Peer Collaboration The Next Best Practice for Third Party Risk Management

Similar documents
HITRUST CSF: One Framework

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

2018 HIPAA One All Rights Reserved. Beyond HIPAA Compliance to Certification

HITRUST CSF Assurance Program HITRUST, Frisco, TX. All Rights Reserved.

Model Approach to Efficient and Cost-Effective Third-Party Assurance

Global Statement of Business Continuity

SOC for cybersecurity

Business Assurance for the 21st Century

Exploring Emerging Cyber Attest Requirements

Choosing the Right Cybersecurity Assessment Tool Michelle Misko, TraceSecurity Product Specialist

A Working Paper of the EastWest Institute Breakthrough Group. Increasing the Global Availability and Use of Secure ICT Products and Services

Guidance for Exchange and Medicaid Information Technology (IT) Systems

GETTING STARTED WITH THE SIG 2014: A RESPONDENT S GUIDE By Shared Assessments

NIS Standardisation ENISA view

December 10, Statement of the Securities Industry and Financial Markets Association. Senate Committee on Banking, Housing, and Urban Development

Managing Privacy Risk & Compliance in Financial Services. Brett Hamilton Advisory Solutions Consultant ServiceNow

SOC 2 examinations and SOC for Cybersecurity examinations: Understanding the key distinctions

SOC Lessons Learned and Reporting Changes

CSF to Support SOC 2 Repor(ng

ISACA Cincinnati Chapter March Meeting

The value of visibility. Cybersecurity risk management examination

IT Attestation in the Cloud Era

HITRUST Common Security Framework - Are you prepared?

SOC 3 for Security and Availability

Defining the Challenges and Solutions. Resiliency Model. A Holistic Approach to Risk Management. Discussion Outline

Cyber Risks in the Boardroom Conference

ENISA EU Threat Landscape

locuz.com SOC Services

SERVICE ORGANIZATION CONTROL (SOC) REPORTS: WHAT ARE THEY?

Workday s Robust Privacy Program

ETNO Reflection Document on the EC Proposal for a Directive on Network and Information Security (NIS Directive)

NE HIMSS Vendor Risk. October 9, 2015 MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS

Performing a Vendor Security Review TCTC 2017 FALL EVENT PRESENTER: KATIE MCINTOSH

Data Security Standards

2016 Nationwide Cyber Security Review: Summary Report. Nationwide Cyber Security Review: Summary Report

Framework for Improving Critical Infrastructure Cybersecurity

ENISA s Position on the NIS Directive

Dr. Emadeldin Helmy Cyber Risk & Resilience Bus. Continuity Exec. Director, NTRA. The African Internet Governance Forum - AfIGF Dec 2017, Egypt

SAS 70 Audit Concepts. and Benefits JAYACHANDRAN.B,CISA,CISM. August 2010

Protecting vital data with NIST Framework

COBIT 5 With COSO 2013

Achieving third-party reporting proficiency with SOC 2+

SECURETexas Health Information Privacy & Security Certification Program

Risk: Security s New Compliance. Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23

Table of Contents. Sample

SSAE 18 & new SOC approach to compliance. Moderator Name: Patricio Garcia Managing Partner ControlCase Attestation Services

THREE COLOCATION MYTHS HEALTHCARE PROVIDERS SHOULD LEAVE BEHIND. Exploring Security, Compliance, and Performance in Healthcare IT

Robert Brammer. Senior Advisor to the Internet2 CEO Internet2 NET+ Security Assessment Forum. 8 April 2014

Why you should adopt the NIST Cybersecurity Framework

Optimising cloud security, trust and transparency

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)

NYDFS Cybersecurity Regulations

Protecting your data. EY s approach to data privacy and information security

EISAS Enhanced Roadmap 2012

Compliance & Security in Azure. April 21, 2018

BHConsulting. Your trusted cybersecurity partner

Google Cloud & the General Data Protection Regulation (GDPR)

Improving Cybersecurity through the use of the Cybersecurity Framework

Information for entity management. April 2018

Medical Device Cybersecurity: FDA Perspective

Altius IT Policy Collection Compliance and Standards Matrix

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

Identity Assurance Framework: Realizing The Identity Opportunity With Consistency And Definition

Run the business. Not the risks.

EY s data privacy service offering. How to transform your data privacy capabilities for an EU General Data Protection Regulation (GDPR) world

Cybersecurity in Higher Ed

Cybersecurity & Privacy Enhancements

FDIC InTREx What Documentation Are You Expected to Have?

FISMAand the Risk Management Framework

FDA & Medical Device Cybersecurity

Executive Order & Presidential Policy Directive 21. Ed Goff, Duke Energy Melanie Seader, EEI

Background FAST FACTS

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

HITRUST CSF Roadmap for 2018 and Beyond HITRUST Alliance.

2018 WTA Spring Meeting Are You Ready for a Breach? Troy Hawes, Senior Manager

HITRUST ON THE CLOUD. Navigating Healthcare Compliance

SWIFT Customer Security Controls Framework and self-attestation via The KYC Registry Security Attestation Application FAQ

A SERVICE ORGANIZATION S GUIDE SOC 1, 2, & 3 REPORTS

10 Cybersecurity Questions for Bank CEOs and the Board of Directors

10/18/2016. Preparing Your Organization for a HHS OIG Information Security Audit. Models for Risk Assessment

PROFESSIONAL SERVICES (Solution Brief)

CLE Alabama. Banking Law Update. Embassy Suites Hoover Hotel Birmingham, Alabama Friday, February 19, 2016

Directive on Security of Network and Information Systems

Governing cyber security risk: It s time to take it seriously Seven principles for Boards and Investors

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

Third Party Security Review Process

Endpoint Security for Wholesale Payments

Implementing the Administration's Critical Infrastructure and Cybersecurity Policy

Implementing Executive Order and Presidential Policy Directive 21

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

BHConsulting. Your trusted cybersecurity partner

Launch of the Cybersecurity Fortification Initiative by the HKMA at Cyber Security Summit 2016

Locking Down the Cloud Security is Not a Myth

Top Five Privacy and Data Security Issues for Nonprofit Organizations

FFIEC Cyber Security Assessment Tool. Overview and Key Considerations

Perspectives on Navigating the Challenges of Cybersecurity in Healthcare

Securing Europe's Information Society

BPS Suite and the OCEG Capability Model. Mapping the OCEG Capability Model to the BPS Suite s product capability.

IoT & SCADA Cyber Security Services

Updates to the NIST Cybersecurity Framework

Transcription:

SESSION ID: GRM-F02 Peer Collaboration The Next Best Practice for Third Party Risk Management Robin M. Slade EVP & COO The Santa Fe Group & Shared Assessments Program

Introduction Q: How do we achieve standardization, efficiencies and cost savings in the third party risk assessment process? A: By agreeing that third party risk management is not a competitive issue. Collective Intelligence + Industry Standard --------------------------------------------- = Improved Risk Assessment Process 2

The Environment Dependence on outsourcing critical services increases inherent risk Numerous and overlapping regulatory requirements and heightened expectation on assurance, including increased transparency regarding cybersecurity practices Boards and senior management involvement in the risk reporting process Proprietary methods for information gathering and assessments are inefficient, costly and lack standardization Risk areas continue to evolve and expand Threats are becoming increasingly more sophisticated 3

The Need Robust Vendor Management Programs Evaluate, track and measure third-party risk Alignment of risk controls to corporate requirements to lessen exposure to risk from third (and fourth) parties Ensure compliance to regulations, standards and guidelines Consistent, robust and repeatable process Ongoing oversight program 4

The Problem Lack of standardized risk assessment processes by outsourcers Varying interpretation of regulations and differing risk appetites Service providers resources strained by outsourcers Need to respond to diverse client information requests Time and resource intensive onsite visits 5

The Solution The Collaborative Onsite Assessment Top-tier US-based financial institution risk managers working collaboratively to improve the third party risk environment Leverage the collective intelligence to improve current standards for IT, privacy and data security controls Shared Assessments Agreed Upon Procedures (AUP) Service Organization Control (SOC) 2 Utilize industry associations to foster collaboration and provide project management Shared Assessments Program Securities Industry and Financial Markets Association (SIFMA) 6

Project Goals - Creating Efficiencies Collaborate on Onsite Assessments of Key Third Parties To the extent that common services are offered to multiple organizations in the financial services industry, evaluate the associated risk in a consistent, uniform manner Leverage the Shared Assessments Agreed Upon Procedures (AUP), standardized testing procedures for onsite assessments, as the common risk assessment methodology Reduce the time and expense of conducting multiple onsite vendor assessments Ensure a standardized, robust, consistent, and repeatable evaluation of a vendor s risk posture 7

Project Goals - Improve the Framework Top tier financial institutions worked collaboratively to develop: A Superset AUP framework for onsite assessments (Shared Assessments) Development of a SOC 2 Plus (SIFMA) Both projects hold the same common goals the development of a more robust and scalable risk assessment process that injects speed, efficiency and cost savings into the third party risk assessment process 8

Project Pilot: Collaborative Onsite Assessments Participants piloted the process of working collaboratively to assess key third parties for whom they share common shared services: Pilot 1: Iron Mountain + 3 financial institutions Pilot 2: Early Warning Services, LLC + 5 financial institutions Pilot 3: Small Business Financial Exchange (SBFE) Superset AUP now meets all internal corporate requirements for many U.S. financial institutions, including key pilot participants: JPMorgan Chase; Citigroup; Capital One; US Bank; Morgan Stanley; Northern Trust 9

Collaborative Assessment Pilot Approach Step 1: Determine participants Select 3+ financial institutions to participate in a joint assessment Select a vendor broadly used within the financial services industry Step 2: Scoping Scope and location of services outlined by the vendor Financial Institution participants agree to the scope and location of services Step 3: Selection of auditor Participants agree to auditor to conduct the shared assessment CPA or Non-CPA independent assessment firm may be used Step 4: Superset modifications Leveraging the gap analysis developed in the mapping of requirements to AUP, auditor adds additional controls and testing procedures to create the Superset Participants review and approve for accuracy and completeness 10

Collaborative Assessment Pilot Approach Step 5: Assessment prep Auditor and Service Provider narrow the AUP to the specific services being assessed Step 6: Assessment performed Auditor schedules and conducts an onsite assessment using the narrowed Superset AUP Step 7: Post assessment Auditor presents the findings from the assessment to the service provider Service provider presents comments and observations to auditor in response for inclusion into the report Auditor presents final report to all participants Financial institutions meet separately with service provider to review and agree upon remediation plan(s) for any issues or findings 11

Pilot Lessons Learned More robust framework developed with broader risk domain coverage than individual proprietary practices More robust controls testing process Efficiency gained through one assessment by multiple banks Enhanced communication and improved relationship between financial institutions and third party service providers Assessors are completely independent of participating banks Each participant able to view report based on their unique risk environments 12

Benefits Summary Increased rigor, consistency, efficiency and cost savings in the control assessment process for both the outsourcing organizations and the service provider Larger Tier 1 and 2 service providers would benefit most immediately from participating in collaborative assessments For mid and small size institutions who cannot necessarily dedicate a high level of resources to meet the changing regulatory and evolving risk environment, there exist tangible cost savings and personnel efficiencies benefits through use of a consistent, reliable tool More robust control sets developed through collective intelligence are expected to drive improvements in service provider programs 13

Continuous Efforts and Improvements Next Steps: Ongoing development and refinement of the Superset AUP to ensure additional robustness by expanding the collective intelligence to include additional financial institutions Develop and broaden the collaborative onsite assessment program including project management services Release the enhanced Superset AUP Program Tool mid 2015 Promote adoption of the Program s Superset AUP as a best practices standard for each industry or sector as they are developed. 14

Apply What You Heard Today Understand that third party risk management is not a competitive issue Form cooperative relationships and open the lines of communication with your counterparts at other organizations Get involved in industry associations and public-private partnerships Adopt a standardized framework to keep current with new regulatory requirements and changing risk control areas Outsourcers: Consider working collaboratively with other companies to perform collaborative onsite assessments Service Providers: Understand what organizations share common services and encourage them to perform a collaborative onsite assessment 15

Questions? 16

For More Information Contact: Robin Slade EVP & COO 972-347-1627 robin@santa-fe-group.com

Appendix 18

Shared Assessments Program Setting the standard in U.S. vendor risk assurance since 2005, now expanding internationally Created by leading financial institutions, the Big 4 accounting firms, and key service providers to: Standardize an objective framework for outsourcers to gather service provider information through a repeatable and consistent evaluation process Raise the bar on third party risk management by creating a comprehensive onsite security evaluation process, regardless of who performs the assessment (CPA, independent assessment firm, internal assessor) Ensure a means for keeping current with the latest regulations, standards and new risk control areas Create efficiencies and reduce costs for all stakeholders 19

Shared Assessments Program Tools Methodologies for managing the vendor risk lifecycle Two complementary tools to document service provider management of information security controls Standardized Information Gathering (SIG) questionnaire Agreed Upon Procedures (AUP) standardized testing procedures for onsite assessments Trust, but verify approach to conducting third party assessments Trust = SIG: Uses industry best practices to gather and assess information technology, operating and data security risks (and their corresponding controls) in an information technology environment Verify= AUP: Used by companies to evaluate the controls their service providers have in place for information data security, privacy and business continuity 20

Shared Assessments Program Tools The Program Tools are aligned to: ISO 27001, 27002 COBIT NIST Cyber Security Framework (CSF); Computer Security Incident Handling Guide (NIST.SP.800-61r2) PCI-DSS OCC-2013-29; Merchant Processing Handbook Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) FFIEC Appendix J DOJ Breach Procedures AICPA Incident Response Procedures HIPAA Incident Response Reporting Procedures US CERT Federal Incident Notification Guidelines CMS Medicare and Medicaid EHR Incentive Program, Meaningful Use 21

Shared Assessments Program Tools International add on components under development to align with international regulatory standards and guidance, including: Hong Kong Monetary Authority (HKMA) European Central Bank (ECB) Asia-Pacific Economic Cooperation (APEC) Monitory Authority of Singapore (MAS) German Federal Financial Supervisory Authority (BaFIN) Bundesbank/Central Bank of Germany (BuBA) Financial Conduct Authority (FCA) Financial Services Authority (FSA) Financial Market Supervision Act (FINMA) Commission de Surveillance du Secteur Financier (CSSF) EU Data Protection Directive 22

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback