HOW TO AVOID THE DANGER OF WEAK CONTROLS IN THIRD-PARTY RISK MANAGEMENT


E-Guide, SearchSecurity

Security expert Michael Cobb explains how to put in place additional safeguards to protect the systems and data that trusted partners are given access to.

Michael Cobb

Closer relationships with third-party vendors can improve and streamline business operations. But when service providers and contractors are given access to systems containing protected information, or handle sensitive data sets such as customer records, third-party risk management is paramount. Due diligence in assessing those parties is crucial because an indemnity agreement can't realistically cover an organization's strategic, operational or reputational risks. And if the activities of a business partner or service provider put your data security efforts at risk of non-compliance, it's your company that's held accountable.

REVIEW THE RISKS

A third-party risk assessment helps you detect identity and access issues and identify the controls that need to be written into the contract as requirements. The review process covers risk identification, assessment, measurement and monitoring procedures. It should be completed before engaging the third-party vendor, not treated as a formality after the fact. Business partners or contractors with greater privileges or more autonomy to access internal resources and systems merit a more in-depth review than those with limited rights. The assessment should involve personnel from several teams, such as internal audit, procurement, compliance, legal counsel, and IT administration and security.

To speed up and simplify the assessment of tens, if not hundreds, of third-party vendors, it's best to have them complete standardized documentation. Thankfully, there's no need to develop this from scratch: the Shared Assessments Program (SAP), a paid membership organization founded in 2005 by financial institutions and accounting firms, offers numerous tools. These are available for purchase, or free with membership, and include documents used by companies of all sizes for consistency and cost efficiency in vetting third parties. Large service providers routinely complete these assessments, which are based on a "trust, but verify" model. By using SAP's Standardized Information Gathering (SIG) questionnaire, your organization can obtain the information necessary to conduct an initial assessment of a service provider's IT, privacy and data security controls.

You can filter the questionnaire by the service types provided by different third-party vendors; a how-to guide is available to help with this process. (There are also guides to help service providers respond to client-issued SIG questionnaires.) The SAP tools are based on international, federal and industry standards such as ISO/IEC 27001/27002, PCI DSS and HIPAA, and they are updated regularly: cloud security, mobile devices, fourth-party risk (the subcontractors your vendors in turn rely on) and software security were recently added, according to the organization's website.

Of course, self-assessments need verifying, because a questionnaire only records what the vendor says about itself. The Shared Assessments Agreed Upon Procedures (AUP) allow the answers a third party gives in the SIG questionnaire to be validated by your organization or by an independent assessment firm. They also set out the risk control areas to be evaluated as part of an onsite assessment and include a report template for collecting and reporting the results.

As part of any third-party review, it's important to establish whether security has genuine boardroom-level support. A good indicator of how serious a third-party vendor is about security is the quality of its privacy practices and training programs. Are employees required to participate in data privacy and security awareness training? How frequently are they required to take refresher courses? A well-rehearsed security incident response plan and annual external security assessments are other signs that security is taken seriously.

EVALUATE THE PROVIDERS

Management should use the assessment to evaluate how well a prospective service provider's controls protect systems and data. The assessment can also serve as a negotiating tool when discussing contractual obligations: knowing where the risk points are means additional safeguards can be requested to ensure sensitive data is properly protected. Documentation covering the risk assessment, the controls in place to mitigate the risks and the agreed-upon compliance monitoring should be signed off by the board and retained as a benchmark for future audits. Always ask for proof that the remediation actions arising from vulnerabilities identified in the security audit have actually been carried out. Assign an owner to each vendor relationship to oversee the monitoring process and check the vendor's adherence to the data protection and security standards set out in the contract.

Tools such as Brinqa Vendor Risk Management, a risk modeling and analytics framework, and Rsam, a web-based GRC platform, support SIG questionnaire content, making the review process more manageable. EMC's RSA Archer Vendor Management software also automates the oversight of third-party relationships and supports NIST's Open Checklist Interactive Language 2.0 (OCIL), a framework for interpreting responses to IT security checklists.

Finally, remember that assessing third-party vendors is not a one-time event. Managing third-party risk is a complex and time-consuming task, but with the right tools many aspects can be automated. Third-party risk assessment is an area of information security that needs greater focus; done well, it reduces the chances of a data breach and improves the overall security of identity and access on today's interconnected systems.

MICHAEL COBB, CISSP-ISSAP, is a renowned security author with over 20 years of experience in the IT industry. He co-authored the book IIS Security and has written many technical articles for SearchSecurity.com and other leading IT publications. He was formerly a Microsoft Certified Database Manager and a registered consultant with the CESG Listed Advisor Scheme (CLAS).
