Prioritizing Third-Party Risk Management (TPRM) in Today’s Marketplace
Hello!
I am David Ksiazek
Security Services Director at Alliance Technology Group
@davidksiazek
david.ksiazek@alliance-it.com
My Background
▪ System Administration
▪ SQL Development
▪ IT and Internal Audit, 2003-2010
▪ IT Security, 2008 – Present
▪ Worked on team that wrote FedRAMP HIGH Baseline
Why TPRM Now?
Collaboration; often data-driven collaboration.
Collaboration
▪ Collaboration and specialization are driving organizations to connect business processes, and therefore IT systems, more closely.
▪ Seeking:
  ▪ Expertise
  ▪ Economic Advantage
Wait… Risk? What Risk?
“…But I outsourced to transfer the risk… to make it someone else’s problem…”
Outsource Risk
▪ Organizations still bear risk even when outsourcing, and especially when integrating:
  ▪ Supply Chain
  ▪ Financial Risk
  ▪ Reputational Risk
  ▪ Service Delivery Risk
  ▪ Regulatory Risk
  ▪ Information Security Risk
Who should be monitoring third parties?
Two Models for Third Party Risk Management (TPRM)
Decentralized
▪ Individual functions conduct specialized analysis
▪ Relies on internal information collection, sharing, and coordination
▪ No centralized vendor servicing; a vendor contact may have 2-5 organizational contacts to work with individually
▪ Does not require dedicated organizational headcount
▪ Often performed with Excel, Word, and e-mail
▪ Timelines and risk treatment can be uneven, as the resources performing the analysis have day jobs in addition
Two Models for Third Party Risk Management (TPRM)
Centralized
▪ Often aligned under procurement or IT
▪ Coordinates Standards internally among various functions
▪ Acts as a central point of collection, reporting and servicing
▪ Can still utilize individual organizational functions for risk analysis
▪ Often requires dedicated organizational headcount
▪ Requires some system or IT infrastructure
▪ Timelines are more uniform
▪ Risk Treatment is approved and often uniform across all analysis
Third Model for Third Party Risk Management (TPRM)
Hybrid
The hybrid model uses silos of centralization:
▪ IT collects system data
▪ Purchasing collects contract or SLA data
▪ Finance collects financial data
And they all agree to pretend that they will talk to each other frequently and openly.
(OK, sometimes I lie a bit…)
How do they do it?
A Current Market Overview
▪ On-Site Visits: 69.5%
▪ In-house Internal Audits: 62.7%
▪ Control Self-Assessments: 39.8%
▪ Remote Assessment w/ Direct Access: 22.9%
▪ Desktop Audits: 22%
Note: The current mix of internal controls to detailed transaction testing is estimated at 80/20.
View TPRM as a Lifecycle
TPRM is a Lifecycle: Selection → Onboarding → Management → Renewal → Termination
The Lifecycle in Depth
SELECTION
Choosing what vendors to assess from the universe of vendors
▪ Most come from business unit requests for a specific vendor
ONBOARDING
▪ Assess
▪ Rank
▪ Execute Contract
MANAGEMENT
▪ Monitor Compliance
▪ Update Documentation and Certifications
  ✓ SOC Reports
  ✓ Audit Reports
  ✓ Licenses or Certifications
RENEWAL
▪ Use information collected over the previous period of performance in the contract renewal process
▪ Reassess vendor risk prior to this effort
TERMINATION
▪ Process of orderly separation
▪ Knowledge Transfer
▪ Return or destruction of information
[Program framework diagram: Third Party Risk Management, built on Policies, Procedures, a Supplier Inventory and a Risk Management Framework, running the lifecycle (Selection, Onboarding, Management, Renewal, Termination) and supported by Vendor Ranking and Vendor Tier.]
Vendor Interaction Tips
▪ Interact with Vendors early and often
▪ Vendors should have an idea of the overall process
▪ Introduce Vendors into the RMF process and discuss the process, the framework and what happens when controls are not in place (sanctions)
  o Much of this should be spelled out in a contract
▪ All communications should be in context to the overall process
Vendor Categorization Tier Model
Tier 1: Strategic Partners – integrated business practices and mutual product/service feedback
Tier 2: Material Vendors – Vendor product or service is commodity but is often unique to Vendor and is significant to Organizational Goals and Success. Material Vendors often
Tier 3: Vendor – Commodity product or service potentially available from multiple vendors
Tier 4: Low Priority
Assessment Scope and Frequency
Categorization should drive the level of standards compliance required.
More important/strategic relationships should mean more risk management and compliance effort.
Mature the Effort
Standards
Use a common or at least coordinated set of TPRM standards across all business units.
Organizations are encouraged to assess against both industry-specific standards such as HIPAA (healthcare) and PCI (Retail) and general standards such as ISO 27001, NIST SP 800-53, or COBIT.
In addition to functional standards for processes and technologies, consider monitoring for governance risks such as Financial, Reputational, Regulatory, Code of Conduct, and Ethics.
Standards requirements are best adopted and required at the highest levels of an organization.
Tools
Roughly one-third of organizations use an existing ERP system module to manage TPRM.
The remaining two-thirds use either a general or third-party-specific risk management package, or multiple systems and manual processes.
Small organizations can use Word, Excel, and e-mail, but…
THIS DOES NOT SCALE
Better to use these tools for initial efforts or for mocking up the process and content, not production.
Contracting
Include the following in the contracting:
▪ Risk Management requirements and provisions
▪ Service Level Monitoring
Use Incident Reporting to record instances when Service Level Agreement Terms and Conditions are not met.
Reporting
Start with the end in mind by looking at the information the business needs to operate effectively, and work backwards towards compiling and implementing the collection of that data.
Monitoring
Aside from internal RMF compliance:
▪ News – LexisNexis support is invaluable
▪ Tier 1 – Who are their suppliers? Monitor them as well
▪ Breach Incidents
▪ Regulatory Actions (OFAC, SEC, FTC, FCPA)
Thanks!
Any questions?
@davidksiazek
david.ksiazek@alliance-it.com

Weitere ähnliche Inhalte

Was ist angesagt?

Business impact analysis and Cost-benefit Analysis. Risk Assesment
Business impact analysis and Cost-benefit Analysis. Risk AssesmentBusiness impact analysis and Cost-benefit Analysis. Risk Assesment
Business impact analysis and Cost-benefit Analysis. Risk Assesmenterfan7486
 
Compliance framework
Compliance frameworkCompliance framework
Compliance frameworkManoj Agarwal
 
Governance risk and compliance
Governance risk and complianceGovernance risk and compliance
Governance risk and complianceMagdalena Matell
 
Cybersecurity Incident Management Powerpoint Presentation Slides
Cybersecurity Incident Management Powerpoint Presentation SlidesCybersecurity Incident Management Powerpoint Presentation Slides
Cybersecurity Incident Management Powerpoint Presentation SlidesSlideTeam
 
The Board and Cyber Security
The Board and Cyber SecurityThe Board and Cyber Security
The Board and Cyber SecurityFireEye, Inc.
 
Business Continuity - Business Risk & Management
Business Continuity - Business Risk & ManagementBusiness Continuity - Business Risk & Management
Business Continuity - Business Risk & ManagementAndrew Styles
 
A to Z of Information Security Management
A to Z of Information Security ManagementA to Z of Information Security Management
A to Z of Information Security ManagementMark Conway
 
BIA - Example of Business Impact Analysis and Dependencies
BIA - Example of Business Impact Analysis and DependenciesBIA - Example of Business Impact Analysis and Dependencies
BIA - Example of Business Impact Analysis and DependenciesRamiro Cid
 
Cyber Security Threats in the Financial Sector
Cyber Security Threats in the Financial SectorCyber Security Threats in the Financial Sector
Cyber Security Threats in the Financial SectorFarook Al-Jibouri
 
Chapter 11: Information Security Incident Management
Chapter 11: Information Security Incident ManagementChapter 11: Information Security Incident Management
Chapter 11: Information Security Incident ManagementNada G.Youssef
 
Compliance Management | Compliance Solutions
Compliance Management | Compliance SolutionsCompliance Management | Compliance Solutions
Compliance Management | Compliance SolutionsCorporater
 
business-continuity-management-awareness-presentation-for-mampu2929
business-continuity-management-awareness-presentation-for-mampu2929business-continuity-management-awareness-presentation-for-mampu2929
business-continuity-management-awareness-presentation-for-mampu2929Andy Willams
 
Cyber Security IT GRC Management Model and Methodology.
Cyber Security IT GRC Management Model and Methodology.Cyber Security IT GRC Management Model and Methodology.
Cyber Security IT GRC Management Model and Methodology.360factors
 
Third-Party Oversight & Governance
Third-Party Oversight & GovernanceThird-Party Oversight & Governance
Third-Party Oversight & GovernanceEDR
 
What is GRC – Governance, Risk and Compliance
What is GRC – Governance, Risk and Compliance What is GRC – Governance, Risk and Compliance
What is GRC – Governance, Risk and Compliance BOC Group
 
Rothke secure360 building a security operations center (soc)
Rothke   secure360 building a security operations center (soc)Rothke   secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)Ben Rothke
 
Physical Security Assessment
Physical Security AssessmentPhysical Security Assessment
Physical Security AssessmentGary Bahadur
 

Was ist angesagt? (20)

Business impact analysis and Cost-benefit Analysis. Risk Assesment
Business impact analysis and Cost-benefit Analysis. Risk AssesmentBusiness impact analysis and Cost-benefit Analysis. Risk Assesment
Business impact analysis and Cost-benefit Analysis. Risk Assesment
 
GRC Fundamentals
GRC FundamentalsGRC Fundamentals
GRC Fundamentals
 
Compliance framework
Compliance frameworkCompliance framework
Compliance framework
 
Governance risk and compliance
Governance risk and complianceGovernance risk and compliance
Governance risk and compliance
 
Cybersecurity Incident Management Powerpoint Presentation Slides
Cybersecurity Incident Management Powerpoint Presentation SlidesCybersecurity Incident Management Powerpoint Presentation Slides
Cybersecurity Incident Management Powerpoint Presentation Slides
 
BCP Awareness
BCP Awareness BCP Awareness
BCP Awareness
 
The Board and Cyber Security
The Board and Cyber SecurityThe Board and Cyber Security
The Board and Cyber Security
 
Business Continuity - Business Risk & Management
Business Continuity - Business Risk & ManagementBusiness Continuity - Business Risk & Management
Business Continuity - Business Risk & Management
 
A to Z of Information Security Management
A to Z of Information Security ManagementA to Z of Information Security Management
A to Z of Information Security Management
 
BIA - Example of Business Impact Analysis and Dependencies
BIA - Example of Business Impact Analysis and DependenciesBIA - Example of Business Impact Analysis and Dependencies
BIA - Example of Business Impact Analysis and Dependencies
 
Cyber Security Threats in the Financial Sector
Cyber Security Threats in the Financial SectorCyber Security Threats in the Financial Sector
Cyber Security Threats in the Financial Sector
 
Physical Security Management System
Physical Security Management SystemPhysical Security Management System
Physical Security Management System
 
Chapter 11: Information Security Incident Management
Chapter 11: Information Security Incident ManagementChapter 11: Information Security Incident Management
Chapter 11: Information Security Incident Management
 
Compliance Management | Compliance Solutions
Compliance Management | Compliance SolutionsCompliance Management | Compliance Solutions
Compliance Management | Compliance Solutions
 
business-continuity-management-awareness-presentation-for-mampu2929
business-continuity-management-awareness-presentation-for-mampu2929business-continuity-management-awareness-presentation-for-mampu2929
business-continuity-management-awareness-presentation-for-mampu2929
 
Cyber Security IT GRC Management Model and Methodology.
Cyber Security IT GRC Management Model and Methodology.Cyber Security IT GRC Management Model and Methodology.
Cyber Security IT GRC Management Model and Methodology.
 
Third-Party Oversight & Governance
Third-Party Oversight & GovernanceThird-Party Oversight & Governance
Third-Party Oversight & Governance
 
What is GRC – Governance, Risk and Compliance
What is GRC – Governance, Risk and Compliance What is GRC – Governance, Risk and Compliance
What is GRC – Governance, Risk and Compliance
 
Rothke secure360 building a security operations center (soc)
Rothke   secure360 building a security operations center (soc)Rothke   secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)
 
Physical Security Assessment
Physical Security AssessmentPhysical Security Assessment
Physical Security Assessment
 

Ähnlich wie Why You Should Prioritize Third Party Risk Management (TPRM) in Today's Marketplace

Advantages of an integrated governance, risk and compliance environment
Advantages of an integrated governance, risk and compliance environmentAdvantages of an integrated governance, risk and compliance environment
Advantages of an integrated governance, risk and compliance environmentIBM Analytics
 
Maclear’s IT GRC Tools – Key Issues and Trends
Maclear’s  IT GRC Tools – Key Issues and TrendsMaclear’s  IT GRC Tools – Key Issues and Trends
Maclear’s IT GRC Tools – Key Issues and TrendsMaclear LLC
 
Vendor risk management 2013
Vendor risk management 2013Vendor risk management 2013
Vendor risk management 2013Nidhi Gupta
 
Vendor risk management 2013
Vendor risk management 2013Vendor risk management 2013
Vendor risk management 2013Nidhi Gupta
 
CM Introduction 081414
CM Introduction 081414CM Introduction 081414
CM Introduction 081414aidanc5
 
Big data governance as a corporate governance imperative
Big data governance as a corporate governance imperativeBig data governance as a corporate governance imperative
Big data governance as a corporate governance imperativeGuy Pearce
 
Establishing a framework for it governance by dave cunningham 2007
Establishing a framework for it governance by dave cunningham 2007Establishing a framework for it governance by dave cunningham 2007
Establishing a framework for it governance by dave cunningham 2007David Cunningham
 
Bpo risk management 2013
Bpo risk management 2013Bpo risk management 2013
Bpo risk management 2013Nidhi Gupta
 
Bpo risk management 2013
Bpo risk management 2013Bpo risk management 2013
Bpo risk management 2013Nidhi Gupta
 
It and business risk alignment guide
It and business risk alignment guideIt and business risk alignment guide
It and business risk alignment guideAstalapulosListestos
 
Applying risk management_to_your_business_continuity_management_efforts
Applying risk management_to_your_business_continuity_management_effortsApplying risk management_to_your_business_continuity_management_efforts
Applying risk management_to_your_business_continuity_management_effortsSubhajit Bhuiya
 
Governance Risk and Compliance for SAP
Governance Risk and Compliance for SAPGovernance Risk and Compliance for SAP
Governance Risk and Compliance for SAPPECB
 

Ähnlich wie Why You Should Prioritize Third Party Risk Management (TPRM) in Today's Marketplace (20)

Advantages of an integrated governance, risk and compliance environment
Advantages of an integrated governance, risk and compliance environmentAdvantages of an integrated governance, risk and compliance environment
Advantages of an integrated governance, risk and compliance environment
 
Maclear’s IT GRC Tools – Key Issues and Trends
Maclear’s  IT GRC Tools – Key Issues and TrendsMaclear’s  IT GRC Tools – Key Issues and Trends
Maclear’s IT GRC Tools – Key Issues and Trends
 
Government and SOX Compliance for ERP Systems
Government and SOX Compliance for ERP SystemsGovernment and SOX Compliance for ERP Systems
Government and SOX Compliance for ERP Systems
 
Vendor risk management 2013
Vendor risk management 2013Vendor risk management 2013
Vendor risk management 2013
 
Vendor risk management 2013
Vendor risk management 2013Vendor risk management 2013
Vendor risk management 2013
 
Vendor risk management 2013
Vendor risk management 2013Vendor risk management 2013
Vendor risk management 2013
 
Vendor risk management 2013
Vendor risk management 2013Vendor risk management 2013
Vendor risk management 2013
 
Enterprise governance risk_compliance_fcm slides
Enterprise governance risk_compliance_fcm slidesEnterprise governance risk_compliance_fcm slides
Enterprise governance risk_compliance_fcm slides
 
Erm talking points
Erm talking pointsErm talking points
Erm talking points
 
CM Introduction 081414
CM Introduction 081414CM Introduction 081414
CM Introduction 081414
 
Big data governance as a corporate governance imperative
Big data governance as a corporate governance imperativeBig data governance as a corporate governance imperative
Big data governance as a corporate governance imperative
 
Establishing a framework for it governance by dave cunningham 2007
Establishing a framework for it governance by dave cunningham 2007Establishing a framework for it governance by dave cunningham 2007
Establishing a framework for it governance by dave cunningham 2007
 
Bpo risk management 2013
Bpo risk management 2013Bpo risk management 2013
Bpo risk management 2013
 
Bpo risk management 2013
Bpo risk management 2013Bpo risk management 2013
Bpo risk management 2013
 
Bpo risk management 2013
Bpo risk management 2013Bpo risk management 2013
Bpo risk management 2013
 
Bpo risk management 2013
Bpo risk management 2013Bpo risk management 2013
Bpo risk management 2013
 
Bpo risk management 2013
Bpo risk management 2013Bpo risk management 2013
Bpo risk management 2013
 
It and business risk alignment guide
It and business risk alignment guideIt and business risk alignment guide
It and business risk alignment guide
 
Applying risk management_to_your_business_continuity_management_efforts
Applying risk management_to_your_business_continuity_management_effortsApplying risk management_to_your_business_continuity_management_efforts
Applying risk management_to_your_business_continuity_management_efforts
 
Governance Risk and Compliance for SAP
Governance Risk and Compliance for SAPGovernance Risk and Compliance for SAP
Governance Risk and Compliance for SAP
 

Mehr von Resolver Inc.

How to Prove the Value of Security Investments
How to Prove the Value of Security InvestmentsHow to Prove the Value of Security Investments
How to Prove the Value of Security InvestmentsResolver Inc.
 
ERM Benchmarking Survey Results
ERM Benchmarking Survey ResultsERM Benchmarking Survey Results
ERM Benchmarking Survey ResultsResolver Inc.
 
Best Practices and ROI for Risk-based Vulnerability Management
Best Practices and ROI for Risk-based Vulnerability ManagementBest Practices and ROI for Risk-based Vulnerability Management
Best Practices and ROI for Risk-based Vulnerability ManagementResolver Inc.
 
Taking a Data-Driven Approach to Business Continuity
Taking a Data-Driven Approach to Business ContinuityTaking a Data-Driven Approach to Business Continuity
Taking a Data-Driven Approach to Business ContinuityResolver Inc.
 
Terrorism in a Corporate Setting
Terrorism in a Corporate SettingTerrorism in a Corporate Setting
Terrorism in a Corporate SettingResolver Inc.
 
Reporting to the Board on Corporate Compliance
Reporting to the Board on Corporate ComplianceReporting to the Board on Corporate Compliance
Reporting to the Board on Corporate ComplianceResolver Inc.
 
An Intro to Resolver's Compliance Application
An Intro to Resolver's Compliance ApplicationAn Intro to Resolver's Compliance Application
An Intro to Resolver's Compliance ApplicationResolver Inc.
 
Information Security Best Practices: Keeping Your Company's Data Safe
Information Security Best Practices: Keeping Your Company's Data SafeInformation Security Best Practices: Keeping Your Company's Data Safe
Information Security Best Practices: Keeping Your Company's Data SafeResolver Inc.
 
Security Trends: From "Silos" to Integrated Risk Management
Security Trends: From "Silos" to Integrated Risk ManagementSecurity Trends: From "Silos" to Integrated Risk Management
Security Trends: From "Silos" to Integrated Risk ManagementResolver Inc.
 
Modelling your Business Processes with Resolver Core
Modelling your Business Processes with Resolver CoreModelling your Business Processes with Resolver Core
Modelling your Business Processes with Resolver CoreResolver Inc.
 
How Resolver Uses Resolver
How Resolver Uses ResolverHow Resolver Uses Resolver
How Resolver Uses ResolverResolver Inc.
 
Scammed: Defend Against Social Engineering
Scammed: Defend Against Social EngineeringScammed: Defend Against Social Engineering
Scammed: Defend Against Social EngineeringResolver Inc.
 
A Peek at adidas Group's Integrated Risk & Security Management Strategy
A Peek at adidas Group's Integrated Risk & Security Management StrategyA Peek at adidas Group's Integrated Risk & Security Management Strategy
A Peek at adidas Group's Integrated Risk & Security Management StrategyResolver Inc.
 
An Intro to Resolver's Resilience Application
An Intro to Resolver's Resilience ApplicationAn Intro to Resolver's Resilience Application
An Intro to Resolver's Resilience ApplicationResolver Inc.
 
Data Driven Risk Assessment
Data Driven Risk AssessmentData Driven Risk Assessment
Data Driven Risk AssessmentResolver Inc.
 
How to Achieve a Fully Integrated Approach to Business Resilience
How to Achieve a Fully Integrated Approach to Business ResilienceHow to Achieve a Fully Integrated Approach to Business Resilience
How to Achieve a Fully Integrated Approach to Business ResilienceResolver Inc.
 
An Intro to Resolver's Risk Application
An Intro to Resolver's Risk ApplicationAn Intro to Resolver's Risk Application
An Intro to Resolver's Risk ApplicationResolver Inc.
 
Keeping Your Data Clean
Keeping Your Data CleanKeeping Your Data Clean
Keeping Your Data CleanResolver Inc.
 
An Intro to Resolver's InfoSec Application (RiskVision)
An Intro to Resolver's InfoSec Application (RiskVision)An Intro to Resolver's InfoSec Application (RiskVision)
An Intro to Resolver's InfoSec Application (RiskVision)Resolver Inc.
 
Leveraging Change Leadership to Find Success in your IRM Program
Leveraging Change Leadership to Find Success in your IRM ProgramLeveraging Change Leadership to Find Success in your IRM Program
Leveraging Change Leadership to Find Success in your IRM ProgramResolver Inc.
 

Mehr von Resolver Inc. (20)

How to Prove the Value of Security Investments
How to Prove the Value of Security InvestmentsHow to Prove the Value of Security Investments
How to Prove the Value of Security Investments
 
ERM Benchmarking Survey Results
ERM Benchmarking Survey ResultsERM Benchmarking Survey Results
ERM Benchmarking Survey Results
 
Best Practices and ROI for Risk-based Vulnerability Management
Best Practices and ROI for Risk-based Vulnerability ManagementBest Practices and ROI for Risk-based Vulnerability Management
Best Practices and ROI for Risk-based Vulnerability Management
 
Taking a Data-Driven Approach to Business Continuity
Taking a Data-Driven Approach to Business ContinuityTaking a Data-Driven Approach to Business Continuity
Taking a Data-Driven Approach to Business Continuity
 
Terrorism in a Corporate Setting
Terrorism in a Corporate SettingTerrorism in a Corporate Setting
Terrorism in a Corporate Setting
 
Reporting to the Board on Corporate Compliance
Reporting to the Board on Corporate ComplianceReporting to the Board on Corporate Compliance
Reporting to the Board on Corporate Compliance
 
An Intro to Resolver's Compliance Application
An Intro to Resolver's Compliance ApplicationAn Intro to Resolver's Compliance Application
An Intro to Resolver's Compliance Application
 
Information Security Best Practices: Keeping Your Company's Data Safe
Information Security Best Practices: Keeping Your Company's Data SafeInformation Security Best Practices: Keeping Your Company's Data Safe
Information Security Best Practices: Keeping Your Company's Data Safe
 
Security Trends: From "Silos" to Integrated Risk Management
Security Trends: From "Silos" to Integrated Risk ManagementSecurity Trends: From "Silos" to Integrated Risk Management
Security Trends: From "Silos" to Integrated Risk Management
 
Modelling your Business Processes with Resolver Core
Modelling your Business Processes with Resolver CoreModelling your Business Processes with Resolver Core
Modelling your Business Processes with Resolver Core
 
How Resolver Uses Resolver
How Resolver Uses ResolverHow Resolver Uses Resolver
How Resolver Uses Resolver
 
Scammed: Defend Against Social Engineering
Scammed: Defend Against Social EngineeringScammed: Defend Against Social Engineering
Scammed: Defend Against Social Engineering
 
A Peek at adidas Group's Integrated Risk & Security Management Strategy
A Peek at adidas Group's Integrated Risk & Security Management StrategyA Peek at adidas Group's Integrated Risk & Security Management Strategy
A Peek at adidas Group's Integrated Risk & Security Management Strategy
 
An Intro to Resolver's Resilience Application
An Intro to Resolver's Resilience ApplicationAn Intro to Resolver's Resilience Application
An Intro to Resolver's Resilience Application
 
Data Driven Risk Assessment
Data Driven Risk AssessmentData Driven Risk Assessment
Data Driven Risk Assessment
 
How to Achieve a Fully Integrated Approach to Business Resilience
How to Achieve a Fully Integrated Approach to Business ResilienceHow to Achieve a Fully Integrated Approach to Business Resilience
How to Achieve a Fully Integrated Approach to Business Resilience
 
An Intro to Resolver's Risk Application
An Intro to Resolver's Risk ApplicationAn Intro to Resolver's Risk Application
An Intro to Resolver's Risk Application
 
Keeping Your Data Clean
Keeping Your Data CleanKeeping Your Data Clean
Keeping Your Data Clean
 
An Intro to Resolver's InfoSec Application (RiskVision)
An Intro to Resolver's InfoSec Application (RiskVision)An Intro to Resolver's InfoSec Application (RiskVision)
An Intro to Resolver's InfoSec Application (RiskVision)
 
Leveraging Change Leadership to Find Success in your IRM Program
Leveraging Change Leadership to Find Success in your IRM ProgramLeveraging Change Leadership to Find Success in your IRM Program
Leveraging Change Leadership to Find Success in your IRM Program
 

Kürzlich hochgeladen

Siliguri Escorts Service Girl ^ 9332606886, WhatsApp Anytime Siliguri
Siliguri Escorts Service Girl ^ 9332606886, WhatsApp Anytime SiliguriSiliguri Escorts Service Girl ^ 9332606886, WhatsApp Anytime Siliguri
Siliguri Escorts Service Girl ^ 9332606886, WhatsApp Anytime Siligurimeghakumariji156
 
Information Technology Project Management, Revised 7th edition test bank.docx
Information Technology Project Management, Revised 7th edition test bank.docxInformation Technology Project Management, Revised 7th edition test bank.docx
Information Technology Project Management, Revised 7th edition test bank.docxssuserf63bd7
 
Beyond the Codes_Repositioning towards sustainable development
Beyond the Codes_Repositioning towards sustainable developmentBeyond the Codes_Repositioning towards sustainable development
Beyond the Codes_Repositioning towards sustainable developmentNimot Muili
 
How Software Developers Destroy Business Value.pptx
How Software Developers Destroy Business Value.pptxHow Software Developers Destroy Business Value.pptx
How Software Developers Destroy Business Value.pptxAaron Stannard
 
W.H.Bender Quote 62 - Always strive to be a Hospitality Service professional
W.H.Bender Quote 62 - Always strive to be a Hospitality Service professionalW.H.Bender Quote 62 - Always strive to be a Hospitality Service professional
W.H.Bender Quote 62 - Always strive to be a Hospitality Service professionalWilliam (Bill) H. Bender, FCSI
 
Marketing Management 16th edition by Philip Kotler test bank.docx
Marketing Management 16th edition by Philip Kotler test bank.docxMarketing Management 16th edition by Philip Kotler test bank.docx
Marketing Management 16th edition by Philip Kotler test bank.docxssuserf63bd7
 
Safety T fire missions army field Artillery
Safety T fire missions army field ArtillerySafety T fire missions army field Artillery
Safety T fire missions army field ArtilleryKennethSwanberg
 
The Psychology Of Motivation - Richard Brown
The Psychology Of Motivation - Richard BrownThe Psychology Of Motivation - Richard Brown
The Psychology Of Motivation - Richard BrownSandaliGurusinghe2
 
International Ocean Transportation p.pdf
International Ocean Transportation p.pdfInternational Ocean Transportation p.pdf
International Ocean Transportation p.pdfAlejandromexEspino
 
internship thesis pakistan aeronautical complex kamra
internship thesis pakistan aeronautical complex kamrainternship thesis pakistan aeronautical complex kamra
internship thesis pakistan aeronautical complex kamraAllTops
 
digital Human resource management presentation.pdf
digital Human resource management presentation.pdfdigital Human resource management presentation.pdf
digital Human resource management presentation.pdfArtiSrivastava23
 
Gautam Buddh Nagar Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Gautam Buddh Nagar Call Girls 🥰 8617370543 Service Offer VIP Hot ModelGautam Buddh Nagar Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Why You Should Prioritize Third Party Risk Management (TPRM) in Today's Marketplace

1. Prioritizing Third-Party Risk Management (TPRM) in Today’s Marketplace

3. Hello! I am David Ksiazek, Security Services Director at Alliance Technology Group
   @davidksiazek
   david.ksiazek@alliance-it.com

4. My Background
   ▪ System Administration
   ▪ SQL Development
   ▪ IT and Internal Audit, 2003-2010
   ▪ IT Security, 2008 – Present
   ▪ Worked on team that wrote FedRAMP HIGH Baseline
7. Collaboration
   ▪ Collaboration and specialization are driving organizations to connect business processes, and therefore IT systems, more closely.
   ▪ Seeking:
      ▪ Expertise
      ▪ Economic Advantage
9. “…But I outsourced to transfer the risk…to make it someone else’s problem...”

10. Outsource Risk
   ▪ Organizations still bear risk even when outsourcing, and especially when integrating:
      ▪ Supply Chain
      ▪ Financial Risk
      ▪ Reputational Risk
      ▪ Service Delivery Risk
      ▪ Regulatory Risk
      ▪ Information Security Risk

11. Who should be monitoring third parties?
12. Two Models for Third Party Risk Management (TPRM): Decentralized
   ▪ Individual functions conduct specialized analysis
   ▪ Relies on internal information collection, sharing, and coordination
   ▪ No centralized vendor servicing; a vendor contact may have 2-5 organizational contacts to work with individually
   ▪ Does not require dedicated organizational headcount
   ▪ Often performed with Excel, Word, and e-mail
   ▪ Timelines and risk treatment can be uneven, as the resources performing the analysis have day jobs in addition

13. Two Models for Third Party Risk Management (TPRM): Centralized
   ▪ Often aligned under procurement or IT
   ▪ Coordinates standards internally among various functions
   ▪ Acts as a central point of collection, reporting and servicing
   ▪ Can still utilize individual organizational functions for risk analysis
   ▪ Often requires dedicated organizational headcount
   ▪ Requires some system or IT infrastructure
   ▪ Timelines are more uniform
   ▪ Risk treatment is approved and often uniform across all analysis
14. Third Model for Third Party Risk Management (TPRM): Hybrid
   The hybrid model uses silos of centralization:
   ▪ IT collects system data
   ▪ Purchasing collects contract or SLA data
   ▪ Finance collects financial data
   And they all agree to pretend that they will talk to each other frequently and openly (OK, sometimes I lie a bit…)
15. How do they do it? A Current Market Overview

16. Assessment method                      %
    On-Site Visits                         69.5%
    In-house Internal Audits               62.7%
    Control Self-Assessments               39.8%
    Remote Assessment w/ Direct Access     22.9%
    Desktop Audits                         22%
    Note: The current mix of internal controls to detailed transaction testing is estimated at 80/20.
17. View TPRM as a Lifecycle

18. TPRM is a Lifecycle: Selection → Onboarding → Management → Renewal → Termination

19. The Lifecycle in Depth
   SELECTION
   ▪ Choosing what vendors to assess from the universe of vendors
   ▪ Most come from business unit requests for a specific vendor
   ONBOARDING
   ▪ Assess
   ▪ Rank
   ▪ Execute Contract
   MANAGEMENT
   ▪ Monitor Compliance
   ▪ Update Documentation and Certifications
      ✓ SOC Reports
      ✓ Audit Reports
      ✓ Licenses or Certifications
   RENEWAL
   ▪ Use collected information over the previous period of performance in the contract renewal process
   ▪ Reassess vendor risk prior to this effort
   TERMINATION
   ▪ Process of orderly separation
   ▪ Knowledge Transfer
   ▪ Return or destruction of information

20. [Diagram: Third Party Risk Management framework] Policies, Procedures, Supplier Inventory and Risk Management Framework surrounding the lifecycle stages Selection, Onboarding, Management, Renewal, Termination; Vendor Ranking / Vendor Tier.
21. Vendor Interaction Tips
   ▪ Interact with vendors early and often
   ▪ Vendors should have an idea of the overall process
   ▪ Introduce vendors into the RMF process and discuss the process, the framework, and what happens when controls are not in place (sanctions)
      o Much of this should be spelled out in a contract
   ▪ All communications should be in context to the overall process

22. Introduce vendors into the RMF process and discuss the process, the framework, and what happens when controls are not in place (sanctions). Much of this should be spelled out in a contract.
23. Vendor Categorization Tier Model
   Tier 1 – Strategic Partners: integrated business practices and mutual product/service feedback
   Tier 2 – Material Vendors: vendor product or service is a commodity but is often unique to the vendor and is significant to organizational goals and success. Material Vendors often
   Tier 3 – Vendor: commodity product or service potentially available from multiple vendors
   Tier 4 – Low Priority
   Assessment Scope and Frequency: categorization should drive the level of standards compliance required. More important/strategic relationships should equal more risk management and compliance.
25. Standards
   ▪ Use a common, or at least coordinated, set of TPRM standards across all business units.
   ▪ Organizations are encouraged to assess against both industry-specific standards such as HIPAA (healthcare) and PCI (retail), and general standards such as ISO 27001, NIST SP 800-53, or COBIT.
   ▪ In addition to functional standards for processes and technologies, consider monitoring for governance risks such as Financial, Reputational, Regulatory, Code of Conduct, and Ethics.
   ▪ Standards requirements are best adopted and required at the highest levels of an organization.

26. Tools
   ▪ Roughly one-third of organizations use an existing ERP system module to manage TPRM. The remaining two-thirds use either a general or third-party-specific risk management package, or multiple systems and manual processes.
   ▪ Small organizations can use Word, Excel, and e-mail, but… THIS DOES NOT SCALE.
   ▪ Better to use these tools for initial efforts or for mocking up the process and content, not production.

27. Contracting
   Include the following in the contracting:
   ▪ Risk Management requirements and provisions
   ▪ Service Level Monitoring
   Use Incident Reporting to record instances when Service Level Agreement terms and conditions are not met.

28. Reporting and Monitoring
   Reporting: Start with the end in mind by looking at the information the business needs to operate effectively, and work backwards towards compiling and implementing the collection of that data.
   Monitoring: Aside from internal RMF compliance, monitor:
   ▪ News – LexisNexis support is invaluable
   ▪ Tier 1 – Who are their suppliers? Monitor them as well
   ▪ Breach Incidents
   ▪ Regulatory Actions (OFAC, SEC, FTC, FCPA)