Type of Data Handled by Supplier:
- Confidential: Protected health information; Medical records; Patient / member information; Treatment & condition information; Credit card information; Payroll information; Employee performance data; HR and personnel records; Member address; Phone number; Biometric info; address; Date of birth; Investigations; Tax information; Employee info
- Restricted: Proprietary and trade secrets; Proprietary code & business logic; Reports / Assessments; Findings and recommendations; Strategy / roadmap documents; Internal company memoranda; Highly sensitive reports; Budgets; Financial data; Projections
- Internal / Public: Marketing and promotional materials; Mailings and solicitations; Public relations; Campaigns and outreach; Telemarketing; Surveys; Advertising material; Web and media

Example of Supplier Business Relationship (listed from the Confidential end of the scale to the Public end):
- Outsourced software development
- Outsourced software maintenance and support
- Customer / Member helpdesk
- Claims processing
- Mail / Envelope stuffing and fulfillment
- Payroll and check printing services
- Benefits administration services
- Tax compliance services
- HR consulting and outsourcing services
- Mission critical consultants and contractors
- Professional services firms
- Consultants and advisory firms
- Professional service contractors
- Advertising agency
- Event marketing firm
- Web-design and digital media services
- Printing and graphics design
- Marketing and survey companies
Risk Levels by Types of Data
(Chart: Risk Level on the vertical axis, Low to High; Classification of Data Handled by Supplier on the horizontal axis, Public, Internal, Restricted, Confidential. Risk rises from Low for Public data to High for Confidential data.)

Supplier Risks
- Contract language not clear / missing critical component
- Cannot meet contract due to financial issues
- Security issues / data breaches affect company brand
- Adherence to employment requirements
- Not able to provide services to match SLAs
- Inadequate recovery processes
Supplier Risks (continued)
- Country specific laws and regulations hinder performance
- Access to data outside of the business arrangements
- Subcontractors not adhering to main contract provisions
- Cost reductions not met
- Loss of business knowledge
- Customer restrictions

Supplier Risks (continued)
- Process discipline
- Scope creep
- Turnover of key personnel
- Knowledge transfer
- Internal control structure
- Culture
Supplier Landscape Considerations
- On-shore versus offshore suppliers
  - Risks in both
  - Sensitivity with many customers about the availability of their data to off-shore personnel
- Volume & sensitivity of data
  - Increased reliance on supplier solutions to work with your most sensitive data requires that you are cognizant of the shared risk
- How data is accessed, stored, transmitted & viewed
  - More control when suppliers access the data via your network
  - More risk when data leaves your network
- Maturity of supplier & supplier's security program
  - Understand the supplier's commitment to security & reducing risk - a stolen unencrypted laptop can harm company reputation if data is exposed

Supplier Contracting
(Diagram: Privacy, Business, Audit, Security and Legal all feed into Supplier Contracting)
Supplier Security Controls Life Cycle
- Strategy & Planning: Privacy, Audit, Legal & Security requirements
- RFP: Supplier ability and method to meet contractual requirements; Supplier security controls questionnaire
- Contracting: Business Associate Agreements; Minimum Security Requirements; Requirements for data access, connectivity, data transfer, etc.
- Implementation: Understanding the process for incident notification
- Monitoring: Supplier security controls questionnaire; Supplier assessments / audits
- Contract Termination: Protocols over data when relationship no longer exists
Due Diligence
- Audited Financial Statements
- Experience & Capabilities
- Business Reputation
- Qualifications & Experience
- Scope of internal controls, systems, data security and audit coverage
- Existence of significant complaints, litigation or regulatory actions
- Business resumption strategy & contingency plans
- Use of other parties or subcontractors
- Adequacy of management information systems
- Supplier Management Processes
- Insurance Coverage

Contract Risks
- Understanding your needs
- Establishing stakeholders and defining roles
- Defining business and technical requirements
- Defining supplier requirements
- Supplier outsourcing
Key Contract Components
- Scope
- Data protection, privacy, and intellectual property
- Price protections
- Third-party assignments
- Ownership of assets used or created by the partnership
- Conflicts among different legal systems
- Contingency planning and change management
- Right to audit
- Termination
- Dispute Resolution
- Confidentiality & Security

Key Items to Understand
- How are contracts structured for suppliers: Standard, Master Service Agreement, Amendments, Exhibits, Appendices, etc.?
- Do you have a right to audit clause in the contract?
- Are services detailed?
- Are locations identified and addresses provided?
- Are resources assigned?
- Is system access identified?
- Are minimum security requirements included?
Minimum Security Requirements
- Security Assessment
  - Conduct an annual security assessment
  - Identified gaps - remediation plans
- Security Officer
  - Appoint a person who is either the Security Officer and/or is responsible for compliance
- Implement Security Policies and Procedures
  - Document the administrative, technical and physical controls to protect data
  - Include appropriate disciplinary provisions for data security violations

Minimum Security Requirements (continued)
- Awareness & Training
  - Have data security awareness and training
  - Receive training prior to contact with data
- Security Monitoring
  - Continuously monitor security events / conduct periodic reviews of activity
  - Implement hardware, software and procedural audit control mechanisms
- Incident Response
  - Timely notification of suspected / actual data compromise
  - Steps to prevent further damage and corrective action steps to stop the incident from recurring
Minimum Security Requirements - Physical Security
- Monitor building exterior and all entrances
- Process for logging and escorting visitors
- Deploy / monitor cameras 24 x 7
- Deploy and use electronic access control system
- Have solid floor-to-ceiling walls
- Provide alternate power sources
- Not display any information about Company
- Data received in paper or portable media stored in locked containers, etc.

Minimum Security Requirements - Physical Security outside the US (additional requirements)
- Be enclosed by a compound wall with entry/exit gate attended by security guard 24x7
- Restricted access parking requires: vehicle identifiers, vehicle examination prior to entrance (visual inspection of undercarriage, interior of vehicle, interior of trunk, etc.), presentation of employee identification badge prior to entrance
Minimum Security Requirements - Workstation Security
- Workstations shall be positioned so that XYZ data is not visible outside of the designated XYZ production area
- Workstations shall lock after no more than 10 minutes of inactivity
- Supplier personnel shall be instructed to lock their workstations when they are away from their desks
- Laptops shall not be used to access, process, transmit or store data

Minimum Security Requirements - Workstation Security (continued)
- Print capability is disabled
- Access to applications is limited; applications not required for processing data are disabled
- USB and CD/DVD drives are disabled
- End-point firewalls installed on all Supplier workstations and configured to prevent unauthorized network access attempts
Minimum Security Requirements - Subcontractors
- Not employ subcontractors unless express written permission is granted prior to implementing the arrangement
- Monitor activities of subcontractors for compliance with the Agreement

Minimum Security Requirements - Encryption
- Comply with standards provided by the National Institute of Standards and Technology (NIST)
- For data in transit, must use encryption technologies that comply with NIST and applicable state and federal regulations ("Approved Encryption")
- Implement technical security measures to guard against unauthorized access to data that is being transmitted over an electronic communications network
- Encryption shall be the primary means of securing the data while in transit

Other Security Requirements
- Hard Copy Documentation
- Remote Access / Network Security
- Asset Tracking, Disposal & Destruction
- Security Safeguards for Data in Transit
- Anti-Malware
- Patch Management
- Logical Separation of Data
- Access to Data
- Development & Testing
- Business Continuity / Disaster Recovery
Why Lax Supplier Management?
- No formal program or owner
- No formal framework or guidance, so people don't know where to start
- Time consuming
- Too many vendors to assess OR lack of a vendor inventory to know who to assess
- Manual, spreadsheet-driven process
- Vendors may be brought in as a personal referral

Supplier Governance Framework
- Align every IT outsourcing contract with the organization's key business objectives
- Set up a monitoring mechanism
- Manage changes in IT projects and services across complex portfolios
- Define well-integrated IT management processes for the client and service provider
- Define specific ownership of key contract terms
- Establish direct and visible accountability for IT performance
Monitoring
- Which suppliers require monitoring
- What should be monitored
- Who should conduct the monitoring
- How frequently
- When to do on site versus remote

Compliance Elements
- Legal and Regulatory Compliance: Is the supplier compliant with regulators and self-regulatory organizations?
- Financial Condition: In addition to the vendor's current financial condition, assess third-party suppliers' growth, earnings, pending litigation and any other factors that may affect the supplier's overall stability.
- Business Reputation: Does the supplier have a history of complaints performing the activities the company is planning to outsource?
- Compliance / Risk Management: Only work with third-party suppliers that have processes in place for ensuring compliance with contractual and regulatory requirements and following industry best practices.
- Subcontracting: Assessments should include validation that the supplier is in compliance with contractual provisions concerning supplier outsourcing.
Compliance Elements (continued)
- Business Continuity: A third-party supplier should have a plan in place to respond to service disruptions ranging from Internet outages to cyber-attacks or natural disasters.
- Physical and IT Security: The vendor should have controls in place to ensure its IT systems are protected from external and internal attacks and that its computers and servers are protected from theft.
- The Right to Audit and Require Remediation: Before entering into an agreement, establish the right to audit the third party and to require remediation when issues are identified.
- Termination: Procedures should also be spelled out in some level of detail should the third party be unwilling or unable to fulfill its compliance and performance obligations.
Audit Planning - Key Questions
- Who are your key suppliers?
- Who maintains the supplier inventory and how is it updated?
- What can the supplier provide in terms of assurance (SOC 2, HITRUST certification)?
- Do you have a right to audit clause in the contract? How clear is it?
- Do you exercise your right to audit clause?
- Does your company have a centralized supplier management program?

Audit Focus
- IA needs to be independent and determine if TPRM controls are designed properly and operating as designed
- TPRM is the second line of defense and the operational aspects of the program should be reviewed with key stakeholders
- IA is the 3rd line of defense and should focus on 3rd party on-site activities required by the program
- Depending on who owns the controls, IA will need to review that area for sustainability
- The supplier owner must be in compliance with the contract; IA needs to audit that area also
- IA should be reviewing the compensating controls that help minimize risks and monitor all remediations needed
Audit Focus (continued)
- Have 1 person facing off with 3rd party management
  - Sets the audit standard for 3rd party audit programs
  - Acts as SME on 3rd party risk management within audit
  - Conducts reviews and identifies potential risks and required remediation
  - Develops an opinion of the overall design and effectiveness of the TPRM

Key Audit Focus
- Supplier selection / governance
- Supplier security
- Supplier management procedures
Key Controls - Supplier Operations
- Overall control environment
- Security considerations
- Data protection
- Network, physical, environment, personal and logical access security
- SDLC Controls
- Change management controls
- HR policies and procedures

What Should Audit Do?
- Supplier Selection
  - Obtain list of all suppliers
  - Who is approved to update the list
  - Statistics on spend
  - Criticality to core business functions
- Supplier Audits
  - Questionnaire
  - Rank results
  - Follow-up calls with suppliers
  - Site visits
- Supplier Oversight
  - Reporting
  - Meetings
  - Site visits
  - KPIs
- Supplier Termination
  - Assess vendor termination control environment
  - Ensure data properly returned or destroyed
  - Review contract termination controls
- Audit Reports
  - Identify gaps
  - Follow-up on remediation
Audit Approach
1. Identify the Services Provided
2. Identify the Potential Risks
3. Document Security and Privacy Controls
4. Document Gaps
5. Recommend Enhancements

Audit Approach - Steps 1 to 3
- Identify the Services Provided
  - What information is accessed, managed or handled?
  - Does the supplier store any critical information?
  - Does the supplier have access to the information via a connection to the network?
  - Does the supplier provide access to critical data?
- Identify the Potential Risks
  - Based on services provided, identify the areas of potential risk
  - Use COBIT, ISO 27001, NIST or your own questionnaire
  - If data is not confidential, do you need to audit this supplier?
  - Document the risk for each service activity
- Document Security and Privacy Controls
  - Identify security controls for each risk identified in step 2
  - For each control, refer to documentation or evidence of the effectiveness of the control
  - Request SOC 1, SOC 2 or pen test reports
Audit Approach - Steps 4 and 5
- Document Gaps
  - Compare the controls of the supplier with industry best practices
  - Identify areas where controls are missing or substandard
  - Focus on areas that could impact confidential data and brand image
- Recommend Enhancements
  - Prioritize risks associated with the gaps
  - Recommend solutions to bridge the gaps
  - Prioritize the timing of the enhancements
  - Determine if the report will be an advisory or an audit based on the risk ranking
  - Identify follow-up items and personnel responsible

Audit Domains
- Organizational
- Network and Server Security
- Physical Security and Environmental
- Change Management
- Workstation Security
- Corporate Continuity
- Logical/Data Access
- Supplier Governance
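The five-step approach above lends itself to a repeatable check that an audit team can run over its supplier inventory. The Python below is an added example, not material from the deck or its author: it derives a supplier's risk tier from the most sensitive data class the supplier handles (the ordering of the Risk Levels by Types of Data chart), compares the supplier's control attestations against requirements paraphrased from the Minimum Security Requirements slides, and ranks the resulting gaps by tier and severity so that remediation order and the audit-versus-advisory decision follow the risk ranking. The supplier profiles, the profile field names, the severity values and the Low/Medium/High cut points are constructed assumptions for illustration.

```python
"""Supplier audit gap analysis: risk tier from data classification, gaps
against minimum security requirements, gaps ranked by tier x severity.
Added example; field names, cut points and sample suppliers are constructed."""
from dataclasses import dataclass
from typing import Callable

# Data classes ordered as on the deck's chart (low to high risk), and the
# assumed cut points that turn the chart's ramp into Low/Medium/High tiers.
CLASS_RANK = {"Public": 0, "Internal": 1, "Restricted": 2, "Confidential": 3}
TIER_OF_RANK = {0: "Low", 1: "Low", 2: "Medium", 3: "High"}
TIER_WEIGHT = {"Low": 1, "Medium": 2, "High": 3}


@dataclass(frozen=True)
class Requirement:
    """A minimum security requirement: text, severity 1-3 (assumed), and a
    predicate over a supplier profile that returns True when the control is met."""
    name: str
    severity: int
    met: Callable[[dict], bool]


# Paraphrased from the deck's Minimum Security Requirements slides; the
# profile keys each predicate reads are constructed for this example.
REQUIREMENTS = [
    Requirement("Annual security assessment conducted", 2, lambda p: p["annual_assessment"]),
    Requirement("Security Officer / compliance owner appointed", 2, lambda p: p["security_officer"]),
    Requirement("Workstations lock after no more than 10 minutes", 2, lambda p: p["screen_lock_minutes"] <= 10),
    Requirement("Laptops not used to access, process or store data", 3, lambda p: not p["laptops_used"]),
    Requirement("USB and CD/DVD drives disabled", 2, lambda p: p["removable_media_disabled"]),
    Requirement("End-point firewall on all supplier workstations", 2, lambda p: p["endpoint_firewall"]),
    Requirement("NIST-compliant encryption for data in transit", 3, lambda p: p["nist_transit_encryption"]),
    Requirement("Timely notification of suspected / actual data compromise", 3, lambda p: p["incident_notification"]),
    Requirement("No subcontractors without prior written permission", 3, lambda p: not p["unapproved_subcontractors"]),
]


def risk_tier(data_classes):
    """The tier follows the most sensitive data class the supplier handles."""
    return TIER_OF_RANK[max(CLASS_RANK[c] for c in data_classes)]


def find_gaps(profile):
    """Return (priority, requirement) pairs for every unmet requirement, highest
    first. Priority = tier weight x severity, so the same missing control ranks
    higher for a supplier handling Confidential data than for one handling Public data."""
    weight = TIER_WEIGHT[risk_tier(profile["data_classes"])]
    gaps = [(weight * r.severity, r.name) for r in REQUIREMENTS if not r.met(profile)]
    return sorted(gaps, key=lambda g: (-g[0], g[1]))


def audit_supplier(profile):
    """Steps 4 and 5 of the deck's approach: document gaps, then decide report type.
    Assumed rule: High-tier suppliers with gaps get a formal audit report, others an advisory."""
    tier = risk_tier(profile["data_classes"])
    gaps = find_gaps(profile)
    return {"supplier": profile["name"], "tier": tier, "gaps": gaps,
            "report_type": "audit" if tier == "High" and gaps else "advisory"}


# Constructed sample profiles, not real suppliers.
CLAIMS_PROCESSOR = {
    "name": "Example Claims Processing Co.", "data_classes": ["Confidential", "Internal"],
    "annual_assessment": True, "security_officer": True, "screen_lock_minutes": 15,
    "laptops_used": True, "removable_media_disabled": True, "endpoint_firewall": True,
    "nist_transit_encryption": True, "incident_notification": True,
    "unapproved_subcontractors": ["Example Print Shop"],
}
MARKETING_FIRM = {
    "name": "Example Event Marketing LLC", "data_classes": ["Public", "Internal"],
    "annual_assessment": True, "security_officer": True, "screen_lock_minutes": 10,
    "laptops_used": False, "removable_media_disabled": False, "endpoint_firewall": True,
    "nist_transit_encryption": True, "incident_notification": True,
    "unapproved_subcontractors": [],
}

if __name__ == "__main__":
    for report in (audit_supplier(CLAIMS_PROCESSOR), audit_supplier(MARKETING_FIRM)):
        print(f"{report['supplier']}: tier={report['tier']}, report={report['report_type']}")
        for priority, gap in report["gaps"]:
            print(f"  [{priority}] {gap}")
```

Running it prints the claims processor as a High-tier supplier whose unapproved subcontractor and laptop use outrank its 15-minute lock timeout, and the marketing firm as a Low-tier supplier whose single gap (removable media) warrants an advisory rather than an audit. Replacing the attestation dictionaries with answers from the supplier security controls questionnaire turns the same logic into the "Rank results" step from the What Should Audit Do? slide.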
Audit Domain Coverage
- Organization
  - Controls in place to ensure that audit risks are identified and mitigated properly
  - Personnel policies in place regarding employee hiring, candidate background checks as permitted by applicable local laws, orientation, and training
- Physical Security and Environmental Controls
  - Building exterior and physical access security controls are in place to prevent unauthorized access (on and offshore)
  - Identification badge controls
  - Environmental safeguards
  - Safeguards surrounding the destruction and disposal of sensitive information
  - Physical access to the production area is restricted to prevent unauthorized access
  - Materials allowed to be brought into the workspace are limited based on supplier services provided

Audit Domain Coverage (continued)
- Workstation Security - controls are in place to:
  - secure sensitive data on computer workstations (on shore and off shore locations)
  - secure workstation assets and data
  - protect mobile computing assets such as tablet computers and mobile phones
- Logical/Data Access - general controls are in place to prevent unauthorized access to:
  - information resources (Internal)
  - computer resources (External)
Audit Domain Coverage (continued)
- Network and Server Security - controls are in place to:
  - detect and prevent network threats
  - apply security updates and harden settings for application and database servers
  - identify, escalate, and track security incidents until resolution
  - ensure that remote or wireless access to the network is disabled or securely controlled
  - Technical safeguards are in place for data in transit and data at offshore supplier locations
- Change Management and Regulatory Compliance
  - Change management controls are in place to ensure that only authorized, tested, and documented changes are made to the system
  - Organizational controls are in place to monitor and track compliance
  - HIPAA and security awareness training is communicated to employees

Audit Domain Coverage (continued)
- Corporate Continuity Controls (BC/DR)
  - Business Continuity / Disaster Recovery (BC/DR) plans are established and in place
  - Data storage and backup activities occur on a scheduled basis and are available for file recovery and disaster recovery events
  - Controls are in place to ensure that computer equipment is disposed of and recycled securely
- Supplier Governance
  - Controls are in place to ensure that third parties the supplier has contracted with are adequately managed
Audit Implications
- Service level management
- Contractual requirements
- Data transmission controls
- Data security / privacy
- Continuity / availability of systems
- Operational controls
- Availability of SOC 1, SOC 2, ISO 17799
- Supplier internal audit function

Key Takeaways
1. As companies focus on core business practice, they outsource more functions to specialized suppliers; suppliers differ by industry: retailers, manufacturers, insurance, etc.
2. Most companies struggle with managing their suppliers; no one does it perfectly.
3. The solution requires an enterprise effort, required by increased focus from customers and regulatory agencies across all disciplines.
End of Presentation
Any questions?

Join #IIAChi
Institute of Internal Auditors
More informationAUDIT COMMITTEE OF THE BOARD OF DIRECTORS OF THE TORONTO-DOMINION BANK CHARTER
AUDIT COMMITTEE OF THE BOARD OF DIRECTORS OF THE TORONTO-DOMINION BANK CHARTER ~ ~ Supervising the Quality and Integrity of the Bank's Financial Reporting ~ ~ Main Responsibilities: overseeing reliable,
More informationIntegrating COSO s Fraud Risk Management Guide on an Enterprise Scale
Integrating COSO s Fraud Risk Management Guide on an Enterprise Scale September 15, 2017 Vincent Walden Partner EY Atlanta Delores White Director, Internal Audit Southern Company Scott Hulsey Chief Compliance
More informationData protection in light of the GDPR
Data protection in light of the GDPR How to protect your organization s most sensitive data Why is data protection important? Your data is one of your most prized assets. Your clients entrust you with
More informationGDPR and Canadian organizations: Addressing key challenges GDPR and Canadian organizations: Addressing key challenges
GDPR and Canadian organizations: Addressing key challenges GDPR and Canadian organizations: Addressing key challenges Cyber Risk 1 GDPR and Canadian organizations: Addressing key challenges The regulation
More informationGUIDELINES FOR IMPLEMENTING A PRIVACY MANAGEMENT PROGRAM For Privacy Accountability in Manitoba s Public Sector
GUIDELINES FOR IMPLEMENTING A PRIVACY MANAGEMENT PROGRAM For Privacy Accountability in Manitoba s Public Sector TABLE OF CONTENTS INTRODUCTION... 2 Accountable privacy management 2 Getting started 3 A.
More informationREQUEST FOR PROPOSAL FOR INFORMATION TECHNOLOGY SERVICES
REQUEST FOR PROPOSAL FOR INFORMATION TECHNOLOGY SERVICES 2018-003 Pines Behavioral Health 200 Vista Drive Coldwater MI Phone 517-278-2129 1 NOTICE REGARDING DISCLOSURE OF CONTENTS OF DOCUMENT All responses
More informationIT Framework Memorandum. For. Supervised Institutions
CENTRALE BANK VAN CURAÇAO EN SINT MAARTEN (Central Bank) IT Framework Memorandum For Supervised Institutions WILLEMSTAD, Updated version April 2011 IT Framework Memorandum for Supervised Institutions 1.
More information4A s Client Audit Guidance
4A s MSA Guidance Series January 2017 4A s Client Audit Guidance A Guidance Directive from the American Association of Advertising Agencies 4A s Client Audit Guidance A Guidance Directive from the American
More informationERP IMPLEMENTATION RISK
ERP IMPLEMENTATION RISK Kari Sklenka-Gordon, Director at RSM National ERP Risk Advisory Leader March 2017 2015 2016 RSM US LLP. All Rights Reserved. Speaker Kari Sklenka-Gordon National RSM ERP Risk Advisory
More informationTier I assesses an institution's process for identifying and managing risks. Tier II provides additional verification where risk is eviden
Appendix A: Examination Procedures EXAMINATION OBJECTIVE: Determine the quality and effectiveness of the organization's business continuity planning process, and determine whether the continuity testing
More informationOhio Public Employees Retirement System. Request for Proposal
Ohio Public Employees Retirement System For: Consulting Services for Development of the Business Intelligence & Analytics Office Date: 9/11/2017 Project Name: Business Intelligence & Analytics Program
More informationPART THREE: Work Plan and IV&V Methodology (RFP 5.3.3)
PART THREE: Work Plan and IV&V Methodology (RFP 5.3.3) 3.1 IV&V Methodology and Work Plan 3.1.1 NTT DATA IV&V Framework We believe that successful IV&V is more than just verification that the processes
More informationUnderstanding Internal Controls Office of Internal Audit
Understanding Internal Controls Office of Internal Audit July 2015 Objectives for this manual Provide guidance to help management understand their responsibility to ensure that internal controls are established,
More informationBuilding and Maintaining a Business Continuity Program
Building and Maintaining a Business Continuity Program Successful strategies for financial institutions for effective preparation and recovery 1 Building and Maintaining a Business Continuity Program Table
More informationCarahsoft End-User Computing Solutions Services
Carahsoft End-User Computing Solutions Services Service Description Horizon View Managed Services Gold Package Managed Services Packages Options # of Desktops to be Managed Desktop Type Duration of Services
More informationThe General Data Protection Regulation (GDPR): Getting in good shape for the deadline Copenhagen, 19 September 2017 Janus Friis Bindslev Partner,
The General Data Protection Regulation (GDPR): Getting in good shape for the deadline Copenhagen, 19 September 2017 Janus Friis Bindslev Partner, Deloitte, Cyber Advisory Table of Contents Introduction
More informationAnalysis of ISO 9001:2015 against the ICoCA Certification Assessment Framework
Analysis of ISO 9001:2015 against the ICoCA Certification Assessment Framework As detailed in the ICoCA Certification Procedure, the Board of Directors assesses and recognizes standards for potential recognition
More informationKPMG s Major Projects Advisory Project Leadership Series: Stakeholder Management and Communication
KPMG Global Energy Institute KPMG International KPMG s Major Projects Advisory Project Leadership Series: Stakeholder Management and Communication Stakeholder management and communication is critical to
More informationThe Case for Outsourcing Accounts Payable
Presented by Lynn Belletti BNY Mellon Transaction Processing Director The & Procure-To-Pay Conference & Expo is produced by: The world is changing. How will you respond to the new pressures of regulatory
More informationTriple C Housing, Inc. Compliance Plan
Triple C Housing, Inc. Compliance Plan Adopted by Board of Directors on draft November 13, 2014 Overview Triple C Housing, Inc. is committed to its consumers, employees, contractual providers, vendors,
More informationInformation Technology Risks in Today s Environment
Information Technology s in Today s Environment - Traci Mizoguchi Enterprise Services Senior Manager, Deloitte & Touche LLP Agenda Overview Top 10 Emerging IT s Summary Q&A 1 Overview Technology continues
More informationCORE VALUES AND CODE OF CONDUCT
CORE VALUES AND CODE OF CONDUCT CORE VALUES AND CODE OF CONDUCT Colorado Access, its subsidiaries and affiliated entities, are dedicated to providing access to high quality healthcare services to members
More informationBENEFITS OF AN EFFECTIVE OUTSOURCING STRATEGY. March 1, 2017
BENEFITS OF AN EFFECTIVE OUTSOURCING STRATEGY March 1, 2017 RSM overview Fifth largest audit, tax and consulting firm in the U.S. Over $1.6 billion in revenue 80 cities and more than 8,000 employees in
More informationITS Service Level Agreement
SAN JACINTO COMMUNITY COLLEGE DISTRICT ITS Document Owner: ITS Customer Care 01/10/2012 Change Log: Revision Number Date Changes By PG5-SEC5.3 1/7/2015 Norberto Valladares PG5-SEC5.3 2/25/2015 Norberto
More informationTHE UNIVERSITY OF TEXAS-PAN AMERICAN OFFICE OF AUDITS & CONSULTING SERVICES. Department of Communication Report No
THE UNIVERSITY OF TEXAS-PAN AMERICAN OFFICE OF AUDITS & CONSULTING SERVICES Report No. 15-02 OFFICE OF INTERNAL AUDITS THE UNIVERSITY OF TEXAS - PAN AMERICAN 1201 West University Drive Edinburg, Texas
More informationEnterprise Compliance Management for Credit Unions
Enterprise Compliance for Credit Unions Streamline Regulatory Compliance with a Unified Platform to Manage Requirements and Demonstrate Compliance to Regulators Industry Challenge Credit unions are subject
More informationClickStaff Orientation Training. Presented to: Contingent Workers Presented by: <Supplier ABC> Version Effective Date: June 20, 2012 Version: 8FINAL
ClickStaff Orientation Training Presented to: Contingent Workers g Presented by: Version Effective Date: June 20, 2012 Version: 8FINAL Housekeeping reminders Session will take about 15-20
More informationContract Risk and Compliance & Warranty Fraud. David Maberry Chief Risk Officer American Fidelity Assurance Company
Contract Risk and Compliance & Warranty Fraud David Maberry Chief Risk Officer American Fidelity Assurance Company Who am I and Why Am I Here? David Maberry is the Chief Risk Officer for American Fidelity
More informationAIST Investment Manager Operational Due Diligence Guidance Note February Investment Manager Operational Due Diligence Review Process
AIST Investment Manager Operational Due Diligence Guidance Note February 2017 Introduction The Australian Prudential Regulatory Authority (APRA) regularly communicates its expectations with the entities
More informationProven Strategies for Overcoming Business Continuity Challenges for Healthcare Organizations
Proven Strategies for Overcoming Business Continuity Challenges for Healthcare Organizations Kathy Lee Patterson, CBCP Business Continuity & Disaster Recovery Manager Children's Hospital of Philadelphia
More informationAgenda. Enterprise Risk Management Defined. The Intersection of Enterprise-wide Risk Management (ERM) and Business Continuity Management (BCM)
The Intersection of Enterprise-wide Risk (ERM) and Business Continuity (BCM) Marc Dominus 2005 Protiviti Inc. EOE Agenda Terminology and Process Introductions ERM Process Overview BCM Process Overview
More informationCompetency Area: Business Continuity and Information Assurance
Competency Area: Business Continuity and Information Assurance Area Description: Business Continuity and Information Assurance competency area mainly concerns the continuity, auditing and assurance of
More informationUniversity Internal Audit
University Internal Audit Compliance Audit Overview Bill Abplanalp Audit Manager Agenda Introductions What is Internal Audit Compliance Review Questions Internal Audit Mission Provide independent, objective
More informationHITRUST CSF Assurance Program
HITRUST CSF Assurance Program Common healthcare industry approach for assessing security and reporting compliance Background and challenges Compliance requirements for healthcare organizations and their
More information6 Ways To Protect Your Business From Data Breaches in 2017
6 Ways To Protect Your Business From Data Breaches in 2017 Alaskan-owned company providing Paper Shredding & Hard Drive Destruction Services. We serve all of Southcentral Alaska with professional, secure,
More informationPERSONAL DATA SECURITY GUIDANCE FOR MICROENTERPRISES UNDER THE GDPR
PERSONAL DATA SECURITY GUIDANCE FOR MICROENTERPRISES UNDER THE GDPR The General Data Protection Regulation ( the GDPR ) significantly increases the obligations and responsibilities of organisations and
More informationDATA PROTECTION POLICY
DATA PROTECTION POLICY 1. Introduction This policy sets out how The Robert Gordon University shall comply with the requirements of the Data Protection Act 1998 and was created with reference to the JISC
More informationData Privacy Policy for Employees and Employee Candidates in the European Union
Data Privacy Policy for Employees and Employee Candidates in the European Union This Data Privacy Policy is effective as of February 1, 2014 1. Data Privacy Policy Overview 1.1 Under Armour, Inc. (the
More informationCORROSION MANAGEMENT MATURITY MODEL
CORROSION MANAGEMENT MATURITY MODEL CMMM Model Definition AUTHOR Jeff Varney Executive Director APQC Page 1 of 35 TABLE OF CONTENTS OVERVIEW... 5 I. INTRODUCTION... 6 1.1 The Need... 6 1.2 The Corrosion
More informationTAG Certified Against Fraud Guidelines. Version 1.0 Released May 2016
TAG Certified Against Fraud Guidelines Version 1.0 Released May 2016 About the TAG Certified Against Fraud Program The mission of the TAG Certified Against Fraud Program is to combat fraudulent non-human
More informationITSM Process/Change Management
ITSM Process/Change Management Process Documentation Revision Date: December 13, 2017 Version Number: 2.0 Document Ownership Document Owner Maury Collins Revision History ITSM Role, Department Service
More informationComparison Matrix ISO 9001:2015 vs ISO 9001:2008
Comparison Matrix ISO 9001:2015 vs ISO 9001:2008 Description: This document is provided by American System Registrar. It shows relevant clauses, side-by-side, of ISO 9001:2008 standard and the ISO 9001:2015
More informationDraft Internal Audit Plan for Institute of Technology Blanchardstown 2017
Draft Internal Audit Plan for Institute of Technology Blanchardstown 2017 Contents 1. Introduction and Approach 4 2. Principal Risks 5 3. Proposed areas of focus for Internal Audit 6 4. Draft Internal
More informationThese guidelines describe how Hamilton College approaches the development, measurement and management of information security. Version 3.03.
These guidelines describe how Hamilton College approaches the development, measurement and management of information security. Version 3.03 Page 1 1. Introduction 4 1.1 Overview 4 1.2 The Information Security
More informationPREDICTIVE INTELLIGENCE SECURITY, PRIVACY, AND ARCHITECTURE
PREDICTIVE INTELLIGENCE SECURITY, PRIVACY, AND ARCHITECTURE Last Updated: May 6, 2016 Salesforce s Corporate Trust Commitment Salesforce is committed to achieving and maintaining the trust of our customers.
More informationBPO Service Level Agreement
BPO Service Level Agreement Versión / Version: 2.3 Código Documento / Document Code: AVSP-BPO-OD-001-SLA Fecha Emisión / Distribution Date: November 30, 2014 Elaboró / Created by: Revisó / Reviewed by:
More informationNTT DATA Service Description
NTT DATA Service Description NTT DATA Managed Services for Microsoft Azure Site Introduction NTT DATA is pleased to provide NTT DATA Managed Services for Microsoft Azure Site (the Service(s) ) in accordance
More informationINFORMATION SERVICES FY 2018 FY 2020
INFORMATION SERVICES FY 2018 FY 2020 3-Year Strategic Plan Technology Roadmap Page 0 of 14 Table of Contents Strategic Plan Executive Summary... 2 Mission, Vision & Values... 3 Strategic Planning Process...
More informationPCI COMPLIANCE PCI COMPLIANCE RESPONSE BREACH VULNERABLE SECURITY TECHNOLOGY INTERNET ISSUES STRATEGY APPS INFRASTRUCTURE LOGS
TRAILS INSIDERS LOGS MODEL PCI Compliance What It Is And How To Maintain It PCI COMPLIANCE WHAT IT IS AND HOW TO MAINTAIN IT HACKERS APPS BUSINESS PCI AUDIT BROWSER MALWARE COMPLIANCE VULNERABLE PASSWORDS
More informationLevel 3 Diploma in Management. Qualification Specification
Qualification Specification ProQual 2017 Contents Page Introduction 3 Qualification profile 3 Qualification structure 4 Centre requirements 6 Support for candidates 6 Assessment 7 Internal quality assurance
More informationGuidance Note: Corporate Governance - Audit Committee. March Ce document est aussi disponible en français.
Guidance Note: Corporate Governance - Audit Committee March 2015 Ce document est aussi disponible en français. Applicability The Guidance Note: Corporate Governance Audit Committee (the Guidance Note )
More informationAUDIT COMMITTEE CHARTER
- 1 - AUDIT COMMITTEE CHARTER I. ROLE AND OBJECTIVES The Audit Committee is a committee of the Board of Directors (the "Board") of Pembina Pipeline Corporation (the "Corporation") to which the Board has
More informationSUPPLIER CODE OF BUSINESS ETHICS AND CONDUCT
Compliance with Laws We expect our suppliers to maintain full compliance with all laws and regulations applicable to their business. When conducting international business, or if their primary place of
More informationCOBIT Control Assessment Questionnaire
The key to maintaining profitability in a technologically changing environment is how well you maintain control. COBIT's Control Objectives provides the critical insight needed to delineate a clear policy
More informationGuidelines for Information Asset Management: Roles and Responsibilities
Guidelines for Information Asset Management: Roles and Responsibilities Document Version: 1.0 Document Classification: Public Published Date: April 2017 P a g e 1 Contents 1. Overview:... 3 2. Audience...
More informationInsurance Outsourcing Services
BUSINESS PROCESS OUTSOURCING INSURANCE Insurance Outsourcing Services Delivering Measurable Results 2 Introduction Insurers want to keep pace with emerging industry trends and adapt quickly to new market
More informationIT Due Diligence UNCOVER ISSUES AND PREPARE FOR ACTION
IT Due Diligence UNCOVER ISSUES AND PREPARE FOR ACTION There s perhaps no segment of business operations that s evolving and changing as rapidly as information technology (IT). As IT impacts nearly every
More informationOCI Mitigation Plan SAMPLE for IDIQ contract
OCI Mitigation Plan SAMPLE for IDIQ contract Company (Authorized Signatory) Company Vice President (or equivalent level) i TABLE OF CONTENTS Section Description Page I. Organizational Conflict of Interest
More informationCERTIFIED ADMINISTRATOR OF SCHOOL FINANCE AND OPERATIONS
SFO SCHOOL FINANCE AND OPERATIONS CERTIFIED ADMINISTRATOR OF SCHOOL FINANCE AND OPERATIONS SFO Exam Guidebook ASBO International s certification program is governed by the Certification Commission, a semi-independent
More informationSTANDARD SUPPORT SERVICE FOR LARGE BUSINESS CUSTOMERS SOLUTION DESCRIPTION
STANDARD SUPPORT SERVICE FOR LARGE BUSINESS CUSTOMERS SOLUTION DESCRIPTION Table of Contents 1. INTRODUCTION 3 2. PROVISIONING 3 3. DEVICE AND ACCESSORY ORDERING 4 4. SUPPORTING DEVICE SOFTWARE 5 5. ACCOUNT
More informationTHE BODY OF KNOWLEDGE FOR MEDICAL PRACTICE MANAGEMENT A FRAMEWORK FOR SUCCESS
THE BODY OF KNOWLEDGE FOR MEDICAL PRACTICE MANAGEMENT A FRAMEWORK FOR SUCCESS It s a direct reference to what we do on a daily basis, of what you need to know... Professionals demonstrate that knowledge
More informationRSA ARCHER IT & SECURITY RISK MANAGEMENT
RSA ARCHER IT & SECURITY RISK MANAGEMENT INTRODUCTION Organizations battle growing security challenges by building layer upon layer of defenses: firewalls, anti-virus, intrusion prevention systems, intrusion
More informationHITRUST CSF Assurance Program. The Common Healthcare Industry Approach for Assessing Security and Reporting Compliance
The Common Healthcare Industry Approach for Assessing Security and Reporting Compliance February 2017 Contents Background and Challenges.... 3 Improving Risk Management While Reducing Cost and Complexity...
More informationReport on controls over Devon Funds Management Limited s investment management services. For the period from 1 January 2014 to 31 December 2014
Report on controls over Devon Funds Management Limited s investment management services For the period from 1 January 2014 to 31 December 2014 Description of Investment Management Services, Controls
More informationInternal Control Questionnaire and Assessment
Bureau of Financial Monitoring and Accountability Florida Department of Economic Opportunity September 30, 2017 107 East Madison Street Caldwell Building Tallahassee, Florida 32399 www.floridajobs.org
More informationS12 - Guidelines for Planning an IS Audit Christopher Chung
S12 - Guidelines for Planning an IS Audit Christopher Chung IS Auditing Guidelines for Planning an IS Audit Session Objectives Agenda Information Systems Audit Planning and Scoping o Understanding Business
More informationCORPORATE QUALITY MANUAL
Corporate Quality Manual Preface The following Corporate Quality Manual is written within the framework of the ISO 9001:2008 Quality System by the employees of CyberOptics. CyberOptics recognizes the importance
More information