Risk management, compliance, and security are a shared burden between your organization and your vendors. Standards such as NIST (Publication 500-292) and regulations like HIPAA and PCI-DSS provide considerations for compliance and security but do not account for the nuances of your unique business or your infrastructure. Guidelines are written as though one party is responsible for compliance and security, but you rely on multiple vendors. Outsourcing can lead to ambiguous delegation of compliance responsibilities, lack of data governance and security practices, and difficulty in achieving data protection—ultimately risking non-compliance and leaving your infrastructure vulnerable. Join our expert panel as they share insights into closing the gap on who’s responsible for what in data security and best practices for improving your security posture. Takeaways: Who owns the responsibility of compliance and security? How to find and mitigate hidden risks in a 3rd party ecosystem How to map your requirements to owners, policies, and controls Expert recommendations for PCI, HIPAA, FERPA, FISMA and more.

1. Overcoming Hidden Risks in a Shared
Security Model

2. Agenda
• Introduction
• Compliance and Security Landscape
• Evolution to a 3rd Party Ecosystem
• Data Risks and Challenges
• Deep Dive Into Shared Responsibilities
• Best Practices
• Q&A

3. Speakers
Chad Kissinger
Founder
OnRamp
OnRamp is a leading HITRUST-certified data center
services company that guides businesses through
the complexities of data security and compliance.
Our solutions help organizations in healthcare,
financial services and education services meet
compliance standards.
OnRamp operates multiple enterprise-class
SSAE16/AICPA SOC 2 Type 2 and SOC 3 data
centers, where we deploy hybrid computing
solutions that enable our customers to blend
secure cloud computing, managed hosting, and
colocation service to best meet their unique
requirements. Our team’s consultative approach
helps you develop the right mix of solutions to
free your resources to focus on agility and
differentiation in your industry.

4. Speakers
Maria Horton
CEO
EmeSec
EmeSec uses cybersecurity and privacy practices to
build competitive advantage in today’s connected
world for clients.
Our intuitive, adaptive and game-changing
solutions are designed to help organizations
protect their reputation and growth engines while
harnessing the power of security and automated
technologies. The company is an accredited Third
Party Assessor (3PAO) under the Federal Risk and
Authorization Management Program (FedRAMP).
EmeSec Incorporated is a Woman-Owned Service
Disabled Veteran Owned Small Business (SDVOSB),
founded in 2003. EmeSec holds certifications in ISO
9001:2015, ISO 20000-1:2011, ISO/IEC 27001:2013,
ISO/IEC 17020:2012.

5. Speakers
Michael Casey
Managing Director & Chief
Payments Officer
EPMG Advisors
EPMG Advisors was founded in 2008 with
the purpose of providing clients the best
payments management and advisory
services with boutique customer care. Our
firm is driven to provide our clients with the
understanding and ability to build and
maintain a truly transparent payments
environment.
Whether your objective is to identify new
opportunities for growth or to maximize
profits from existing operations, EPMG
Payment Advisors can deliver the
enterprise-wide solutions you require.

6. Current Landscape
Ponemon Institute, Cost of Data Breach Study: 2017 Global Analysis
https://healthitsecurity.com/news/mobile-security-at-center-of-2.5m-ocr-hipaa-settlement
The average consolidated cost of a data
breach reached $3.62 million in 2017
50%
$4M
2017
The risk of non-compliance is
significant. Ignorance is not
excused.
Pennsylvania-based
CardioNet agreed to a $2.5 million
OCR HIPAA settlement stemming
from improper safeguards of PII
data.
50% of organizations don’t know who has access to their data, how
they’re using it, or what safeguards are in place to mitigate a security
incident.

7. Multi-Vendor
Management
Agility and
Responsiveness
Retaining Talent
Patient or
Customer
Engagement
Team Skillsets
Cybersecurity
Managing
Budgets
Evolution to 3rd Party Ecosystem
Ability to Innovate &
Differentiate
Leadership offloads
their IT infrastructure
and computing
needs in order to:
• Increase
Operational
Efficiency
• Rely on Subject
Matter Experts
• Gain a
Competitive
Advantage
• Reduce Costs
C-LEVEL RESPONSIBILITIES

8. Compliance regulations are written as though
one party is responsible for compliance and
security.
Regulators Leadership Talent
Providers/
Suppliers
THE PLAYERS
Where is the Breakdown?

9. Data Risks and Top Challenges with Shared
Responsibilities
• Confusing Guidance
• Insufficient Policies and Processes
• Unclear Roles and Responsibilities
• No Accountability
• Lack of Due Diligence (Choosing &
Monitoring 3rd Parties)
• Insufficient Technology
THE FUMBLES

10. Guidance is Not Prescriptive
www.hhs.gov;
https://www.pcicomplianceguide.org/faq/http
s://www2.ed.gov/
NIST publications
(800-145, 800-66,
800-52); FIPS 140-2
Office for Civil Rights
(OCR)
HIPAA
FISMA
Cloud Council
Security Rule
Breach Notification Rule
PCI Data Security
Standards (DSS)
U.S. Department of
Education- FERPA (20
U.S.C. § 1232g; 34 CFR
Part 99)
The Privacy Act
FedRAMP
THE PLAYBOOK: GOVERNING BODIES AND FRAMEWORKS
Guidance is vague and up
for interpretation.
(i.e. "reasonable and
appropriate ” measures
for HIPAA
Certain regulations do not
require or recognize
audits or certifications.
(i.e. FERPA)

11. Establishing the Right Policies and Processes
• Aren’t able to determine the number of
3rd parties with access to confidential
information.
• Lack of confidence in third parties’ data
safeguards, security policies and
procedures.
• Rarely conduct reviews of vendor
management policies and procedures to
ensure they address 3rd party data risk.
• Rely on contractual agreements instead
of audits and assessments to evaluate
the security and privacy practices of
their vendors.
Standard Policies
• Information Classification
Policy
• Risk Management Policy
• Information Systems
Security Policy
• Ongoing Management
• Clearly Defined Roles
Symptoms

12. Why Are Companies Unable to Determine Who Has
Access to Their Data?
• No accountability
for 3rd party risk
management
• No one
department or
function owns this
responsibility
• Not a priority
• Lack of resources
to track third
parties
• Complexity in
vendor
relationships
• Frequent turnover
in partners
Ponemon Institute, Data Risk in the Third Party Ecosystem

13. Roles, Responsibility, & Accountability
Senior leadership and boards of directors are rarely involved
in third-party risk management.
36%
of CEOs play a key role
in security &
compliance strategy
79%
Of CEOs cited over-
regulation as a top
threat to their
organizations’ growth.
PWC State of Compliance 2016
Only 16% of respondents indicated that they view their CEO as the compliance and
champion at their organizations.

14. Roles, Responsibility, & Accountability
INTERNAL – SHARED ACROSS DEPARTMENTS

15. Shared Responsibility Varies by Model
Responsibility Colocation IaaS PaaS SaaS
Data
Classification
End-point
Protection
Identity &
Access
Management
Application
Controls
Network
Controls
Infrastructure
Physical Security
Customer
Customer
Customer
Customer
Provider Provider
Provider
Customer Customer Customer
Customer Customer Customer Both Parties
Both Parties
Both Parties
Both Parties
Customer
Customer
Both Parties
Provider Provider
Both Parties
Provider
Provider
Provider
Both Parties
Provider

16. Accountability and Ownership
Organizations admit they are sharing sensitive data with third
parties that might have poor security policies.
Ponemon Institute, Data Risk in the Third Party Ecosystem
Figure 2: Perceptions about vendors’ security policies and procedures

17. Beware of These 3rd Party Risk Indicators
• Turnover of the vendor’s key personnel
• IT glitches, operational failures and
stoppages
• Outdated IT systems and equipment
• History of frequent data breach
incidents
• Legal actions against the vendor
• Poorly written security and privacy
policies and procedures

18. Case Studies
• Target breach due to HVAC vendor hack. Ultimately, two-
factor authentication and anti-malware would have mitigated
the breach.
• Hackers breach Equifax’s portal, stealing W-2 data. Only a PIN
code was used to protect sensitive data.
• Uber pays hackers $100,000 to hide year-old breach of 57
million users. Hackers accessed Github.com, a third-party
cloud storage website used by Uber software engineers.
Employee training could have prevented passwords from
being published on a public forum.
ZDN
Forbes.com
USA today.com

19. Best Practices: Risk Management Life Cycle
DUE
DILLIGENCE
CONTRACT
ONGOING
MONITORING
TERMINATION
PLANNING
OVERSIGHT AND ACCOUNTABILITY

20. Best Practices: Technology, People, Processes
Technology
• Data encryption in transit and at rest
• Firewalls
• Multi-factor authentication
• Cloud encryption
• Audit logs showing access to data
• Vulnerability scanning, intrusion
detection/prevention
• Hardware and OS patching
• Security Audits
• Contingency Planning
People & Processes
• Audit operational and business
processes
• Audit access management
• Enforce privacy policies
• Ensure cloud networks and connections
are secure
• Evaluate security controls: physical
infrastructure and facilities
• Data decommissioning process
• Be prepared for incidents
1 -Risk
Assessment
3-Vendor Security
Alignment
2 –Assign
Owners

21. Best Practices: Choosing a Vendor
Understands Your
Business Goals
Credentials &
Certifications
Service Level
Agreements (SLAs)
& Business Associate
Agreements (BAAs)
Security
Availability &
Scalability
Expertise in Your
Industry

22. Questions?

23. Thank you! Contact Us:
Sales@onr.com 888.667.2660 www.onr.com