Best Practices: Vendor Risk Questionnaires PROCESSUNITY WEBINAR SERIES



2 Today's Presenters
- Tom Garrubba, Senior Director, Shared Assessments
- Bryan Burnhart, Head of Strategic Alliances, ProcessUnity
- Ed Thomas, Vice President of Marketing, ProcessUnity
ProcessUnity, Inc. All Rights Reserved.

3 About ProcessUnity: Risk & Compliance Simplified
Risk & Compliance Automation: Third-Party Risk Management; Policy & Procedure Management; Risk Management; Compliance Management.
84% revenue growth (2016); 3X customer growth (2016). HQ: Concord, Massachusetts. Founded 2003.

4 The Shared Assessments Program: The Trusted Source in Third Party Risk Assurance (July 19, 2017)

5 WHAT IS SHARED ASSESSMENTS?

6 What is Shared Assessments? Shared Assessments: the trusted source in third party risk assurance. A member-driven, industry-standard body with thought leadership, best practices and tools that inject thoroughness, consistency, efficiency and cost savings into the control assessment process. 2017 The Santa Fe Group, Shared Assessments Program. All Rights Reserved.

7 What is Shared Assessments?
In 2005: six members of the financial services industry, accounting's Big 4, and key industry service providers.
The goal: ease the burden on both outsourcers and third parties, streamline the vendor evaluation process, and create an industry standard.
The result: the Shared Assessments Program. The Santa Fe Group is the managing agency that oversees the Shared Assessments Program.

8 Establishing Global Standards
Shared Assessments today: 250+ members, thousands of tool users, multi-industry, global.
Program tools and standards:
- Standardized Information Gathering (SIG) questionnaire
- Shared Assessments Agreed Upon Procedures (AUP)
- Vendor Risk Management Maturity Model (VRMMM)
Continued promotion of operational efficiency:
- Collaborative onsite assessments: industry peers brought together to assess a common service provider
- Frequently results in removal of intensive, multiple and overlapping information requests, simplifying the assessment process

9 Members and Licensees
Shared Assessments members include international organizations of all sizes that understand the importance of comprehensive standards for managing risk: best-in-class members of a global community of third party risk management experts who understand the value of implementing efficient and effective industry-standard practices for third party risk management.
Shared Assessments is proud to have ProcessUnity as part of the Shared Assessments family!

10 Evolving Regulatory Landscape of TPRM
- Apr 1993: AICPA SAS (proprietary vendor assessment techniques, continuing to the present)
- Aug 1996: Health Insurance Portability and Accountability Act (HIPAA)
- Jul 2001: Gramm-Leach-Bliley Act (GLBA)
- Nov 2001: OCC Third Party Relationships
- May 2002: OCC Foreign Third Party Service Providers
- Various states: Privacy Breach Notification Laws
- Jul 2005: Shared Assessments established; SIG and AUP
- Jun 2008: FDIC FIL Guidance for Managing Third Party Risk
- Jan 2011: PCI DSS v2.0 (Payment Card Industry Data Security Standard)
- Jun 2011: SOC Reporting
- Jan 2012: FDIC FIL Payment Processor Relationships, Revised Guidelines
- Oct 2013: OCC Third Party Relationships: Risk Management Guidance. The Office of the Comptroller of the Currency (OCC) defines a third party relationship as any business arrangement between a bank and another entity, by contract or otherwise; and it expects a bank to practice effective risk management, regardless of whether the bank performs the activity internally or through a third party.
- Dec 2013: FRB SR Guidance on Managing Outsourcing Risk
- Jan 2015: The Santa Fe Group / Shared Assessments Collaborative AUP
- Feb 2015: SEC OCIE and FINRA Report on Cyber Security
- Feb 2015: FFIEC Information Technology Examination Handbook: New Appendix for Business Continuity Planning Booklet
- May 2015: PCI DSS v3.0
- Jun 2015: FFIEC Cybersecurity Assessment Tool
- Jul 2015: SOC 2+
- Nov 2015: FFIEC Information Technology Handbook: Revised Management Booklet
- Jun 2016: OCC Cybersecurity of Interbank Messaging and Wholesale Payment Networks: FFIEC Statement
- Jun 2016: FDIC FIL Information Technology Risk Examination (InTREx) Program
- Sep 2016: FFIEC Press Release: Revised Information Security Booklet
- Feb 2017: OCC Third Party Relationships: Supplemental Examination Procedures
- Mar 2017: NYS DFS 23 NYCRR 500 Cybersecurity Requirements for Financial Services Companies
- May 2017: AICPA Attestation Standards SSAE
- Jun 2017: OCC Frequently Asked Questions to Supplement OCC

11 The Challenge: Third Party Risk Extends to All Outsourcers and Verticals
- Executive Perspectives on Risks for 2017 shows third party risk is rapidly escalating as a major business concern
- 63% of data breaches investigated globally were linked to a third party component
- Third party involvement is shown to increase data breach cost per record from $158 to $172
- New sectors have joined the financial sector in high frequency of cyberattacks, notably Gaming, Information Technology and IT services, Public Utilities, Professional Services and Healthcare

12 Program Tools
Standardized Information Gathering (SIG):
- Developed using ISO 27001/2 for the framework methodology. Among the regulations and standards the SIG corresponds to are OCC, FRB, ISO, PCI DSS, HIPAA/HITECH, NIST CSF and FFIEC guidance.
- Provides a complete picture of service provider controls.
- Scoring capability for response analysis and reporting.
- Developed to be a standardized and repeatable process.
Agreed Upon Procedures (AUP):
- Developed using ISO 27001/2 for the framework methodology. The Shared Assessments AUP provides objective, robust, repeatable, consistent, control-by-control procedures to establish the presence or absence of specific controls.
- Factually based reporting, which does not provide an opinion.
- Objective test of controls, validation of third party self-assessment(s) and report of results.
- Companies view control-by-control results in the context of their own unique third party risk management requirements.
Vendor Risk Management Maturity Model (VRMMM):
- Developed to allow companies to benchmark third party risk management programs against industry and against their own progress over time.
- Rates maturity levels from 0 to 5, from Non-existent to Continuous Improvement.
- Gauges the market through an annual benchmarking study led by Shared Assessments and Protiviti.

13 For More Discussion: Tom Garrubba; CISA, CRISC, CIPT, CTPRP; Senior Director, The Santa Fe Group / Shared Assessments Program

14 Questions

15 Automating the SIG: ProcessUnity Vendor Cloud

16-17 How Automation Can Help: Streamline Assessments with Industry-Standard Best Practices
Information Security, Privacy, Business Continuity, and Compliance dominate examiners' coverage areas and are typically the greatest areas of risk.
Trust, Verify, Monitor:
- SIG Full content (1695 questions)
- SIG Lite content (141 questions)
- AUP content (~100 controls)
- VRMMM content (~100 questions)
Benefits:
- Speed questionnaire development
- Improve assessment accuracy, shorten response times
- Automate scoring, review and reporting
SIG = Standardized Information Gathering; AUP = Agreed Upon Procedures; VRMMM = Vendor Risk Management Maturity Model

18 Third-Party Risk Lifecycle Support
- Onboarding: establish an enterprise-wide process to introduce potential providers
- Due Diligence: enforce objectivity within your vendor due diligence process
- Self-Assessments: streamline the assessment process while reducing potential errors
- On-Site Control Assessments: systematically conduct and document on-site control assessments
- Performance Reviews: manage performance reviews in a consistent, manageable process
- Contract Reviews: create a unified process for contract management
- SLA Monitoring: document KPIs, monitor activity and record observations
- Issue Management: implement a formal process for tracking vendor issues

19 Complete Due Diligence Process: A Reasonable Program Must
- Involve the Business: equip the business to request a vendor certification from the VRM team
- Reflect Business Policy: establish and adhere to corporate guidelines for the acceptance or restriction of business
- Collect and Inspect Data: facilitate assessments to be completed by both the business and the vendor
- Classify Vendors: use established criteria (e.g. financial, information security, reputational, BCP/DR, physical security, legal, privacy, country, compliance, and technology)

20 Due Diligence Process
1. New Vendor Request: business requests a new service
2. Begin Due Diligence: Vendor Manager initiates due diligence; Vendor Manager determines due diligence level
3. Vendor Assessment: vendor completes questionnaire; vendor uploads appropriate documentation; Vendor Analyst reviews the results
4. Due Diligence Complete: Vendor Manager reviews vendor scorecard; Vendor Manager provides final recommendations

21 Due Diligence Process Leveraging SIG & SIG Lite
1. New Vendor Request: business requests a new service
2. Begin Due Diligence: Vendor Manager initiates due diligence; Vendor Manager determines due diligence level
3. Vendor Assessment: vendor completes SIG or SIG Lite questionnaire; vendor uploads appropriate documentation; Vendor Analyst reviews the results
4. Due Diligence Complete: Vendor Manager reviews vendor scorecard; Vendor Manager provides final recommendations

22 ProcessUnity + Shared Assessments = Integrated Due Diligence
1. IMPORT: customer uploads any version of the SIG (including Section Z) to ProcessUnity with a single click.
2. CONFIGURE: customer applies scoring rules, assigns owners, sets schedules, determines the scope and creates reports.
3. DISTRIBUTE: ProcessUnity distributes the SIG-based assessment to vendors via the Vendor Portal.
4. COLLECT RESPONSES: vendors can respond in one of three ways:
   1. Upload their completed SIG (any version); ProcessUnity automatically populates the assessment and allows the vendor to make response modifications before submitting.
   2. Download the SIG-based assessment in Excel, complete it, then upload the responses.
   3. Complete the SIG-based assessment online via ProcessUnity's easy-to-use interface.
5. ASSESS: based on the customer's configuration, ProcessUnity auto-scores vendor responses and highlights areas of concern.
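Slides 19 through 22 describe classifying a vendor, picking a due diligence level (full SIG or SIG Lite), collecting questionnaire responses and auto-scoring them against configured scoring rules so that areas of concern stand out. The Python below is an added example of what such scoring logic looks like end to end; it is not ProcessUnity's or Shared Assessments' code. The questions, domain names, weights, the 70% concern threshold and the classification rule are all constructed for illustration and are not the real SIG content.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Question:
    qid: str
    domain: str
    text: str
    preferred: str      # the answer the assessing organisation wants to see
    weight: int         # 1 = low, 2 = medium, 3 = critical control
    lite: bool = False  # True if the question also belongs to the short (Lite) subset


@dataclass(frozen=True)
class Finding:
    qid: str
    domain: str
    severity: str       # High / Medium / Low, or Review for N/A answers
    note: str


# Constructed sample questions (hypothetical; the domain names echo common SIG
# themes, but the wording and weights are not the real SIG content).
QUESTIONS = [
    Question("A.1", "Risk Management", "Is there a documented information security risk assessment program?", "Yes", 2, lite=True),
    Question("D.1", "Asset Management", "Is an inventory of systems that store scoped data maintained?", "Yes", 2),
    Question("H.1", "Access Control", "Is multi-factor authentication required for remote administrative access?", "Yes", 3, lite=True),
    Question("H.2", "Access Control", "Are user access rights reviewed at least quarterly?", "Yes", 2),
    Question("I.1", "Application Security", "Is scoped data encrypted in transit with TLS 1.2 or higher?", "Yes", 3, lite=True),
    Question("K.1", "Business Continuity", "Is the business continuity plan tested at least annually?", "Yes", 2, lite=True),
    Question("L.1", "Compliance", "Has a SOC 2 Type II report been issued within the last 12 months?", "Yes", 1),
]

SEVERITY = {3: "High", 2: "Medium", 1: "Low"}
CONCERN_THRESHOLD = 70.0  # hypothetical: domains scoring below this are areas of concern


def questionnaire_scope(classification):
    """Hypothetical scoping rule: confidential data or a critical service gets the
    full questionnaire, everything else gets the Lite subset."""
    if classification.get("data_sensitivity") == "confidential" or classification.get("critical_service"):
        return "SIG"
    return "SIG Lite"


def questions_in_scope(scope):
    return [q for q in QUESTIONS if scope == "SIG" or q.lite]


def score_responses(questions, responses):
    """Score responses against preferred answers, weighted by control criticality.

    Unanswered questions score zero (a blank is not evidence of a control).
    'N/A' answers are left out of the denominator so they do not distort the
    percentage, but each one raises a Review finding: the reviewer must validate
    the justification, otherwise a vendor could answer N/A to dodge a low score.
    """
    earned = possible = 0
    domain_totals = {}  # domain -> [earned, possible]
    findings = []
    for q in questions:
        answer = (responses.get(q.qid) or "").strip()
        totals = domain_totals.setdefault(q.domain, [0, 0])
        if answer.lower() == "n/a":
            findings.append(Finding(q.qid, q.domain, "Review", "answered N/A; justification must be validated"))
            continue
        totals[1] += q.weight
        possible += q.weight
        if answer.lower() == q.preferred.lower():
            totals[0] += q.weight
            earned += q.weight
        elif not answer:
            findings.append(Finding(q.qid, q.domain, SEVERITY[q.weight], "unanswered; scored as non-compliant"))
        else:
            findings.append(Finding(q.qid, q.domain, SEVERITY[q.weight], f"answered '{answer}', preferred '{q.preferred}'"))
    domain_scores = {d: (round(100 * e / p, 1) if p else None) for d, (e, p) in domain_totals.items()}
    # A domain with nothing scorable (all N/A) is also flagged: there is no evidence to rely on.
    concerns = sorted(d for d, s in domain_scores.items() if s is None or s < CONCERN_THRESHOLD)
    return {
        "overall": round(100 * earned / possible, 1) if possible else None,
        "domains": domain_scores,
        "findings": findings,
        "areas_of_concern": concerns,
    }


def assess_vendor(classification, responses):
    """Determine the due diligence level from the classification, then score."""
    scope = questionnaire_scope(classification)
    result = score_responses(questions_in_scope(scope), responses)
    result["scope"] = scope
    return result


# Constructed sample input: a vendor that will hold confidential data; H.2 is left blank.
SAMPLE_CLASSIFICATION = {"data_sensitivity": "confidential", "critical_service": False}
SAMPLE_RESPONSES = {"A.1": "Yes", "D.1": "No", "H.1": "Yes", "I.1": "yes", "K.1": "N/A", "L.1": "Yes"}

if __name__ == "__main__":
    r = assess_vendor(SAMPLE_CLASSIFICATION, SAMPLE_RESPONSES)
    print(f"scope={r['scope']} overall={r['overall']}% concerns={r['areas_of_concern']}")
    for f in r["findings"]:
        print(f"  [{f.severity}] {f.qid} ({f.domain}): {f.note}")
```

Two design points matter in practice. A blank answer is scored as non-compliant rather than skipped, and an N/A answer never earns credit silently; both are the places where a self-attested questionnaire can quietly inflate a score. The scorecard is still only the vendor's own statement: the AUP or an on-site control assessment is what turns a "Yes" into a tested control.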

23 Demonstration ProcessUnity Vendor Cloud

24 AUP Mapping

25 AUP Linkage to SIG & Regulatory Provisions

26 Automate Third-Party Risk
- Less Busy Work: automated emails, notifications, electronic questionnaires and scoring reduce tedious, manual tasks.
- Streamlined Vendor Assessments: automatically determine questionnaire scope and complete assessments for more vendors in less time.
- Better Reporting: interactive reports and dashboards provide real-time access to the state of third-party risk.
- Integration with Other Tools: connect external news feeds and enterprise systems for full visibility into vendor risk.

27 Risk & Compliance Simplified
- Cloud-Based: SaaS-based system features automatic system updates and upgrades and includes customer support.
- Easy-to-Use Interface: point-and-click interface, dashboards, alerts and online help make our tools the easiest to use.
- End-User Configurable: business users can configure our tools to fit their programs and processes without calling IT.
- Deploys Quickly: most customer implementations are completed within 30 days.
- Flexible Pricing: tiered pricing plans allow customers to purchase only the features, functions and licenses they need.

28 Vendor Cloud Pricing (*paid annually)
- Silver: $1700/month*, 5 users, 500 vendors
- Gold: $2800/month*, 15 users, 1000 vendors
- Platinum: $5400/month*, 30 users, 2000 vendors
- Custom: for solutions tailored to the needs of global enterprises. Our experts will work with you to understand the specific needs and requirements of your program, then develop a custom quote for your company.
Silver included capabilities: Vendors, Facilities & 4th Parties; Vendor Portal; Classification Assessments; Due Diligence Reviews; Performance Reviews; Contracts & Contract Reviews; Findings; Vendor Scoring; Preferred Responses; Unlimited Questionnaires; Standard Reports; Standard Properties; Standard Dashboards; up to 10 User Reports; up to 10 User Properties; up to 4 User Notifications; 4 Preconfigured Roles.
Gold includes all Silver capabilities plus: Vendor Services; Vendor Request Forms; Vendor Collaboration; Automated Assessments; Document Requests; Issue Management; Regulations & Standards; Projects; Test Environment; Import/Export; User Defined Hierarchy; Unlimited User Reports; Unlimited User Properties; Unlimited User Notifications; Unlimited Roles.
Platinum includes all Gold capabilities plus: On-site Controls Assessments; Controls Library; SLA Tracking; Incident Management; Risk Register; Process Library; Change Notices; Organizations; Certifications; External Components; Single Sign-on; MS Excel Connector.

29 Third-Party Risk Management: Pre-Assessment, Assessment, Ongoing Monitoring
Screens shown: Findings, Assessment Status, Issues, Dashboards.
Schedule Your Deep-Dive Demonstration