Top 10 Tips for Effectively Assessing Third-Party Vendors (PowerPoint presentation)
Presented by Tom Garrubba, CISA, CRISC, CIPP/IT, Senior Privacy Manager, Information Governance & Privacy - Legal, CVS Caremark
Uploaded by liane-varnes on 2019-11-23 (343 views)



Presentation Transcript

Slide 1: Top 10 Tips for Effectively Assessing Third-Party Vendors
Tom Garrubba, CISA, CRISC, CIPP/IT
Senior Privacy Manager, Information Governance & Privacy - Legal | CVS Caremark
Office 412.967.8196 | Cell 724.689.6386
620 Epsilon Drive, Pittsburgh PA 15238
thomas.garrubba@cvscaremark.com

Slide 2: Top 10 Tips (agenda; the deck builds this list up one item at a time on slides 2, 4, 6, 8, 10, 14, 16, 18, 20, 22 and 25)
1. One size doesn't fit all ... and it isn't free
2. Determine what data is in-scope for assessment
3. Accurately & thoroughly describe how the data will flow
4. Triage risk - High, Medium, & Low
5. Start with an assessment & data collection instrument
6. Trust but verify - Collect evidence
7. Accept or remediate non-compliant findings
8. Identify & assess critical, downstream vendors/subcontractors
9. Determine if/when an on-site review is indicated
10. Determine when a reassessment should be performed
... and 11. Retain all assessment data, decisions, & records

Slide 3: 1. One size doesn't fit all ... and it isn't free!
The role players:
- Regulators & standard setters
- Customers
- The corporation and the business units
- The vendor
- Subcontractors / downstream vendors
Who does the real work? Employees, a third party, a mix, other ...
Program initiation and alignment; formula for implementation:
- Centralized
- Decentralized
- Who pays for it?


Slide 5: 2. Determine what data is in-scope for assessment
Who?
- Regulators (FTC, Federal Reserve, HHS, FDIC, etc.)
- Industry (PCI)
- Customers
- Your own criteria
What information?
- Customer information
- Employee information
Why?
- You are compelled to perform due diligence by law, regulation, or standard.
- Your customers demand it, since you are putting their information at risk by giving it to another company.


Slide 7: 3. Accurately & thoroughly describe how the data flows
Precisely and completely, describe:
- Services the vendor will provide
- Customer, employee, and company data and information the vendor will collect and/or have access to
- What the vendor will do with this data and information
- Where this data and information will be processed and stored
- How the data will get to the vendor
- Any subcontractors to be used


Slide 9: 4. Triage risk - High, Medium, & Low
Why? Focus limited resources; reduce the vendor's effort.
How? A short questionnaire, 10+ questions.
Who? Business owner and vendor.
Other benefits: shapes, and can shorten, the longer assessment.


Slide 11: 5. Start with an assessment and data collection instrument
- Assessment: a due diligence activity to gain a level of comfort with the vendor's overall security, privacy, and data protection posture.
- Send a questionnaire to the vendor and have it returned for analysis.
- Use an existing questionnaire such as the Shared Assessments SIG ("Standard Information Gathering"): an industry-standard questionnaire developed by members of the Shared Assessments program (www.sharedassessments.org). It covers all domains of ISO 27002 as well as HIPAA-HITRUST, PCI DSS, CoBIT, NIST, GLBA, Privacy & Cloud, and BYOD.
- Or develop and send your own questionnaire.
- Have qualified people assess the responses: CISA, CRISC, CISSP, CIPP/US/G/C/IT, ...

Slide 12: 5. Start with an assessment and data collection instrument (continued)
VAP Phase 1: Pre-Assessment
- Obtain all information regarding the scope of work.
- Find out what data will be "CSTUPID'ed": Collected, Stored, Transmitted, Used, Processed, Interfaced, Destroyed.
- Converse with the assigned BU and/or vendor contacts to fully understand the what, where, and how.
- If applicable, determine whether the assessment will be handled by an internal or external assessor.
- Send the vendor the questionnaire to be completed.

Slide 13: 5. Start with an assessment and data collection instrument (continued)


Slide 15: 6. Trust but verify - Collect evidence!
VAP Phase 2: Assessment
- Hold a meeting with the BU and vendor to discuss contacts, deliverables, and timelines.
- Request and review pertinent documentation from:
  - The BU: contracts, SOWs, NDAs, BAAs
  - The vendor: SSAE-16 Type II documents; ISO 27001/2 certification; CMM level; NAID; ...
- Review the returned questionnaire responses.
- Note "contingent items" (non-compliant items, findings, etc.).
- Update BU and Vendor Management.
- Track contingent items.
- Compose the assessment report.
- File BU/vendor documents.
- Track all contingent items through remediation.


Slide 17: 7. Accept or remediate non-compliant items
VAP Phase 3: Assessment Contingent Items (aka issues, findings, observations, etc.)
- You can accept the risk associated with a particular item, or ...
- You can require remediation of the item:
  - Require remediation by the vendor or business unit
  - Risk-rate and prioritize accordingly
  - Actively monitor until they are closed
  - Escalate to appropriate levels of management if timelines are not met
  - Adjust the timelines if the vendor cannot reasonably meet the target dates
Contingent items come in three types:
- Contractual: contracts, SOWs, NDAs, BAAs; DPSRs, DSAs; Med-D waivers; IRB waivers. These are usually incomplete or out of date.
- HR-related: drug testing; background checks; credit checks.
- Technical/Operations: typical IT/operations-related issues, findings, and observations.


Slide 19: 8. Identify and assess critical, downstream vendors and subcontractors
Downstream vendors/subcontractors:
- If you have a contract with them: see if you've already assessed them; if not, assess them! Request the same documentation as if they were a primary vendor.
- If you don't have a contract with them: work with the primary vendor to obtain documentation. Have the primary vendor set up a call to see what the DSV/subcontractor is willing to provide.
- Use the same assessor if possible (they know the scope of work)!


Slide 21: 9. Identify and assess critical, downstream vendors, and subcontractors
- Have the primary vendor identify its vendors that:
  - Will process, have access (or potential access) to, transport, store, ... protected data
  - Are in another country
- Determine how the vendor assesses, contracts with, and monitors these vendors.
- You might have to do some work here: a conference-call interview, other Q&A, ...
- Determine whether your staff or external assessors will be needed!


Slide 23: 10. Determine when a reassessment should be performed
VAP Phase 4: Re-assessment
Start planning by determining "what criteria?":
- Based on the type of data (PCI, PHI, etc.)? Suggestions include:
  - PCI = annual
  - PHI = annual
  - PII = annual (?)
  - Company confidential (i.e., strategic) = ???
- Based on geographic location?
  - Onshore
  - Offshore
  - Offshore but with safe harbor agreements
- Based on a scoring system?
  - Risk rating ("scholastic score")
  - SIG
  - Other GRC tool
  - In-house tool
- A combination of the above?

Slide 24: Top 10 Tips


Slide 26: 11. Retain all assessment data, decisions, and records
Why? You are going to need them later!
- Regulatory, internal, or other audit
- Something goes wrong (e.g., a negative assessment)
- Reassessment
How? A GRC system, SharePoint, or some other centralized system. Back it up (Murphy's Law!).

Slide 27: And if you call right now ...

Slide 28: BONUS #1: Manage your external assessors
- They are an extension of your VAP team and should be treated as such.
- Discuss their progress at least weekly.
- Ensure they pull you in when the assessment begins to "look bad": no surprises!
- Participate in closing meetings for key/offshore vendors.
- Make sure vendors will accept their NDAs. Be prepared for the legal departments to red-line the document!
- Be prepared to adjust start/end dates.

Slide 29: BONUS #2: Use operational metrics
VRB status monitoring:
- Assessments assigned to assessors
- Internal/external assessments open
- Pre-assessment review
Stage-gate monitoring:
- Assessor kickoff
- How long it takes to get the questionnaire back
- How long it takes to resolve AUP items (questions, documentation)
- Assessments in management review
- Contingencies due in the past 30/60/90/>120 days
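The tracking loop of tip 7 (risk-rate each contingent item, monitor it until closed, escalate when the timeline is missed) and the "contingencies due in the past 30/60/90/>120 days" metric from Bonus #2, as an added Python example that is not part of the deck; the vendor names, item fields and dates are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date

@dataclass
class ContingentItem:
    """One finding from the assessment (slide 17): risk-rated, with a remediation target date."""
    vendor: str
    ci_type: str        # "Contractual", "HR", or "Technical/Operations"
    risk: str           # "High", "Medium", or "Low"
    due: date           # agreed remediation target date
    closed: bool = False

RISK_ORDER = {"High": 0, "Medium": 1, "Low": 2}

def aging_bucket(days_overdue):
    """Map days past the target date onto the 30/60/90/120/>120 buckets from slide 29."""
    if days_overdue <= 0:
        return "not yet due"
    for limit in (30, 60, 90, 120):
        if days_overdue <= limit:
            return str(limit)
    return ">120"

def contingency_report(items, today):
    """Open CIs only, High before Low and oldest first; a missed timeline sets escalate=True."""
    rows = []
    for ci in items:
        if ci.closed:
            continue                    # closed items drop off the tracker
        overdue = (today - ci.due).days
        rows.append({
            "vendor": ci.vendor, "type": ci.ci_type, "risk": ci.risk,
            "days_overdue": max(overdue, 0),
            "bucket": aging_bucket(overdue),
            "escalate": overdue > 0,    # timeline not met: escalate to management
        })
    rows.sort(key=lambda r: (RISK_ORDER[r["risk"]], -r["days_overdue"]))
    return rows

def bucket_counts(rows):
    """The 'contingencies due in the past 30/60/90/>120 days' metric."""
    return dict(Counter(r["bucket"] for r in rows))

SAMPLE = [  # constructed sample data (not from the deck), reported as of AS_OF
    ContingentItem("Acme Claims", "Contractual", "High", date(2019, 9, 1)),
    ContingentItem("Acme Claims", "Technical/Operations", "Medium", date(2019, 11, 10)),
    ContingentItem("Beta Print", "HR", "Low", date(2019, 12, 15)),
    ContingentItem("Beta Print", "Technical/Operations", "High", date(2019, 8, 1), closed=True),
]
AS_OF = date(2019, 11, 23)
```

Calling `contingency_report(SAMPLE, AS_OF)` yields the open items in escalation order, and `bucket_counts` on that result gives the per-bucket totals for the weekly metrics review.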

Slide 30: Top 10 Tips