Model Approach to Efficient and Cost-Effective Third-Party Assurance
- Alice Darleen Cross
CHALLENGES WITH THIRD-PARTY ASSURANCE

What's Driving Demand for Increased Assurance?
- Increasing risk posed by third parties
- Increasing cyber threat landscape
- Confusion: what is reasonable, appropriate or adequate?
- Growing compliance risk and liability: breach and legal costs; regulatory penalties
- Compliance effectiveness versus cost of compliance

Approach from Customer (Covered Entity)
- Request detailed information on the Business Associate or Vendor Security Program
  - Scope of information they receive
  - What was tested
  - How the information was vetted
- Require appropriate assurances
  - No consistency of request
  - Self-attestation and questionnaires
  - Proprietary assessments
  - Third-party audits
- Obtain assurances in a format they can understand and consume
(Slide diagram: one customer requesting assurances from several business partners.)

Response from Business Partners
- Negotiate requests they receive from their customers
  - Suggest alternative approaches
  - Complicates the contracting process due to unique security requirements
- Broad range of and inconsistent expectations for responses to questionnaires
  - Inability to effectively leverage responses across organizations
- Dedicate staff and funding to those requiring unique approaches
(Slide diagram: several customers, each with its own requirements and its own audit report, sending requests to each business partner.)

Implications of the Current Response
- Customers: requires significant resources to engage, negotiate and track assurances
- Business Partners:
  - Dedicates significant resources to respond to duplicative and redundant assurance requests
  - Incurs costs to comply with and satisfy requests and requirements
  - Creates inconsistency around acceptable standards of due diligence and due care
  - Distracts resources from other security-related programs
- Although addressed in many different ways, there are only so many privacy and security controls one can implement and assess

Universal Agreement that the Current Model is Broken
- There are no scenarios where performing 25, 50, 250 or more unique assessments (on the same scope) makes sense for a business partner to communicate its information privacy and security posture
- Nor does maintaining and supporting an organization-specific assessment methodology and performing assessments
- HITRUST has been working with organizations and business partners to identify a practical and implementable approach:
  - Common requirements
  - Uniform assessment process
  - Simplified reporting
  - More efficient and effective compliance process
Section 4: HOW HITRUST FACILITATES THIRD-PARTY ASSURANCE

Approach Taken in Healthcare Industry
- To minimize the cost, time and effort around third-party assurance, initially five (5) of the largest U.S. health plans notified industry of updates to their business associate and partner agreements, specifically use of the HITRUST CSF Assurance Program
  - HITRUST CSF certification or SOC 2 leveraging HITRUST CSF controls is required
  - 2-year implementation schedule
- Created the momentum to move the industry and vendor community

HITRUST CSF Assurance Program
- Provides a common set of information security and privacy requirements through the HITRUST CSF
- Provides standardized assessment and reporting processes
  - Improved efficiency
  - Lowered costs
- Helps ensure organizations can trust that their business partners are adequately protecting sensitive information through HITRUST's oversight and governance of the program
- For more information, see [links not captured in the transcription]

A Win-Win for Customers and Vendors
- Established a uniform set of expectations for communicating information privacy and security posture
- Reduced time and expense on redundant audits, assessments, and onsite reviews
- Reduced time and expense of procurement managing various assessment processes
- Facilitates a specific level of assurance around implemented controls
(Slide diagram: customers and business partners both working from the HITRUST CSF requirements, with one HITRUST assessment per business partner and the HITRUST Common Compliance Framework in the centre.)

The HITRUST Vendor/Business Associate Council
Provides healthcare vendors the opportunity to drive efficiency and effectiveness in third-party assurance.
- Arvato Digital Services
- Armor
- Availity
- Azure (Microsoft)
- Catalyze
- Change Healthcare
- Cognizant
- Dropbox
- Epic Systems
- Fiserv
- Healthedge
- HMS
- PDHI
- RR Donnelley
- Salesforce
- West Corporation
- Xerox Corporation

Vendor / Market Support
KEY ELEMENTS OF THE APPROACH

Transparency
The approach should be open and transparent.
- Requirements are agnostic for similar types of sensitive information
- Integrates relevant federal control baselines
- Incorporates industry leading practices
- Leverages threat-to-control relationships (leveraging the HITRUST Threat Catalogue)
- The entire program is publicly available and commonly understandable
  - Control framework / requirements
  - Assessment methodology / procedures
  - Scoring model

Accuracy
The approach should ensure accuracy in evaluation and reporting of the implemented controls.
- HITRUST uses a 5x5 control maturity and scoring model to evaluate the HITRUST CSF's control requirements
  - 5 maturity levels for each control requirement
  - 5 scoring levels for each control maturity level
- HITRUST also provides a scoring rubric for each maturity level

Consistency
The approach should ensure consistency in evaluation and reporting regardless of the specific assessor used.
- Extensive assessment guidance
  - General guidance for each maturity level
  - Specific guidance for each control
- HITRUST quality assurance review process
  - Applies to all third-party assessments
- Standardized reporting format

Scalability
The approach should be scalable enough to address the needs of the entire industry, while maintaining consistency and accuracy.
- Formal HITRUST CSF Assessor Program
  - HITRUST CSF trained staff
  - Experience/capabilities vetted by HITRUST
- Choose from a pool of certified HITRUST CSF Assessors to ensure the best fit and the best price
- The program is market-based: as demand for assurances increases, so does the pool of HITRUST CSF Assessor organizations

Efficiency
The approach should allow an organization to assess once and report many, i.e., an assessment must address multiple compliance and best practice requirements and support the reporting of assurances tailored to each requirement.
- HITRUST fully leverages the Assess Once, Report Many approach
  - Multiple security requirements (e.g., legal, regulatory)
  - One cybersecurity program
  - One targeted, cost-effective assessment that provides a reasonable level of assurance at a reasonable cost
  - Multiple reporting options from a single assessment

CSF Assurance: Degrees of Assurance
- CSF Self-Assessments can be conducted by the business associate
- CSF Validated or Certified assessments require third-party engagement

Reporting Options
Three report types are compared: (A) HITRUST CSF Report, (B) SOC 2 Report with HITRUST CSF, and (C) SOC 2 + HITRUST CSF Report.
- Type of report (relevant standard)
  - A: HITRUST CSF Assurance
  - B: AT101
  - C: AT101 + HITRUST CSF Assurance
- Scope of report
  - A: HITRUST CSF controls (may or may not be limited to those required for certification)
  - B: Security, availability and confidentiality Trust Services Principles; HITRUST CSF controls (may or may not be limited to those required for certification)
  - C: Security, availability and confidentiality Trust Services Principles; HITRUST CSF controls (may or may not be limited to those required for certification)
- Intended users
  - A: Unlimited distribution
  - B: Limited distribution
  - C: Limited distribution
- Resulting deliverable
  - A: HITRUST CSF report with background, management representation, scope, results of maturity scores, CAPs, NIST CsF scorecard/certification
  - B: Attest opinion with description of systems and service auditor tests/results against selected Trust Services Principles; HITRUST CSF controls (suitable criteria)
  - C: Attest opinion with description of systems and service auditor tests/results against selected Trust Services Principles and HITRUST CSF controls (suitable criteria); plus HITRUST CSF report with background, management representation, scope, scores, CAPs, NIST CsF scorecard/certification
- Report issued by
  - A: HITRUST
  - B: Independent CPA firms
  - C: Independent CPA firms, HITRUST
- Report addresses
  - A: HITRUST CSF, NIST CsF
  - B: HITRUST CSF, AICPA Trust Services Principles
  - C: HITRUST CSF, AICPA Trust Services Principles, NIST CsF

Reliability
The approach should provide a high degree of assurance for relying parties, such as internal stakeholders (e.g., audit, management, Board of Directors) and external stakeholders (e.g., customers, business partners, vendors and regulators).
- Obtained through: transparency, accuracy, consistency and scalability
- Provided by: the HITRUST CSF, the HITRUST CSF Assurance Program and the HITRUST CSF Assessor Program
ASSESSMENT EXCHANGE

HITRUST Assessment Exchange
- Innovative way to request, manage, view and share HITRUST CSF assessment data in an electronically consumable format
- Supports integration with leading GRC/VRM platforms

Challenges in Managing Risk Assessments
- Limited internal resources
- Identifying the appropriate resources responsible for security and privacy at third parties
- Educating vendors on your process and expectations
- Follow-up to ensure risks are measured, adequately addressed and managed
- Developing and managing the approach is cost intensive
- Inconsistent vendor security risk evaluation methodology
- Operational and labor intensive process

Benefits to an Exchange
- Vendor outreach
  - Contact the vendor and identify points of contact
  - Deliver POC and contact information as part of the vendor profile
  - HITRUST can emphasize the importance of assurance by contacting a vendor on behalf of many rather than on behalf of one
  - Centralized vendor population management and tracking ensures efficient outreach and emphasizes importance
- Vendor education
  - Experienced HITRUST CSF Assurance personnel to explain the assessment and assurance processes
  - Technical support for MyCSF and assessment-related questions
  - Vendors can benchmark themselves against one or more populations to see where they stand
- Visibility into the status of vendors / third-party assurance
  - Provide a portal for a unified view of vendor risk postures and for tracking progress
  - View all vendors in one central location
  - View a vendor's progress through the assurance process
  - Perform vendor analysis and comparison across your vendor population via pre-defined and ad hoc reporting capabilities
  - Open API allows easy import and export of data from HITRUST to an organization's native tools

Benefits to an Exchange (continued)
- Provide a means to track corrective actions
  - Receive real-time updates on vendors' corrective actions
  - Analysis of control gaps across your vendor population
  - Define and enable business rule alerts that notify you when a vendor makes an update or changes the assessment results
- Provide the ability to export results in a format that is easy to import into local GRC or VRM solutions
  - Map data elements to native systems quickly and with little effort
  - Create and report on security metrics across a vendor population
  - Understand vendor relationships and identify weak links in the chain
COMMON QUESTIONS

What does the HITRUST CSF include?
The HITRUST CSF provides coverage across multiple regulations and includes significant components from other well-respected IT security standards bodies and governance sources. It is scalable, risk-based, industry agnostic and certifiable.
Legislative, regulatory, and best practice standards and frameworks include, but are not limited to:
- ISO/IEC 27001, 27002:2005 and 2013, 27799:2008
- CFR Part 11
- COBIT 4.1
- NIST SP Revision 4
- NIST Cybersecurity Framework (CsF)
- DHS Cyber Resilience Review (in CSF v9)
- NIST SP Revision 1
- PCI DSS version 3
- FTC Red Flags Rule
- FFIEC IT InfoSec Examination (in CSF v9)
- 201 CMR (State of Mass.)
- NRS 603A (State of Nev.)
- CSA Cloud Controls Matrix version 3.1
- CIS CSC version 6 (SANS Top 20)
- CMS IS ARS version 2
- MARS-E version 2
- IRS Pub 1075 v2014
- FedRAMP (in CSF v9)
These sources are analyzed, rationalized and consolidated.
Scoping factors:
- Regulatory: federal, state and domain-specific compliance requirements
- Organization: geographic factors; number of records processed or held
- System: data stores; external connections; number of users/transactions
Structure: 14 control categories, 45 control objectives, 149 control specifications.
Control categories:
1. Information Security Management Program
2. Access Control
3. Human Resources Security
4. Risk Management
5. Security Policy
6. Organization of Information Security
7. Compliance
8. Asset Management
9. Physical and Environmental Security
10. Communications and Operations Management
11. Information Systems Acquisition, Development & Maintenance
12. Information Security Incident Management
13. Business Continuity Management
14. Privacy Practices

Does this mean I have to redo my security program?
- The HITRUST CSF covers 100% of the:
  - ISO controls (mapping is trivial, as the HITRUST CSF is built on ISO)
  - ISO controls (depicted on the left)
  - NIST SP r4 controls, moderate-level baseline (depicted on the left)
- To simplify the process of aligning from a standard like ISO or NIST to the HITRUST CSF, HITRUST provides a HITRUST CSF Standards & Regulations Cross-Reference (X-Ref) spreadsheet with detailed mappings (depicted by the examples on the right)
- *HITRUST CSF control category 0.0 addresses the original ISMS requirements in Section 4 of ISO 27001:

How does all this facilitate trust?

Why can't I just do a SOC 2?
- The HITRUST CSF meets AICPA SOC 2 reporting requirements for suitable criteria
  - Realize significant time efficiencies and cost savings
  - Reduce inefficiencies/costs associated with multiple reporting requirements
  - Provide additional detail around how an organization is addressing internal control
- A lack of uniform acceptable controls criteria results in a reduction of the following when viewed across multiple entities: transparency, accuracy, consistency and reliability

What does "acceptable controls criteria" mean?
- The SOC 2 guide and Appendix C of TSP section 100 require an organization to establish controls that meet all applicable trust services criteria
- The control objectives must align with the applicable trust services criteria, and the controls must address all of the applicable trust services criteria
- AICPA requirements for suitable criteria: objectivity, measurability, completeness and relevance

Why can't I just use the NIST Cybersecurity Framework?
- The HITRUST CSF provides the foundation needed to implement the NIST Cybersecurity Framework.
- Although scalable, the NIST CSF lacks prescription in requirements and assessment methodology, and subsequently lacks transparency, accuracy, consistency and reliability

Why can't I just do the AICPA Cyber Examination?
- The AICPA Cyber Examination consists of two major components:
  - A description of an entity's program based on new description criteria
  - An assessment of control effectiveness based on its control criteria
- As with the AICPA Trust Services Principles, additional information (specificity) is needed to address the criteria, and the Cyber Examination would result in a reduction of the following when viewed across multiple entities: transparency, accuracy, consistency and reliability

How do I know what was in place and tested?
Contents of the HITRUST CSF Validated and Certified Report:
- Letter of Certification
- Representation Letter
- Assessment Context
- Assessment Scope
- Security Program Analysis
- Assessment Results
- Overall Security Program Summary
- Breakdown of Controls Required for Certification
- Testing Summary
- Corrective Action Plan
- Questionnaire Results (Detailed)
- System Profile

How do I benefit from all this?
- Redundant, inconsistent assessments result in lost productivity and additional costs
- A more efficient, streamlined approach benefits the Plan and the Plan Sponsor
- The recommended approach leverages:
  - A single controls framework for context
  - A strong assessment methodology that provides high assurance and consistency
  - A single assessment to provide efficient reporting
- HITRUST CSF control maturity scoring
- SOC 2: the HITRUST CSF provides SOC 2 the necessary prescriptiveness and transparency for the availability, confidentiality and security criteria
- NIST Cybersecurity Framework: the HITRUST CSF provides the basis for consistency, HITRUST CSF Assurance enables transparency and assurance, and the scorecard enables reporting on NIST CsF Core Subcategories

Questions

Visit [URL not captured in the transcription] for more information. To view our latest documents, visit the Content Spotlight.

HITRUST Resources
(Document paths below are as captured; the leading part of each URL was not preserved in the transcription.)
- Healthcare Sector CsF Implementation Guide: discusses healthcare's implementation of the NIST Cybersecurity Framework based on the HITRUST CSF and CSF Assurance Program. s/cybersecurity/hitrust_healthcare_sector_cybersecurity_framework_implementation_guide.pdf
- Risk vs. Compliance-based Protection: discusses the difference between compliance- and risk-based information protection programs and shows how controls are selected based on a risk analysis, after which their implementation becomes a compliance exercise. s/csf_rmf_related/riskvscompliancewhitepaper.pdf
- Risk Analysis Guide: provides a detailed discussion of HITRUST's NIST-based control implementation maturity model, HITRUST's scoring model, and additional information on risk treatments, including remediation planning for control deficiencies. s/csf_rmf_related/riskanalysisguide.pdf
- MyCSF vs. GRC Tools: provides a discussion of the differences between a typical GRC tool and MyCSF, which was primarily designed to automate HITRUST's assessment validation and certification process. s/content/mycsfvsgrctool.pdf
- CSF Assessment Methodology: discusses HITRUST's NIST-based approach to conducting CSF assessments, including information on how to determine organizational and system scope. s/assurance/csf/csfassessmentmethodology.pdf
- CSF Assurance Program Requirements: provides an overview of the CSF Assurance Program, the various types of assessments available, and the process of obtaining and maintaining certification. s/assurance/csf/csfassuranceprogramrequirements.pdf
More informationOptimising cloud security, trust and transparency
Optimising cloud security, trust and transparency April 2013 Jim Reavis, CSA Founder and Executive Director Daniele Catteddu, CSA Managing Director EMEA About the Cloud Security Alliance! Global, not-for-profit
More informationSecurity Management Models And Practices Feb 5, 2008
TEL2813/IS2820 Security Management Security Management Models And Practices Feb 5, 2008 Objectives Overview basic standards and best practices Overview of ISO 17799 Overview of NIST SP documents related
More informationInformation Security Risk Strategies. By
Information Security Risk Strategies By Larry.Boettger@Berbee.com Meeting Agenda Challenges Faced By IT Importance of ISO-17799 & NIST The Security Pyramid Benefits of Identifying Risks Dealing or Not
More informationBUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE
BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE 1 WHAT IS YOUR SITUATION? Excel spreadsheets Manually intensive Too many competing priorities Lack of effective reporting Too many consultants Not
More informationGETTING STARTED WITH THE SIG 2014: A RESPONDENT S GUIDE By Shared Assessments
GETTING STARTED WITH THE SIG 2014: A RESPONDENT S GUIDE By Shared Assessments GETTING STARTED WITH THE SIG 2014: A RESPONDENT S GUIDE TABLE OF CONTENTS About the SIG... 2 SIG Quick Start Guide For Responders...
More informationBHConsulting. Your trusted cybersecurity partner
Your trusted cybersecurity partner BH Consulting Securing your business BH Consulting is an award-winning, independent provider of cybersecurity consulting and information security advisory services. Recognised
More informationMANAGING CYBERSECURITY RISK IN A HIPAA-COMPLIANT WORLD ANDRE W HIC KS MB A, C IS A, C C M, CR IS C,
W H I T E P A P E R MANAGING CYBERSECURITY RISK IN A HIPAA-COMPLIANT WORLD ANDRE W HIC KS MB A, C IS A, C C M, CR IS C, HIT R US T CSF PRACT IT I O NE R D IRECTO R, HE AL T HC ARE PR ACT I CE L E AD DR.
More informationFDIC InTREx What Documentation Are You Expected to Have?
FDIC InTREx What Documentation Are You Expected to Have? Written by: Jon Waldman, CISA, CRISC Co-founder and Executive Vice President, IS Consulting - SBS CyberSecurity, LLC Since the FDIC rolled-out the
More informationUpdates to the NIST Cybersecurity Framework
Updates to the NIST Cybersecurity Framework NIST Cybersecurity Framework Overview and Other Documentation October 2016 Agenda: Overview of NIST Cybersecurity Framework Updates to the NIST Cybersecurity
More informationTEL2813/IS2820 Security Management
TEL2813/IS2820 Security Management Security Management Models And Practices Lecture 6 Jan 27, 2005 Introduction To create or maintain a secure environment 1. Design working security plan 2. Implement management
More informationDemystifying GRC. Abstract
White Paper Demystifying GRC Abstract Executives globally are highly focused on initiatives around Governance, Risk and Compliance (GRC), to improve upon risk management and regulatory compliances. Over
More informationAcademic Medical Centers & Vendor Security: Most Comprehensive Study to Date
Academic Medical Centers & Vendor Security: Most Comprehensive Study to Date NCHICA Meeting June 2018 Michelle Allar, Quality and Risk Management Manager Wake Forest Baptist Medical Center MAllar@WakeHealth.edu
More informationFedRAMP: Understanding Agency and Cloud Provider Responsibilities
May 2013 Walter E. Washington Convention Center Washington, DC FedRAMP: Understanding Agency and Cloud Provider Responsibilities Matthew Goodrich, JD FedRAMP Program Manager US General Services Administration
More informationISO 27001:2013 certification
www.pwc.ch/cybersecurity ISO 27001:2013 certification Building confidence in your digital future Our approach to certification PwC offers a four-phase approach to help with your ISO 27001 project, using
More informationCitation for published version (APA): Berthing, H. H. (2014). Vision for IT Audit Abstract from Nordic ISACA Conference 2014, Oslo, Norway.
Aalborg Universitet Vision for IT Audit 2020 Berthing, Hans Henrik Aabenhus Publication date: 2014 Document Version Early version, also known as pre-print Link to publication from Aalborg University Citation
More informationCyber Security in M&A. Joshua Stone, CIA, CFE, CISA
Cyber Security in M&A Joshua Stone, CIA, CFE, CISA Agenda About Whitley Penn, LLP The Threat Landscape Changed Cybersecurity Due Diligence Privacy Practices Cybersecurity Practices Costs of a Data Breach
More informationExecutive Order & Presidential Policy Directive 21. Ed Goff, Duke Energy Melanie Seader, EEI
Executive Order 13636 & Presidential Policy Directive 21 Ed Goff, Duke Energy Melanie Seader, EEI Agenda Executive Order 13636 Presidential Policy Directive 21 Nation Infrastructure Protection Plan Cybersecurity
More informationUsing Metrics to Gain Management Support for Cyber Security Initiatives
Using Metrics to Gain Management Support for Cyber Security Initiatives Craig Schumacher Chief Information Security Officer Idaho Transportation Dept. January 2016 Why Metrics Based on NIST Framework?
More informationBest Practices & Lesson Learned from 100+ ITGRC Implementations
Best Practices & Lesson Learned from 100+ ITGRC Implementations Presenter: Vivek Shivananda CEO of Rsam Dec 3, 2010 ISACA -NY Chapter Copyright 2002 2010 Relational Security Corp. (dba Rsam) Agenda Overview
More informationSOC Lessons Learned and Reporting Changes
SOC Lessons Learned and Reporting Changes Dec. 16, 2014 Your Presenters Today Arshad Ahmed, CISA, CISSP, CPA Leader of SOC and Technology Risk Services for Crowe Rod Smith, CISA, CPA Thought Leader for
More informationEffective Strategies for Managing Cybersecurity Risks
October 6, 2015 Effective Strategies for Managing Cybersecurity Risks Larry Hessney, CISA, PCI QSA, CIA 1 Everybody s Doing It! 2 Top 10 Cybersecurity Risks Storing, Processing or Transmitting Sensitive
More informationCyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.
Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK. In today s escalating cyber risk environment, you need to make sure you re focused on the right priorities by
More informationHSCIC Audit of Data Sharing Activities:
Directorate / Programme Data Dissemination Services Project / Work Data Sharing Audits Status Final Acting Director Chris Roebuck Version 1.0 Owner Rob Shaw Version issue date 19-Jan-2015 HSCIC Audit of
More informationEvaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure
Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure March 2015 Pamela Curtis Dr. Nader Mehravari Katie Stewart Cyber Risk and Resilience Management Team CERT
More informationProtecting your data. EY s approach to data privacy and information security
Protecting your data EY s approach to data privacy and information security Digital networks are a key enabler in the globalization of business. They dramatically enhance our ability to communicate, share
More informationManaging Privacy Risk & Compliance in Financial Services. Brett Hamilton Advisory Solutions Consultant ServiceNow
Managing Privacy Risk & Compliance in Financial Services Brett Hamilton Advisory Solutions Consultant ServiceNow 1 Speaker Introduction INSERT PHOTO Name: Brett Hamilton Title: Advisory Solutions Consultant
More informationWhy you should adopt the NIST Cybersecurity Framework
Why you should adopt the NIST Cybersecurity Framework It s important to note that the Framework casts the discussion of cybersecurity in the vocabulary of risk management Stating it in terms Executive
More informationAssurance through the ISO27002 Standard and the US NIST Cybersecurity Framework. Keith Price Principal Consultant
Assurance through the ISO27002 Standard and the US NIST Cybersecurity Framework Keith Price Principal Consultant 1 About About me - Specialise in cybersecurity strategy, architecture, and assessment -
More informationSYSTEMS ASSET MANAGEMENT POLICY
SYSTEMS ASSET MANAGEMENT POLICY Policy: Asset Management Policy Owner: CIO Change Management Original Implementation Date: 7/1/2017 Effective Date: 7/1/2017 Revision Date: Approved By: NIST Cyber Security
More informationCybersecurity The Evolving Landscape
Cybersecurity The Evolving Landscape 1 Presenter Zach Shelton, CISA Principal DHG IT Advisory Zach.Shelton@DHG.com Raleigh, NC 14+ years of experience in IT Consulting 11+ years of experience with DHG
More informationChallenges 3. HAWK Introduction 4. Key Benefits 6. About Gavin Technologies 7. Our Security Practice 8. Security Services Approach 9
HAWK Overview Agenda Contents Slide Challenges 3 HAWK Introduction 4 Key Benefits 6 About Gavin Technologies 7 Our Security Practice 8 Security Services Approach 9 Why Gavin Technologies 10 Key Clients
More informationSOC-2 Requirement Solution Brief. EventTracker 8815 Centre Park Drive, Columbia MD SOC-2
Requirement Solution Brief 8815 Centre Park Drive, Columbia MD 21045 About delivers business critical software and services that transform high-volume cryptic log data into actionable, prioritized intelligence
More informationChecklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates. Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP)
Checklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP) ecfirst, chief executive Member, InfraGard Compliance Mandates Key Regulations
More informationNORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers
Identify Protect Detect Respond Recover Identify: Risk Assessments & Management 1. Risk assessments are conducted frequently (e.g. annually, quarterly). 2. Cybersecurity is included in the risk assessment.
More informationISO / IEC 27001:2005. A brief introduction. Dimitris Petropoulos Managing Director ENCODE Middle East September 2006
ISO / IEC 27001:2005 A brief introduction Dimitris Petropoulos Managing Director ENCODE Middle East September 2006 Information Information is an asset which, like other important business assets, has value
More informationNIST Cloud Security Architecture Tool (CSAT) Leveraging Cyber Security Framework to Architect a FISMA-compliant Cloud Solution
NIST Cloud Security Architecture Tool (CSAT) Leveraging Cyber Security Framework to Architect a FISMA-compliant Cloud Solution Dr. Michaela Iorga NIST October 2018 A Triple Inflection Point Marked A New
More informationCloud First Policy General Directorate of Governance and Operations Version April 2017
General Directorate of Governance and Operations Version 1.0 24 April 2017 Table of Contents Definitions/Glossary... 2 Policy statement... 3 Entities Affected by this Policy... 3 Who Should Read this Policy...
More informationSAS 70 SOC 1 SOC 2 SOC 3. Type 1 Type 2
SAAABA Changes in Reports on Service Organization Controls April 18, 2012 Changes in Reports on Service Organization Controls (formerly SAS 70) April 18, 2012 Duane M. Reyhl, CPA Andrews Hooper Pavlik
More informationCertified Information Security Manager (CISM) Course Overview
Certified Information Security Manager (CISM) Course Overview This course teaches students about information security governance, information risk management, information security program development,
More informationTurning Risk into Advantage
Turning Risk into Advantage How Enterprise Wide Risk Management is helping customers succeed in turbulent times and increase their competitiveness Glenn Tjon Partner KPMG Advisory Presentation Overview
More informationA Working Paper of the EastWest Institute Breakthrough Group. Increasing the Global Availability and Use of Secure ICT Products and Services
A Working Paper of the EastWest Institute Breakthrough Group Increasing the Global Availability and Use of Secure ICT Products and Services August 5, 2015 The EastWest Institute (EWI) is leading a Global
More informationRisk: Security s New Compliance. Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23
Risk: Security s New Compliance Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23 Agenda Market Dynamics Organizational Challenges Risk: Security s New Compliance
More informationThe SOC 2 Compliance Handbook:
The SOC 2 Compliance Handbook: Your guide to SOC 2 Audit Success The SOC 2 Compliance Handbook Page 2 Table of Contents Abstract 3 Why am I being asked about SOC Compliance? 4 What s the difference between
More informationRe: McAfee s comments in response to NIST s Solicitation for Comments on Draft 2 of Cybersecurity Framework Version 1.1
January 19, 2018 VIA EMAIL: cyberframework@nist.gov Edwin Games National Institute of Standards and Technology 100 Bureau Drive, Mail Stop 8930 Gaithersburg, MD 20899 Re: McAfee s comments in response
More informationPROFESSIONAL SERVICES (Solution Brief)
(Solution Brief) The most effective way for organizations to reduce the cost of maintaining enterprise security and improve security postures is to automate and optimize information security. Vanguard
More information