Strengthening Vendor Risk Management Program


Strengthening Vendor Risk Management Program ACUIA Region 5 Fall Meeting Portsmouth, N.H. October 2017

PKF O'Connor Davies Risk Advisory Services
- Governance & Regulations
- Cyber-Security Risk Management & IT Strategy
- COSO 2013 Implementation
- Co-source or Outsource Internal Audit
- Data Governance and Data Analytics
- Enterprise Risk Management and Internal Control Reviews (Operations and IT)
- IIA Quality Assessment Reviews / Internal Audit Transformation
- Business and IT Policy Development
- Attest Engagements and Agreed-Upon Procedures
- HIPAA and PCI-DSS Gap Analysis
- IT Governance and Best Practices Review
- DMZ or Network Architecture Review / Firewall, Router and Switches Hardening Review
- DRP/BCP Assessment
- IT Security Vulnerability Assessments and Penetration Testing (Network and Web Application)
- Malware Analysis
- Wireless Network Assessment
- Privacy Assessments
- General Source Code Review (Java, .NET, PHP, Python, C, C++, Objective-C)
- Social Engineering (includes phishing)
- Business Continuity Assessments
- Project Management
- Service Organization Control (SOC 1) Reporting (SSAE 16 and ISAE 3402) Readiness Reviews and Attestations
- SOC 2 and 3 Readiness Reviews and Attestations (Trust Services Principles)
- IT Strategy (including IT and Business Strategic Alignment)
- Third Party Risk, Social Media and Cloud Risk Assessment

Learning Objectives
- Why you need a vendor risk management program
- Discuss the steps of a vendor risk management program
- Compare the intended uses of Service Organization Control reports and what to look for during the review

Vendor Risk Management
A process for assessing and managing risk associated with third party relationships. A third party relationship is any business arrangement between a financial institution and another entity, by contract or otherwise. The relationship includes activities that involve outsourced products and services, use of independent consultants, networking arrangements, merchant payment processing services, joint ventures, and other business arrangements where the financial institution has an ongoing relationship or may have responsibility for associated records.

Intertwining Risks
3rd Party Risk is intertwined with the following risk categories: Operational, Technology, Compliance, Business Continuity, Reputational, Financial and Strategic.

Cloud Responsibility (figure)
Source: http://pen-testing.sans.org/blog/2012/07/05/pentesting-in-the-cloud

Discussion with a Cloud Hosting Provider
- The client needs to communicate the organization's regulatory requirements
- Assign responsibilities to internal IT staff who have the technical knowledge
- Robust access management
- Do not rely on the service provider's policies and procedures
- Managing the data is the organization's responsibility

Discussion with a Cloud Hosting Provider (cont.)
- Clients should discuss network design with the provider
- Inquire whether standard or custom APIs are used to prevent vendor lock-out
- Inquire whether contract terms can be modified based on current and future needs
- Be responsive when a collaborative effort is needed to address an incident
- Review and address the SLA before going live

Who Should Be Involved in a Vendor Risk Management Program
- Procurement & Accounts Payable
- Information Technology
- Legal and Regulatory Compliance
- Risk Management
- Internal Audit (advisory role)

Continuous Vendor Risk Management
Lifecycle phases: Due Diligence / Planning, Risk Management, Contract Management, Monitoring, Termination, Governance
Ongoing activities:
- Manage & remediate vendor risk
- Evaluate vendor risk
- Report on vendor risk
- Identify & manage evidence
- Provide a risk rating for each vendor
- Create a schedule for review
- Identify triggers that would escalate the review

Governance
- Define the goals and appoint a champion
- Define organization structure & assign responsibilities
- Develop a vendor management policy
- Take a risk-based approach
- Vendor due diligence and monitoring process
- Escalation process
- Provide training

Elements of a Vendor Risk Management Policy
- Should outline staff responsibilities and authorities for vendor relationships and program oversight
- Should distinguish what is required for critical relationships versus non-critical relationships
- Should stipulate which employee(s) are authorized to sign contracts
- Should outline expectations and limitations of the vendor relationship

Initial Risk Assessment / Planning
- Ensure that the vendor relationship is consistent with the strategy and overall business needs
- Determine the short- and long-term goals, which should be measurable
- Create the criticality levels
- Assess the vendor based on the risk criteria
- Appoint a person to be responsible for the relationship
- Review all documentation (e.g. financials) and vendor responses
- Identify controls (i.e. reports, insurance, etc.)
- Establish an exit strategy / contingency plans

Risk Management
- Determine risk factors
- Conduct risk assessment
- Establish risk levels
- Collect data
- Address results with management
- Develop remediation steps and communicate them back to the vendor

Risk Factors in Evaluating Vendors
- New service to the credit union
- Material impact to revenue or expenses
- Impact to reputation
- Significant operations functions
- Sensitivity of the data
- Compliance and regulatory risk
- Impact to members

Contract Management
- Get key stakeholders and Legal involved (drafting, reviewing)
- Keep abreast of regulatory requirements and industry standards
- Maintain position on key contract requirements and language
- Establish KPIs and SLAs
- Have a process in place to modify and approve changes to contracts

Vendor Monitoring
- Track incidents and complaints
- Manage the vendor inventory
- Evaluate vendor onboarding and off-boarding
- Evaluate vendor value
- Have a process in place for the vendor to notify you of incidents (security breach, insolvency)

Monitoring Third Parties with a SOC Report

Service Organization Control 1 (SOC 1)
- Use: Restricted Use Report (Type I or II report)
- Purpose: Reports on controls for financial statement audits

Service Organization Control 2 (SOC 2)
- Use: Generally a Restricted Use Report (Type I or II report)
- Purpose: Reports on controls related to compliance or operations
- Trust Services Principles & Criteria: Security, Availability, Processing Integrity, Confidentiality, Privacy

Service Organization Control 3 (SOC 3)
- Use: General Use Report (with a public seal)
- Purpose: Reports on controls related to compliance or operations
- Trust Services Principles & Criteria: Security, Availability, Processing Integrity, Confidentiality, Privacy

Monitoring Third Parties with a SOC Report: questions to ask during the review
- Is this the right report?
- Are our location and service covered?
- Is it the correct period?
- What is the opinion in the Independent Auditor's Report?
- Did they use any subservice providers?
- Does the department have the appropriate internal controls to address the User Considerations section?
- Did they cover all the control objectives?
- Were the test steps sufficient?
- Evaluate the deviations.

Contact Info: Mark Bednarz, MS, CPA, CISA, CFE, PKF O'Connor Davies, LLP, Partner, Head of Risk Advisory. P: 646-449-6376, E: mbednarz@pkfod.com