Privacy & Security Controls in Vendor Management
Al Raymond, Chief Privacy Officer, PHH Corporation
Background: PHH Corporation
- One of the top five originators of retail residential mortgages in the United States
- Largest private label mortgage company
- 2nd largest fleet vehicle management company
- 300+ of the country’s largest financial institutions as clients – banks, thrifts, S&Ls, credit unions
- Uses vendors in and outside the U.S.
- Audited by everyone, every day
Agenda
- Discussion of the controls in place at vendors, both locally and remotely, to ensure that privacy and confidentiality of customer data is given top priority.
- Discussion of the audit and oversight program in place to ensure the above.
Challenges
- The heightened visibility and profile of vendor management, particularly of offshore vendors, is causing many companies to finally formalize and document their vendor management program.
- Banking institution clients, and especially legislation, are requiring companies to ensure that they have ‘oversight’ of their vendors – and of their vendors’ vendors.
- So, how do you put that program in place and ensure it’s “operating effectively”?
Why do it? ‘Cause Regulation says so
Gramm-Leach-Bliley: the FTC Rule requires financial institutions to ensure the safeguards of their affiliates and to take steps to oversee their service providers’ safeguards. Oversee service providers by:
(1) Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information; and
(2) Requiring your service providers by contract to implement and maintain such safeguards.
More Regulation says
HIPAA Privacy Rule: “a covered entity must obtain satisfactory assurances from its business associate that they will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity”.
Governance
To be or not to be… in compliance? What’s needed? What should be in place?
The Prerequisites… not kidding now

Contract Provisions (examples)
- Dictate how vendors and suppliers are securing information and protecting customer privacy
- Language should be included in all contracts to enforce compliance, for example: “Upon reasonable notice, we may perform audits and security tests of vendor’s environment that may include, but are not limited to, interviews of relevant personnel, review of documentation, or technical inspection of systems, as they relate to the receipt, maintenance, use, retention, and authorized destruction of vendor Confidential Information”
- Steer clear of vendors that do not have secure practices
- US court of law in case of disputes
Governance Approach – Define ‘risk’
Prioritizing On-Site Reviews – Determine who must be seen

High Risk Providers
- Service provided is either business critical, deals with sensitive PII/NPI/PHI data, or both.
- On-site reviews should be conducted every 24 months at least, ideally annually.
- Reviews should focus on significant changes in security stance and risk management, and on following up on any issues.
- Regular review of monitoring and oversight by management and end user groups.

Medium Risk Providers
- Service provided may be critical, but not as time sensitive. May involve some level of PII/NPI/PHI data.
- On-site reviews should be conducted at least every 36 months.
- Discussions with company management, limited scope visits, reviews of significant security and service issues.

Low Risk Providers
- Service provided is not critical or time sensitive. Does not involve any PII/NPI/PHI data.
- Infrequent on-site reviews. Governance strategy may call for an initial on-site visit or limited scope examination.
- Periodic (generally at least every 24 months) off-site or informal reviews to confirm the risk ratings and obtain any information for security / service review documents.
Governance Approach… continued
- Annual due diligence questionnaire submitted to Vendor
- Review of existing company security stance, security program, controls
- Evaluate new and/or proposed changes to infrastructure, any new facilities, any new procedures, etc. that may be relevant
- Evaluate financials
- Review independent controls assessments
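One way to operationalize the High / Medium / Low tiers, their on-site and off-site review cadences, and the annual questionnaire from the two governance slides above, as an added example (not code from the deck or from PHH). The vendor names, dates and the three-level data classification ("none", "some", "sensitive") are constructed, and the mapping from the slide wording to a tier is my reading of the slides where they overlap.

```python
"""Vendor risk tiering and oversight-cadence check (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional

# Review cadences in months, as stated in the deck's tier definitions.
ONSITE_INTERVAL = {"High": 24, "Medium": 36}   # on-site review at least every N months
OFFSITE_INTERVAL = {"Low": 24}                 # off-site / informal review for low risk
QUESTIONNAIRE_INTERVAL = 12                    # annual due-diligence questionnaire

# Constructed "as of" date for the sample report below.
REPORT_DATE = date(2023, 6, 30)


@dataclass
class Vendor:
    name: str
    critical: bool             # service is business critical
    time_sensitive: bool       # a disruption hurts immediately
    data: str                  # "none", "some" or "sensitive" (PII/NPI/PHI)
    last_onsite: Optional[date] = None
    last_offsite: Optional[date] = None
    last_questionnaire: Optional[date] = None


def risk_tier(v: Vendor) -> str:
    """Assign the deck's tier (assumption: this is my reading of the slides).

    High   - critical and time sensitive, or handles sensitive PII/NPI/PHI
    Medium - critical but not time sensitive, or involves some such data
    Low    - neither critical nor time sensitive, and no PII/NPI/PHI
    """
    if v.data == "sensitive" or (v.critical and v.time_sensitive):
        return "High"
    if v.critical or v.data == "some":
        return "Medium"
    return "Low"


def months_since(then: Optional[date], today: date) -> Optional[int]:
    """Whole months elapsed; None when the activity has never happened."""
    if then is None:
        return None
    months = (today.year - then.year) * 12 + (today.month - then.month)
    if today.day < then.day:        # partial month does not count
        months -= 1
    return months


def _due(last: Optional[date], today: date, limit: int) -> bool:
    """Due when never done, or when the interval has fully elapsed."""
    elapsed = months_since(last, today)
    return elapsed is None or elapsed >= limit


def due_activities(v: Vendor, today: date) -> list[str]:
    """Oversight activities that are due for this vendor as of `today`."""
    tier = risk_tier(v)
    due: list[str] = []
    if tier in ONSITE_INTERVAL and _due(v.last_onsite, today, ONSITE_INTERVAL[tier]):
        due.append(f"on-site review (every {ONSITE_INTERVAL[tier]} months)")
    if tier in OFFSITE_INTERVAL and _due(v.last_offsite, today, OFFSITE_INTERVAL[tier]):
        due.append(f"off-site review (every {OFFSITE_INTERVAL[tier]} months)")
    if _due(v.last_questionnaire, today, QUESTIONNAIRE_INTERVAL):
        due.append("annual due-diligence questionnaire")
    return due


def oversight_report(vendors: list[Vendor], today: date) -> dict[str, tuple[str, list[str]]]:
    """Map vendor name -> (tier, list of due activities)."""
    return {v.name: (risk_tier(v), due_activities(v, today)) for v in vendors}


# Constructed sample inventory; none of these are real vendors.
SAMPLE_VENDORS = [
    Vendor("Offshore call center", critical=True, time_sensitive=True, data="sensitive",
           last_onsite=date(2021, 3, 15), last_questionnaire=date(2023, 2, 1)),
    Vendor("Document imaging", critical=True, time_sensitive=False, data="some",
           last_onsite=date(2022, 6, 1), last_questionnaire=date(2023, 1, 10)),
    Vendor("Office plant service", critical=False, time_sensitive=False, data="none",
           last_offsite=None, last_questionnaire=date(2022, 9, 1)),
]


def sample_report() -> dict[str, tuple[str, list[str]]]:
    """The report for the constructed inventory as of REPORT_DATE."""
    return oversight_report(SAMPLE_VENDORS, REPORT_DATE)


if __name__ == "__main__":
    for name, (tier, due) in sample_report().items():
        print(f"{name} [{tier}]: {', '.join(due) or 'nothing due'}")
```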
On the Ground… In Country
Additional information to uncover prior to production:
- Review any use of third parties/partners that support the outsourced operation
- Consideration of additional systems, data conversions, or connections
- Evaluate ability to respond to service disruptions
- If the nature of the data is PII/NPI/PHI, then a site visit to review the physical security of their data center and/or call center should be strongly considered
Information Security & Physical Controls
The conundrum: Onshore vs. Nearshore vs. Offshore
- Are all controls the same everywhere?
- Risk based? Or just perception of risk?
(dreaming)
Information Security & Physical Controls
Back to reality: what controls are put in place and ultimately validated by inspection, observation and corroborative inquiry?

Information Security & Physical Controls – continued…
Physical and Environmental
- Physically separated VLAN – separate switch, router and firewall (ideally)
- Vendor employees to handle sensitive information in a secure production area only
- Geographically diverse facilities to ensure recovery in case of disaster
- No physical storage of data locally
- Thin client configuration (Citrix) to access company network and resources – all controlled / monitored by company

Information Security & Physical Controls – continued…
Secured Connectivity
- Data connectivity through MPLS nodes to ensure business continuity
- Secondary B2B VPN connectivity for high availability

Information Security & Physical Controls – continued…
Vendor environment
- Enterprise anti-virus / personal firewall deployed
- No USB access, CD-RW, floppy drives or similar devices allowed on workstations
- Access to facility limited to authorized personnel, with on-site security guards and CCTV

Information Security & Physical Controls – continued…
System Access Control
- Unique username and password, with access control enforced in Active Directory
- Role-based, profile-based access to system resources

Information Security & Physical Controls – continued…
Operational Management – why I’m loved worldwide
- No printers or fax allowed in production area
- No paper, pens or cell phones allowed in production area
- Clipboard (cut and paste) feature disabled on both sides
- Web e-mail access blocked
- Limited Internet URL access – ‘white list’ defined by Company
- Monthly reconciliation process of new, existing and terminated employee accounts

Information Security & Physical Controls – continued…
Personnel Security
- Hiring protocols: criminal background check, signed NDA, signed acceptable usage policy, Company awareness training
- Access card
- Lockers for employee use outside of production area – no personal items on production floor
- Drug tests administered for all employees traveling to Company (e.g. training)
Additional Risk Management
Country Risk – quantify risk by assessing foreign political and economic conditions. Risk management procedures should evaluate contingency, service continuity, and exit strategies in the event of unexpected disruptions in service. Monitor and analyze the following specific risks:
- Economic environment
- Political & overall legal environment
- Privacy & security laws (if any)
- Cultural environment
- Developments in new geographic locations of vendor
The Audit and Oversight Process
The ultimate objective is to: “provide reasonable assurance to the Audit Committee and Management that appropriate control procedures are in place relative to the scope of outsourced services and operations, thus safeguarding our overall business, security and continuity interests”.
Audit and Oversight Process
Key aspects of the audit process include:
- Evaluate the adequacy and effectiveness of the vendors’ internal control systems
- Identify security lapses and/or Client contractual non-compliance
- Evaluate the procedures used by Vendor management to monitor key controls applicable to the project and the related vendor operations
- Provide a work product that can be relied upon for Company’s internal compliance objectives
- Schedule and conduct audits in line with Company’s Annual Audit Plan, as directed by the Internal Audit charter

Audit and Oversight Process… continued
Audit scope/concerns include:
- IT General Controls
- Business Continuity Planning (BCP) and related activities
- Additional security-related controls as deemed necessary based on risks

Audit and Oversight Process… continued
- All offshore facilities of Vendor are subject to semi-annual visits by an Internal Audit resource and annual visits by the Mgmt team
- IA reports are presented to the VP of Internal Audit, the Audit Committee and the Board of Directors
- Findings are reported to InfoSec and/or Vendor Relations to begin the remediation process with Vendor
Conclusions
- Heightened visibility and profile of vendor management
- You either do it, and do it right, or your clients will do it for you (hint: you don’t want this)
- You must show due care and a level of reasonable risk assessment
- You are always liable

Privacy & Security Controls in Vendor Management
Thank You! Questions?
Al Raymond, PHH Mortgage
856.917.5499
Albert.Raymond@PHHMortgage.com
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 

Privacy & Security Controls In Vendor Management Al Raymond

  • 14. The Prerequisites……….not kidding now
    Contract Provisions (examples)
    - Dictate how vendors and suppliers are securing information and protecting customer privacy
    - Language should be included to enforce compliance in all contracts: “Upon reasonable notice, we may perform audits and security tests of vendor’s environment that may include, but are not limited to, interviews of relevant personnel, review of documentation, or technical inspection of systems, as they relate to the receipt, maintenance, use, retention, and authorized destruction of vendor Confidential Information”
    - Steer clear of vendors that do not have secure practices
    - US court of law in case of disputes
  • 15. Governance Approach – Define ‘risk’
    Prioritizing On-Site Reviews – Determine who must be seen
    - High Risk Providers: Service provided is either business critical, deals with sensitive PII/NPI/PHI data, or both. On-site reviews should be conducted every 24 months at least, ideally annually. Reviews should focus on significant changes in security stance and risk management, and on following up on any issues. Regular review of monitoring and oversight by management and end user groups.
    - Medium Risk Providers: Service provided may be critical, but not as time sensitive. May involve some level of PII/NPI/PHI data. On-site reviews should be conducted at least every 36 months. Discussions with company management, limited scope visits, reviews of significant security and service issues.
    - Low Risk Providers: Service provided is not critical or time sensitive. Does not involve any PII/NPI/PHI data. Infrequent on-site reviews. Governance strategy may call for an initial on-site visit or limited scope examination. Periodic (generally at least every 24 months) off-site or informal reviews to confirm the risk ratings and obtain any information for security / service review documents.
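The three-tier model on slide 15, as an added Python example (not the presenter's or PHH's code): it assigns a tier to each vendor record and works out when the next review falls due, listing overdue vendors first. The review intervals are the ones stated on the slide; the tiering rule (criticality and data exposure rated separately, higher rating wins), the `Vendor` field layout and the sample inventory are assumptions.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Tier ordering, used when criticality and data exposure disagree.
TIER_RANK = {"Low": 0, "Medium": 1, "High": 2}

# Longest acceptable gap between reviews, in months, as stated on the slide:
# High at least every 24 months (ideally annually), Medium every 36 months,
# Low an off-site/informal review generally at least every 24 months.
REVIEW_INTERVAL_MONTHS = {"High": 24, "Medium": 36, "Low": 24}
REVIEW_KIND = {"High": "on-site", "Medium": "on-site", "Low": "off-site/informal"}


@dataclass
class Vendor:
    """One row of a vendor inventory (field layout is an assumption)."""
    name: str
    business_critical: bool
    time_sensitive: bool
    data_exposure: str           # "sensitive", "limited" or "none" (PII/NPI/PHI)
    last_review: Optional[date]  # None = never reviewed


def tier_for(v: Vendor) -> str:
    """Assign a risk tier.

    Assumption: criticality and data exposure are rated separately and the
    higher rating wins, so a non-critical vendor that handles PII/NPI/PHI is
    still High, as the slide requires.
    """
    if v.business_critical and v.time_sensitive:
        by_service = "High"
    elif v.business_critical:
        by_service = "Medium"    # critical but not as time sensitive
    else:
        by_service = "Low"
    by_data = {"sensitive": "High", "limited": "Medium", "none": "Low"}[v.data_exposure]
    return max(by_service, by_data, key=TIER_RANK.__getitem__)


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping to the last day of the target month."""
    index = d.month - 1 + months
    year, month = d.year + index // 12, index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def review_due(v: Vendor, today: date) -> date:
    """A vendor that has never been reviewed is due its initial visit now."""
    if v.last_review is None:
        return today
    return add_months(v.last_review, REVIEW_INTERVAL_MONTHS[tier_for(v)])


def review_plan(vendors: List[Vendor], today: date) -> List[dict]:
    """Tier every vendor; overdue reviews first, highest tier first, earliest due first."""
    rows = []
    for v in vendors:
        tier = tier_for(v)
        due = review_due(v, today)
        rows.append({"vendor": v.name, "tier": tier, "review": REVIEW_KIND[tier],
                     "due": due, "overdue": due <= today})
    return sorted(rows, key=lambda r: (not r["overdue"], -TIER_RANK[r["tier"]], r["due"]))


# Constructed sample inventory (not real vendors) and a fixed "today" for the run.
SAMPLE_VENDORS = [
    Vendor("Offshore call center", True, True, "sensitive", date(2022, 3, 15)),
    Vendor("Payroll processor", True, False, "limited", date(2022, 9, 1)),
    Vendor("Office supplies", False, False, "none", date(2023, 1, 10)),
    Vendor("New data-entry vendor", False, False, "sensitive", None),
]
TODAY = date(2024, 6, 1)

if __name__ == "__main__":
    for row in review_plan(SAMPLE_VENDORS, TODAY):
        flag = "OVERDUE" if row["overdue"] else "ok"
        print(f'{row["vendor"]:<24} {row["tier"]:<7} {row["review"]:<18} due {row["due"]} {flag}')
```

On the sample inventory the call center (High, last seen March 2022) and the never-reviewed data-entry vendor come out overdue; the payroll processor is Medium and not due until September 2025. The month arithmetic clamps to month end so a review dated 31 January does not roll into March.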
  • 16. Governance Approach………...continued
    - Annual due diligence questionnaire submitted to Vendor
    - Review of existing company security stance, security program, controls
    - Evaluate new and/or proposed changes to infrastructure, any new facilities, any new procedures, etc. that may be relevant
    - Evaluate financials
    - Review independent controls assessments
  • 17. On the Ground…….In Country
    Additional information to uncover prior to production:
    - Review any use of third parties/partners that are used to support the outsourced operation
    - Consideration of additional systems, data conversions, or connections
    - Evaluate ability to respond to service disruptions
    - If the nature of the data is PII/NPI/PHI, then a site visit to review the physical security of both their data center and call center should be strongly considered
  • 18. Information Security & Physical Controls
    The conundrum: Onshore vs. Nearshore vs. Offshore
    - Are all controls the same everywhere?
    - Risk based? Or just perception of risk?
  • 20. Information Security & Physical Controls
    Back to reality: What controls are put in place and ultimately validated by inspection, observation and corroborative inquiry?
  • 21. Information Security & Physical Controls – continued…
    Physical and Environmental
    - Physically separated VLAN – separate switch, router and firewall (ideally)
    - Vendor employees to handle sensitive information in a secure production area only
    - Geographically diverse facilities to ensure recovery in case of disaster
    - No physical storage of data locally
    - Thin client configuration (Citrix) to access company network and resources – all controlled / monitored by company
  • 22. Information Security & Physical Controls – continued…
    Secured Connectivity
    - Data connectivity through MPLS nodes to ensure business continuity
    - Secondary B2B VPN connectivity for high availability
  • 23. Information Security & Physical Controls – continued…
    Vendor environment
    - Enterprise anti-virus / personal firewall deployed
    - No USB access, CD-RW, floppy drives or similar devices allowed on workstations
    - Access to facility limited to authorized personnel, on-site security guards, and CCTV
  • 24. Information Security & Physical Controls – continued…
    System Access Control
    - Unique username and password, enforced access control at Active Directory
    - Role-based, profile-based access to system resources
  • 25. Information Security & Physical Controls – continued…
    Operational Management – why I’m loved worldwide
    - No printers or fax allowed in production area
    - No paper, pens or cell phones allowed in production area
    - Clipboard (cut and paste) feature disabled on both sides
    - Web e-mail access blocked
    - Limited Internet URL access – ‘white list’ defined by Company
    - Monthly reconciliation process of new, existing and terminated employee accounts
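The monthly account reconciliation on slide 25 (with the unique-username and role-based access controls of slide 24), as an added Python example that is not the presenter's or PHH's process: it compares the vendor's HR roster with the directory accounts issued to vendor staff on the Company side and reports terminated employees whose accounts are still enabled, enabled accounts that match no one on the roster, active employees with no account, duplicate usernames, and accounts holding groups beyond what their role allows. The roster rows, account records, role-to-group mapping and usernames are constructed sample data, not anything from the deck.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass
class Employee:
    """One row of the vendor's HR roster (constructed layout)."""
    employee_id: str
    username: str
    role: str
    start: date
    end: Optional[date]   # None = still employed


@dataclass
class Account:
    """One directory account issued to vendor staff on the Company side."""
    username: str
    enabled: bool
    groups: Set[str]      # access groups actually granted


# Groups each vendor role is entitled to (constructed; in practice this comes
# from the role/profile access model behind the Active Directory groups).
ROLE_GROUPS = {
    "loan_processor": {"VDI-Users", "LOS-Processor"},
    "team_lead": {"VDI-Users", "LOS-Processor", "LOS-Approver"},
}


def is_active(e: Employee, as_of: date) -> bool:
    """Employed on the reconciliation date: started, and not yet ended."""
    return e.start <= as_of and (e.end is None or e.end > as_of)


def reconcile(roster: List[Employee], accounts: List[Account], as_of: date) -> Dict[str, list]:
    """Compare roster and accounts; every non-empty list in the result is a finding."""
    findings: Dict[str, list] = {
        "duplicate_username": [],        # roster violates the unique-username rule
        "terminated_still_enabled": [],  # leaver whose account was not disabled
        "missing_account": [],           # active employee with no account (provisioning gap)
        "excess_groups": [],             # account holds groups beyond its role
        "unknown_account": [],           # enabled account with no roster entry
    }
    by_user: Dict[str, Employee] = {}
    for e in roster:
        if e.username in by_user:
            findings["duplicate_username"].append(e.username)
            continue
        by_user[e.username] = e
    acct_by_user = {a.username: a for a in accounts}

    for username, e in by_user.items():
        a = acct_by_user.get(username)
        active = is_active(e, as_of)
        if active and a is None:
            findings["missing_account"].append(username)
        elif not active and a is not None and a.enabled:
            findings["terminated_still_enabled"].append(username)
        elif active and a is not None:
            extra = a.groups - ROLE_GROUPS.get(e.role, set())
            if extra:
                findings["excess_groups"].append((username, sorted(extra)))

    for username, a in acct_by_user.items():
        if username not in by_user and a.enabled:
            findings["unknown_account"].append(username)
    return findings


def has_findings(findings: Dict[str, list]) -> bool:
    """True when anything needs remediation with the vendor."""
    return any(findings.values())


# Constructed sample data for one monthly run (not real people or accounts).
ROSTER = [
    Employee("E001", "asharma", "loan_processor", date(2023, 1, 9), None),
    Employee("E002", "rkumar", "loan_processor", date(2022, 6, 1), date(2024, 5, 10)),
    Employee("E003", "pmehta", "team_lead", date(2021, 3, 1), None),
    Employee("E004", "jdoe", "loan_processor", date(2024, 5, 20), None),
]
ACCOUNTS = [
    Account("asharma", True, {"VDI-Users", "LOS-Processor", "LOS-Approver"}),
    Account("rkumar", True, {"VDI-Users", "LOS-Processor"}),
    Account("pmehta", True, {"VDI-Users", "LOS-Processor", "LOS-Approver"}),
    Account("svc_legacy", True, {"VDI-Users"}),
]
AS_OF = date(2024, 5, 31)

if __name__ == "__main__":
    for kind, items in reconcile(ROSTER, ACCOUNTS, AS_OF).items():
        print(f"{kind}: {items}")
```

In the sample run the leaver `rkumar` still has an enabled account, `svc_legacy` matches nobody on the roster, the new hire `jdoe` has no account yet, and `asharma` holds an approver group that a loan processor should not have. The roster and account list are the two inputs a vendor relations team would request each month; the findings feed the remediation loop with the vendor.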
  • 26. Information Security & Physical Controls – continued…
    Personnel Security
    - Hiring protocols: criminal background check, signed NDA, signed acceptable usage policy, Company awareness training
    - Access card
    - Lockers for employee use outside of production area – no personal items on production floor
    - Drug tests administered for all employees traveling to Company (e.g. training)
  • 27.
  • 28. Additional Risk Management
    Country Risk – quantify risk by assessing foreign political and economic conditions. Risk management procedures should evaluate contingency, service continuity, and exit strategies in the event of unexpected disruptions in service.
    Monitor and analyze the following specific risks:
    - Economic Environment
    - Political & Overall Legal Environment
    - Privacy & security laws (if any)
    - Cultural Environment
    - Developments in new geographic locations of vendor
  • 29. The Audit and Oversight Process The ultimate objective is to: “provide reasonable assurance to the Audit Committee and Management that appropriate control procedures are in place relative to the scope of outsourced services and operations, thus safeguarding our overall business, security and continuity interests”.
  • 30. Audit and Oversight Process
    Key aspects of the audit process include:
    - Evaluate the adequacy and effectiveness of the vendors’ internal control systems
    - Identify security lapses and/or Client contractual non-compliance
    - Evaluate the procedures used by Vendor management to monitor key controls applicable to the project and the related vendor operations
  • 31. Audit and Oversight Process…..continued
    - Provide a work product that can be relied upon for Company’s internal compliance objectives
    - Schedule and conduct audits in line with Company’s Annual Audit Plan as directed by the Internal Audit charter
  • 32. Audit and Oversight Process…..continued
    Audit scope/concerns include:
    - IT General Controls
    - Business Continuity Planning (BCP) and related activities
    - Additional security-related controls as deemed necessary based on risks
  • 33. Audit and Oversight Process…..continued
    - All offshore facilities of Vendor are subject to semi-annual visits by Internal Audit resource / annual Mgmt team
    - IA Reports are presented to VP of Internal Audit, Audit Committee and Board of Directors
    - Findings are reported to InfoSec and/or Vendor Relations to begin remediation process with Vendor
  • 34.
  • 35. Conclusions
    - Heightened visibility and profile of vendor management
    - You either do it, and do it right, or your clients will do it for you (hint: you don’t want this)
    - You must show due care and a level of reasonable risk assessment
    - You are always liable
  • 36. Privacy & Security Controls in Vendor Management Thank You! Questions? Al Raymond PHH Mortgage 856.917.5499 Albert.Raymond@PHHMortgage.com