Third Party Network Webinar Slide Deck 110718 FINAL
1 like126 views
The document outlines the establishment and operation of a third-party network aimed at collaboratively managing vendor relationships and risks for various industries. It emphasizes the transition from manual assessment methods to automated processes for vendor evaluation, monitoring, and reporting, thereby improving efficiency and compliance. Key components include continuous risk management, sharing of assessment data, and a focus on collaborative governance among network members.
Third Party Network Webinar Slide Deck 110718 FINAL
- 1. Third Party Network 2018 11th July 2018 Purpose-Built. Proven. Powerful. Ā© Copyright 2018
- 2. 2 Purpose-Built. Proven. Powerful. Ā© Copyright 2018 Brenda Ferraro, ITIL, CPM, CTPRP, vBSIMM Chief Third Party Evangelist & Senior Director ā Networks & CYBERFITĀ® PROPERTY OF NH-ISAC Phone: +1 813-404-8371 Email: bferraro@prevalent.net Sean OāBrien, CTPRP Managing Director DVV Solutions Phone: +44 (0) 161 476 8700 Email: sobrien@dvvs.co.uk
- 3. What is a Vendor Network The purpose of a Network is to build a membership based community of customers that share collaboratively with unique needs amongst peers. SIG SIG SIG SIG HCQ Third Party Network Channel Partner Driven Governed by member participation LEGAL ITLACON Driven FINANCIAL FS-ISAC Driven CPG Prevalent Driven HEALTHCARE NH-ISAC Governed with CISO participation and requirements. BEST PRACTICES & CERTIFICATIONS: SOC2 / SCA / PCI / NIST / ISO AUTHORITATIVE DOCUMENTS GDPR NY STATE APPENDIX J OCC GDPR NY STATE APPENDIX J OCC GDPR NY STATE GDPR NY STATE APPENDIX J OCC GDPR NY STATE HIPAA ACA
- 4. 4 Purpose-Built. Proven. Powerful. Ā© Copyright 2018 HISTORIC VIEW OF THIRD-PARTY RISK MANUAL Spreadsheet or GRC driven GRC IMPLEMENTATION Takes years MULTIPLE PRODUCTS Used for assessment and monitoring VENDOR UNIVERSE Not sure who vendors are ASSESSMENT COMPLETION Not able to complete assessments and meet compliance against regulations and internal policies ASSESSMENT TIMELINESS Not able to assess prior to business decision to bring on a new vendor/service
- 5. 5 Purpose-Built. Proven. Powerful. Ā© Copyright 2018 REGULATORY SCRUTINY THEMES PCI 3.2+ OUTSOURCER ACCOUNTABILITY Third-Party security and data protection by way of management of vendor outsourcing activity and coordination of business resiliency programs. ROBUST TPRM PROGRAM Greater scrutiny of āfourthā parties, the need for collaboration and standardization to achieve regulatory compliance, and vendor risk operational processes. GDPR SYCS 8.1
- 6. MATURE TPRG PROCESS SALES PROCESS & CONTRACTING OPERATIONS TOOL SETUP THIRD PARTY LAUNCH & CONTENT SUBMITTED CONTENT VALIDATED & PUBLISHED RISK EVALUATED & IDENTIFIED RISK ACCEPTED, TRACKED OR DECLINED THIRD PARTY CONTINUOUS EVALUATION Signed Contract Initial Third Party Universe List Customer Maturity Assessment Service Risk Framing Setup Control Standards Identified Compensating Control Library Uploaded Supplemental Questionnaires Added Notifications Setup Customer Risk Ranking Setup Risk Remediation Tracking Setup Customer Reporting & Categories Setup Setup Automated Assessment Kickoffs Third Party Launch Schedule Customer Professional Services Kickoff and Setup Meeting(s) Conducted Request for Response Questionnaire / Evidence Submitted Completed Questionnaire Evidence Provided Completed Questionnaire Evidence Available for Validation Validation Follow Up with Tracking Questionnaire & Evidence Completeness Published Evidence into Shared Repository Inherent (Initial) Risk Score Applied by Industry Available for Request and Risk Identification Evidence Available for Request to Evaluate Industry Applied Inherent Risk Score Industry Standard āMetā / āDoes NOT Meetā Identified Assessor Compensating Control and Guidance Available Business Risk Acceptance Risk Acceptance Steering Committee Compensating Control Acceptance Risk Remediation Plan Acceptance Risk Accepted Risk Declined Risk Acceptance Remediation Tracking Residual Risk Score Adjusted Environmental Risk Situational Risk Incident Response Threat Monitoring Fraud, Waste, Abuse Regulatory Requirements Industry Security Injects Real Time Risk Evaluation Data Based Risk Decisions Industry Reporting Industry Security MaturationQuestionnaire Evaluated Compensating Control Applied Third Party Negotiation Implemented for IDād Risk Customer Risk Ranking Applied Risk Remediation Recommendations and Tracking Residual Risk Score Applied by Industry
- 7. 8 Purpose-Built. Proven. Powerful. Ā© Copyright 2018 MATURE THIRD-PARTY PROGRAM SETUP AUTOMATED VALIDATION RISK REMEDIATION DIRECTLY WITH THIRD-PARTY VENDORS REAL TIME SCORECARD & COMPLIANCE REPORTING CONTINUOUS ASSESSMENTS & MONITORING WHERE THIRD-PARTY RISK IS HEADING
- 8. 9 Purpose-Built. Proven. Powerful. Ā© Copyright 2018 UNIFIED THIRD-PARTY RISK MANAGEMENT ASSESS SHAREMONITOR Automate the vendor assessment process, including tiering, based on the access level to sensitive information. Obtain access to open source Cyber and Business Intel feeds to validate security controls are effective and in force. Collect once, share with many saving both time and money in the assessment process.
- 9. 10 Purpose-Built. Proven. Powerful. Ā© Copyright 2018 ASSESS Assessment data collection takes time and money Automate the vendor assessment process, including the critical vendor tiering process, based on the access level they have to your sensitive information ā¢ Controls Mapping ā¢ Risk Scoring ā¢ Service Framing ā¢ Standardized Risk Assessment Content ā SIG, SIG-Lite, CSA, DDQ ā¢ Risk Base Assessments ā¢ Automate Evidence Collection, Findings Review, and Risk Mitigation Workflows ā¢ Full Audit Tracking ā¢ Comprehensive Analytics & Reporting
- 10. 11 Purpose-Built. Proven. Powerful. Ā© Copyright 2018 MONITOR One and done assessments are a thing of the past Data | Brand | Financial | Operational | Regulatory ā¢ Filling a gap: āOutside Inā continuous assessments provides real-time risk management ā¢ Never be in the dark: Potential risk events should be surfaced, scored, and delivered to users continuously ā¢ Comprehensive scoring: Data and business risk scoring combined with āInside Outā assessment scoring provides insight into vendor investments
- 11. 12 Purpose-Built. Proven. Powerful. Ā© Copyright 2018 SHARE Collect once, share with many ā reduces cost and time in the assessment process ā¢ Many industry verticals use the same vendors and want similar security controls information about those vendors ā¢ Collecting questionnaire evidence on behalf of Network members reduces the time and money spent on data collection and validation ā¢ Allows assessment programs ability to focus on risk management ā¢ Increases security maturity across the third party ecosystem
- 12. 13 Purpose-Built. Proven. Powerful. Ā© Copyright 2018 ASSESS MONITOR SHARE Third Party Assessment Automation, including Prioritization, based on data access level Continuous & Holistic Risk View across 5 key areas: Data, Brand, Financial, Operational, & Regulatory Collect once and share with many to reduce cost and time SITUATIONAL INHERENT MANAGED RESIDUAL RISK CONTINUOUS THIRD-PARTY RISK LIFECYCLE Reliance on static scheduled assessments is no longer sufficient to monitor the rapidly changing third party risk environment
- 13. 14 Purpose-Built. Proven. Powerful. Ā© Copyright 2018 VENDOR NETWORK (XVN) ā VENDOR LAUNCH & EVIDENCE COLLECTION & REPOSITORY POPULATION SUBPROCESSESCUSTOMER CUSTOMERSUPPORT MANAGEMENT THIRDPARTY COLLECTION PROCESS ESCALATION PROCESS MEMBER TO VENDOR LETTER (M2V) SENT V1 V7 V8 V11 6 DAYS 5 DAYS 3 DAYS 2 DAYS PREVALENT CC D RECEIVE MEMBER TO VENDOR (M2V) LETTER V2 PREVALENT TO VENDOR (P2V) LETTER SENT V3 RECIEVE PREVALENT TO VENDOR (P2V) LETTER LAUNCH ASSESSMENT PROCESS V4 V5 RECEIVE REGISTRATION NOTIFICATION V6 REGISTERED? N Y NEED TOOL ASSISTANCE? N PROVIDE TOOL ASSISTANCE V9 INTERNAL COMMUNICATION PROCESS EVIDENCE COLLECTION REVIEW V10 TIMELY RESPONSE? N ASSESSMENT INTO TENANT PROCESS V11 RECEIVE TENANT UPDATE NOTIFICATION RESPOND TO IDENTIFIED RISKS AND CONTROL STANDARD GAPS RISK EVALUATION PROCESS 3 DAYS Reduce Assessment Data Content Gathering Readily Available Assessments in the Shared Network Repository Focus on Risk Identification and Mitigation
- 14. 15 Purpose-Built. Proven. Powerful. Ā© Copyright 2018 ONLINE THIRD-PARTY PROCESSING & MONITORING EVENT DRIVEN Quick and interactive access to accumulated data and will receive a decision supporting analysis result to reduce risk to the enterprise. SHARE Remove work duplication by completing assessment questionnaires and uploading authoritative documentation once to share with many.
- 15. 16 Purpose-Built. Proven. Powerful. Ā© Copyright 2018 NETWORK VISION & COMMITMENT Answer Questionnaires Store Evidence Manage Access Assist in Compliance Conduct Assessments Identify Risk Clarifying Observations Create Findings/Remediation VENDOR MANAGEMENT ASSESSMENT DASHBOARDING & SCORING Monitor Cyber & Business Intel, Manage Risk, Measure Key Performance Indicators WHAT IS THE ROLE AND RESPONSIBILITY OF THE NETWORK COMMUNITY ļ± Overall Governance Input ļ± Content Management ļ± Control Standard Requirements & Recommendation ļ± Best Practice / Thought Leadership ļ± Risk Landscape Awareness ļ± Early Adoption of Leading Edge Methodology and Framework
- 16. 17 Purpose-Built. Proven. Powerful. Ā© Copyright 2018 JOINING THE THIRD PARTY NETWORK HOW TO GET INVOLVED ā¢ Steering Committee Members (1 Day per Qtr) ā¢ Require Licensing Contract with DVV Solutions WHAT IS THE COST ā¢ DVV Solutions will contact you WHAT IS THE PROCESS ā¢ Reach-out by end of week ā¢ Call scheduled by 20 July 2018 ā¢ First Steering Committee Mtg by 24 September 2018
- 17. 18 Purpose-Built. Proven. Powerful. Ā© Copyright 2018 Q & A
- 18. 19 Purpose-Built. Proven. Powerful. Ā© Copyright 2018 Brenda Ferraro, ITIL, CPM, CTPRP, vBSIMM Chief Third Party Evangelist & Senior Director ā Networks & CYBERFITĀ® PROPERTY OF NH-ISAC Phone: +1 813-404-8371 Email: bferraro@prevalent.net Sean OāBrien, CTPRP Managing Director DVV Solutions Phone: +44 (0) 161 476 8700 Email: sobrien@dvvs.co.uk