OneTrust: Securing the Supply Chain: What Does Compliance Look Like?
•Als PPTX, PDF herunterladen•
1 gefällt mir•106 views
This document discusses supply chain compliance and risk management. It begins with an overview of the large scale of third-party partnerships companies have and how this expands their risk exposure. It then discusses how third parties are often involved in data breaches and how visibility and management of third-party risk is important. The rest of the document outlines new regulations like the German Supply Chain Due Diligence Act, strategies for addressing cyber supply chain risk, and how to future-proof third-party risk programs. It concludes with information about OneTrust's compliance platform.
Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Ähnlich wie OneTrust: Securing the Supply Chain: What Does Compliance Look Like?
Ähnlich wie OneTrust: Securing the Supply Chain: What Does Compliance Look Like? (20)
Mehr von Executive Leaders Network
Mehr von Executive Leaders Network (20)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
OneTrust: Securing the Supply Chain: What Does Compliance Look Like?
- 1. What does Compliance look like? Securing the Supply Chain May 2022
- 2. Joseph Byrne BEng (Hons) Mech Eng Principal Solutions Engineer
- 3. 5 | Copyright © 2022 OneTrust LLC Proprietary/Internal 01 02 03 Agenda What’s going on down there? The Evolution of Risk On the Supply Chain Horizon
- 4. 6 | Copyright © 2022 OneTrust LLC Proprietary/Internal 6 | Copyright © 2022 OneTrust LLC The Supply Chain Slippery Slope What’s going on down there?
- 5. 7 | Copyright © 2022 OneTrust LLC Proprietary/Internal 22% of all companies work with more than 250 third parties Scale of Third-Party Partners Source: 2022, CyberRisk Alliance + OneTrust study of 301 IT professionals 56 82 59 28 31 20 13 22 25 26 10 3 9 22 13 7 1 7 18 3 4 2 6 13 3 2 1 1 15 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% TOTAL Small Medium Large Enterprise More than 250 101-250 50-100 26-50 11-25 1-10
- 6. 8 | Copyright © 2022 OneTrust LLC Proprietary/Internal Third Parties and Data Breaches are often Intertwined of organisations say it was the result of giving too much privileged access to third parties of organisations have experienced a breach within the last 12 months 2021, Ponemon Institute Survey of 627 individuals with involvement in their organization’s approach to managing third-party risks 44% 74%
- 7. 9 | Copyright © 2022 OneTrust LLC Proprietary/Internal Third-Party Visibility Third-Party Risk
- 8. 10 | Copyright © 2022 OneTrust LLC Proprietary/Internal Third-Party Impact on Cybersecurity Risk Trust Third-Party Major Supply Chain Attacks Take advantage of the inherent trust in third-party relationships Business
- 9. 11 | Copyright © 2022 OneTrust LLC Proprietary/Internal 11 | Copyright © 2022 OneTrust LLC The Evolution of Risk
- 10. 12 | Copyright © 2022 OneTrust LLC Proprietary/Internal Risk Definitions Competitive Operational Reputational Financial Security & Fraud Compliance Economic Likelihood that macroeconomic conditions may affect an investment or a company’s prospects domestically or abroad. is an organisation's potential exposure to legal penalties, financial forfeiture and material loss, resulting from its failure to act in accordance with industry laws and regulations, internal policies or prescribed best practices. impact trust and reputation, but a company is also financially liable for any data breaches or identity theft, loss of intellectual property. May involve credit extended to customers or your own company's debt load. Risk that an unhappy customer, product failure, negative press or lawsuit can adversely impact a company's brand reputation. business risk can happen internally, externally or involve a combination of factors that causes you to lose business continuity. Businesses so comfortable with their success and the status quo that they don't look for ways to pivot or make continual improvements.
- 11. 13 | Copyright © 2022 OneTrust LLC Proprietary/Internal Evolution of Risk We are here https://www.123rf.com/photo_23239449_illustration- of-human-evolution-and-mobile-computing.html SH created
- 12. 14 | Copyright © 2022 OneTrust LLC Proprietary/Internal 14 | Copyright © 2022 OneTrust LLC On the Supply Chain Horizon
- 13. 15 | Copyright © 2022 OneTrust LLC Proprietary/Internal What is the German Supply Chain Due Diligence Act? *Includes temporary agency workers on the rolls for more than six months; lowers to 1,000 employees in 2024 15 | Copyright © 2022 OneTrust LLC z Companies with any footprint in Germany and headcount of 3,000 employees* Establish risk management system Implement due diligence with regard to indirect suppliers (4th, Nth level)
- 14. 16 | Copyright © 2022 OneTrust LLC Proprietary/Internal What incentive do we have to work together? Security Ethics Privacy ESG Reduce Risk and Enable the Business
- 15. 17 | Copyright © 2022 OneTrust LLC Proprietary/Internal Critical assets, their location and who has privileged access Vendors on their security program and compliance practices Internal stakeholders on their roles and responsibilities A plan with vendors to coordinate incident response and recovery Vendors through re-assessments and compliance checks Identify Educate Evaluate Prepare Monitor Addressing Cyber Supply Chain Risk
- 16. 18 | Copyright © 2022 OneTrust LLC Proprietary/Internal Future-Proof your Third-Party Risk Program Identify Core Business Competencies, and Business Continuity Processes Commit to Grow Your Program and Awareness Build Broad Management Skillset Across Your GRC Team Collaborate Across Your Team and Your Third Parties Engage Leadership to Make Strategic Decisions Establish Maturity with Standardized Processes
- 17. 19 | Copyright © 2022 OneTrust LLC Proprietary/Internal 19 | Copyright © 2022 OneTrust LLC About OneTrust
- 18. 20 | Copyright © 2022 OneTrust LLC Proprietary/Internal Operationalising Privacy & Data Governance, GRC & Security Assurance, Ethics & Compliance, and ESG & Sustainability in One Platform 12,000 Clients Big & Small, All Industries & Regions, 75% of the Fortune 100 3,000 Employees 40% in Product R&D (200 Patents) Global Prescence: 8 Countries Trust Community 20,000 Members, 125 Chapters 5,000+ Certified Practitioners Pioneering Trust Trust is what we do and where we invest all our resources 20 | Copyright © 2022 OneTrust LLC
- 19. 21 | Copyright © 2022 OneTrust LLC Proprietary/Internal The Trust Management Cloud Data Discovery | Third-Party Exchange Network | Stakeholder Trust Center Real-Time Regulatory Intelligence | Insights & Benchmarking 21 | Copyright © 2022 OneTrust LLC Built for Privacy, Security, Data, Marketing, IT & Legal Teams Privacy & Data Governance Privacy Management Data Governance Consent & Preference Management Built for Infosec, Audit, Risk, Vendor & Compliance Teams GRC & Security Assurance Risk Management Security Assurance Audit & Compliance Management Built for Ethics, Compliance, HR & Legal Teams Ethics & Compliance Ethics Program Management Transparent Culture Management Built for Sustainability, Finance, Legal & Procurement Teams ESG & Sustainability Carbon Management ESG Program Management
- 20. 22 | Copyright © 2022 OneTrust LLC Proprietary/Internal The OneTrust Difference: Unique Technology & Ecosystem Data Discovery Data discovery, classification, detection & policy enforcement Regulatory Intelligence Embedded to automate policies, workflows, templates & more Third-Party Exchange Third-party exchange network to simplify vendor risk management Insights & Benchmarking Business intelligence engine, board KPIs & metrics, and industry benchmarking Trust Centre To demonstrate program value & centrally engage with stakeholders Trusted Architecture 200+ Awarded Patents 12 Global Data Centers BYOK Encryption
- 21. 23 | Copyright © 2022 OneTrust LLC Proprietary/Internal GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. The GARTNER PEER INSIGHTS Logo is a trademark and service mark of Gartner, Inc. and/or its affiliates and is used herein with permission. All rights reserved. The GARTNER PEER INSIGHTS CUSTOMERS’ CHOICE badge is a trademark and service mark of Gartner, Inc. and/or its affiliates and is used herein with permission. All rights reserved. Gartner Peer Insights Customers’ Choice constitute the subjective opinions of individual end-user reviews, ratings, and data applied against a documented methodology; they neither represent the views of, nor constitute an endorsement by, Gartner or its affiliates. For Peer Insights, as of September 2, 2020 OneTrust has an Overall Rating of 4.7 out of 5 in the IT Risk Management market based on 24 reviews within the past 12 months. Recognised Leader in All Trust Disciplines HIGHEST SCORES IN STRATEGY AND MARKET PRESENCE The Forrester WaveTM: Privacy Management Software, Q4 2021 ONETRUST NAMED A LEADER The Forrester WaveTM: Governance, Risk, and Compliance Q3 2021 ONLY VENDOR EARNING STRONG POSITIVE ACROSS ALL CATEGORIES KuppingerCole Privacy & Consent Management Leadership Compass, 2022 ONETRUST DEBUTS AS OVERALL LEADER KuppingerCole Data Catalogs & Metadata Management Leadership Compass, 2022 MOST WIDELY-USED CMP FOR 10 CONSECUTIVE QUARTERS Kevel Top CMPs Over Time Since Q3 2018 NAMED A LEADER FOR THE THIRD CONSECUTIVE YEAR 2021 Magic Quadrant™ For IT Vendor Risk Management Tools* Privacy Management Privacy & Consent Consent & Preferences GRC & Security Data Governance Third-Party Risk
- 22. 24 | Copyright © 2022 OneTrust LLC Proprietary/Internal 24 | Copyright © 2022 OneTrust LLC Questions? Visit us Online OneTrust.com @OneTrust Visit our Booth
- 23. 25 | Copyright © 2022 OneTrust LLC Proprietary/Internal
Hinweis der Redaktion
- Welcome to our session, Securing the Supply Chain: What Does Compliance Look Like? Today we're going to talk about just how deep and wide the supply chain has grown, why that's become a huge risk factor to your business, and how to make sure you AND your third-party risk management programs stay compliant. -- What's your company gone through in the last 2 years? Make engaging, add key takeaways at beginning and end for audience / resonate
- Joseph Byrne Principal Solutions Engineer Real Engineer CIPP/E CIPM, CIPT Rides motorcycles.
- Our agenda for today will go over three key areas: What's Going on Down There? -Just how far and wide has your supply chain expanded, and how much additional risk has come as a result The Evolution of Risk -How should we be defining risk and what does it mean to the cyber security of your business And finally, what's on the Supply Chain Horizon -We'll talk about the German Supply Chain Due Diligence Act, what do new regulations mean to the business as a whole, and where does security fit in.
- Setting the tone: Two years of pandemic-fueled digital innovation has lead to a farther-reaching supply chain. -22% of all companies contract with more than 250 third parties -The majority (55%) of all companies contract with more than 50 third parties According to the CyberRisk Alliance and OneTrust survey, 59% of businesses can't see their most critical third-party direct dependencies, and 74% can't see the full map of interdependencies across all tiers of the supply chain -- Add in Gartner stat about 5,000 as median
- Check in to see if there are more breaches / up to date
- It's simple: What companies can see is just not enough to understand what's beneath the surface. In this case it's the potential for you organization to be clipped in a number of ways – through cybersecurity, non-compliance, ethics issues, and brand reputation.
- -Implement contractual liability -Integrate information security and business processes -Prioritize building quality business relationships -Build strong vetting processes for evaluating new vendors
- What does risk look like across all third-party factors?
- We can survive, but how can we become the most evolved version of ourselves – it’s not because we don’t know how to do it… technology has been accelerating faster than any time in history but has also opened businesses up to a wider risk landscape. That means we need to evolve – and more quickly – than the risk factors we're likely to face. -- Computer guy evolution graphic Evolution depends on industry; big biz may be human size and suppliers may be at far left
- If organizations haven’t done so already, the Act requires all companies within the defined parameters to: Establish a risk management system; Identify and minimize human rights and environment-related risks; Name a position or person responsible for monitoring risk management; Conduct an annual risk analysis and communicate it internally; If an enterprise identifies a risk prior to the annual analysis, immediate preventative measures are required Issue a policy statement on its human rights strategy that is subsequently adopted by the enterprise A statement for the company’s own internal use as well as for its direct suppliers is required The policy’s effectiveness must be evaluated annually Implement due diligence with regard to risks at indirect suppliers Documentation and reporting with regard to fulfillment of due diligence obligations
- Supply chain due diligence and third-party risk management are dovetailing, and must include all segments within the business.
- What does this mean for the cybersecurity aspect of due diligence? Conduct and maintain business impact assessments (BIAs): This will allow your organization to understand the risk associated with a vendor in the event that it is compromised. Develop situational questionnaires: In the face of an unexpected crisis (health, natural disaster, geopolitical conflict), it’s important to understand exactly how your vendors are responding to prepare to any incidents that might stem from the crisis. This will provide visibility into what your vendors are anticipating, and give you an opportunity to understand their own continuity plan. Include resilience plans in vendor contracts: It's critical to your organization’s resiliency plan that each vendor contract includes a list of business resilience requirements that can be referenced if your vendor faces a crisis. Tier vendors and evaluate risk tolerance: Identify and tier your vendors by risk level, referencing your organization’s overall appetite and tolerance. This requires you to understand your internal capacities, external vulnerabilities, and encourages you to assess risk across domains, including IT and operational risk. Create an evergreen reporting resource: A key part in establishing a resilience strategy is moving reporting away from static and manual formats. Extract key terms from contracts, making them yes/no, and pull a report based on these answers to understand a vendor’s business resilience. This allows the creation of an evergreen resource to report on information like expiration dates, service requirements and other key resilience information, and is critical to streamlining the resiliency process and ensuring efficient incident management. -- Make graphic into a circle with key points**
- Knowledge sharing and two-way communications are necessary to future-proof third-party risk programs. Regulations will continue to evolve, and compliance for your business – and the businesses you collaborate with – will have changing parameters. How are you taking next steps to ensure proactive compliance rather than reactive protocols? -- Cut slides 15 and 16
- Pioneered the trust software platform, unifying and operationalising Privacy, Governance, Ethics and Environment. Portfolio of 12,000 clients across all verticals. 3,000 employee’s in the team, 40% of which work in research and development OneTrust community and ecosystem has twenty thousand members collaborating and driving the future of this market.
- This trust platform represents a unified cloud application across 4 key disciplines – Privacy & Data Gov Etc. All on top of a single application, a single view of data so you can share data and information across these activities and discipline, get insights from the combined data sets automate the workstreams and activities you need to do POINTS: We’ve heard from our customers that they don’t care to invest in different products. They want a true platform that can accommodate all of their needs across the organization. That’s why we build the way we do. OneTrust is investing in the first trust platform to enable organizations to establish trust as a key competitive differentiator. We think about trust across four main pillars – Privacy & Data Governance, including consent and preferences for Marketing Teams, GRC & Security Assurance, including third-party due diligence and risk management, Ethics & Compliance, to help establish a culture that’s enabled to speak-up, not out, and ESG & Sustainability, to help organizations become the leaders in saving our planet. All of these pillars are connected through powerful data and analytics, the largest team of researchers and regulators who help to establish guidelines based on the environments you operate within, and proactive data discovery to focus teams on the areas the are the absolute most important for the development of the organization. TRANSITION: - Today, we’re of course here to speak about [segment that the customer was initially interested in], and we recognize that building a brand of trust is a maturity journey.
- Hard problem to solve Takes many years to solve it We’re ahead of the game