Vendor risk management webinar 10022019 v1

© 2019 ControlCase All Rights Reserved
Your IT Compliance Partner –
Go Beyond the Checklist
Vendor Response
Management

Our Agenda 2
4
2
3
Your IT Compliance
Partner –
Go beyond the
checklist
ControlCase Introduction
About Vendor Risk Management
Common Challenges
Techniques To Increase Efficiencies
Why ControlCase5
1

ControlCase Introduction1

ControlCase Snapshot 4
Certification and ContinuousCompliance Services
Go beyond the auditor’s checklist to:
Dramatically cut the time, cost and burden from becoming certified and
maintaining IT compliance
• Demonstrate compliance more efficiently
and cost effectively (cost certainty)
• Improve efficiencies
• Do more with less resources and gain
compliance peace of mind
• Free up your internal resources to focus
on their priorities
• Offload much of the compliance burden
to a trusted compliance partner
1000+
Clients
300+
Security Experts
10,000+
IT Security Certifications

Solution 5
Certification and Continuous Compliance Services
Automation
-DrivenSkyCAM
Partnership
Approach
IT Certification
Services
Continuous Compliance
Services
“I’ve worked on both sides of
auditing. I have not seen any
other firm deliver the same
product and service with the
same value. No other firm
provides that continuous
improvement and the level of
detail and responsiveness.”
Security and Compliance
Manager, Data Center

Certification Services 6
OneAudit – Collect Once, Certify Many
PCI DSS ISO 27001 &
27002
SOC 1, SOC 2, SOC 3,
& SOC for Cybersecurity HITRUST CSF
HIPAA PCI P2PE GDPR NIST 800-53
PCI PIN PCI PA-DSS SCA PCI 3DS
“You have 27 seconds to make a
first impression. And after our
initial meeting, it became clear
that they were more interested
in helping our business and
building a relationship, not just
getting the business.”
Sr. Director, Information Risk &
Compliance, Large Merchant
Automation-
DrivenSkyCAM
Partnership
Approach
IT Certification
Services
Continuous Compliance
Services

About Vendor Risk Management2

Vendor Risk Management 8
 Vendor risk management is the process organizations use to understand
the risks that exist and the risks that they assume due to their business
relationships with third-party vendors.
 Vendor risk management is now a standard practice
 As a result, organizations are increasingly required to respond to their
customers requests
 59% of companies experienced a third-party breach in 2018 (Ponemon
Survey) – which costs millions of dollars and reputational damage to
large companies

Common Process Used To Manage Vendors 9
Register/Inventory
vendors
Categorize vendors
Map controls to
categories
Create vendor risk
assessment
questionnaire
Create master control
checklist
Distribute
questionnaire to
vendors
Analyze responses
and attachments
Track exceptions to
closure
Provide a Data
Security Rating

Common Challenges3

Current Status 11
 Organizations receive multiple vendor risk questionnaires from their
customers
 Each customer uses their own templates, processes and requirements -
making it challenging to respond to all customers in a timely manner
 Vendor response management is being done manually.
Vendor Response Management is increasingly taking valuable time and
resources for already busy security/compliance experts.

Common Challenges to Vendor Response Management 12
Time
• The process of responding to vendor risk management is time
consuming.
Resources
• Lack of resources to manage the process.
Cost
• Cost of hiring additional resources and complying to multiple
regulations.
Risk of Business Loss
• Risk of loosing business if you cannot comply with customer process

Techniques To Increase Efficiencies5

Multi-Threaded Approach 14
Continuous
Improvement
Identify
Common
Categories
Create
Repository
Integrate IT
Assessments
with Vendor
Response
Process
Have
“Standardized”
Verbiage

Identify Common Categories 15
 Scoping
 Anti-Malware
 Application Security
 BCP/DR
 Change Management
 Configuration Management
 Data Encryption At Rest
 Data Encryption In Transit
 Governance And Compliance
 HR
 Incident Response
 Logging & Monitoring
 Logical Access
 Network
 Physical Security
 Policies & Procedures
 Privacy
 Processing Integrity
 Risk Assessment
 Security Testing
 Third Party Management

Create
Repository for
“Single
Assessment
Data &
Responses”
16
16

Integrate Vendor Response Management With Assessments 17
Consolidated
Repository for all
assessment data
• Consolidated Repository
• Using Technology and Integrated Checklist
HIPAA
Assessment
PCI DSS
Assessment
Deliverables
a. HIPAA Assessment Report
b. PCI DSS Report on
Compliance
c. Vendor Responses
Vendor
Responses

Standardized Verbiage (Examples) 18
 “ControlCase tests its annual BCP/DR plan semi-annually. The last time it was
tested was July 15, 2019”
 “ControlCase protects all PII related to its credit card processing system
using AES-256 encryption”
 “ControlCase performs monthly vulnerability scanning. The last scan on July
5, 2019 found 2 medium and 1 low risk vulnerabilities. These were corrected
and retested on July 12, 2019. New scan results verified that the
vulnerabilities were addressed appropriately”

Why ControlCase5

Multi-Threaded Approach 20
Vendor
Responses
Skilled personnel to
document responses
Technology/Dataroom
for IT Responses
integrated with IT
Assessments
Process that includes
automation to collect
and maintain evidence

ControlCase Vendor Response Management Solution 21
01 02
0304
STEP 2
Questionnaire completed
Small/Medium questionnaire (3 business days)
Medium/Large questionnaire (5 business days)
STEP 3
Document Quality Assurance
(2 business days)
REPEATABLE PROCESS
PHASE 4
Delivery within defined SLA
STEP 1
Assessment Received and Assigned

ControlCase Certification Outcomes 22
“It’s a challenge keeping up with the
changing compliance landscape. Given
that we had GDPR and now the
California data privacy law, not to
mention HIPAA and others, there are a
lot of regulations and frameworks to
keep up with and a lot of time spent
preparing for audits. That puts a lot of
overhead and strain on me and my
team. We just don’t have the expertise
or time to keep up.
Before
ControlCase
“We cut audit prep time by 70% using
ConrolCase. It was their partner approach to us;
a combination of their expertise, their
responsiveness and automation. They brought us
great ideas on how to streamline our process,
and we were able to take advantage of
automated data collection. And, their IT
Compliance Portal gave us visibility throughout
the entire process.
Another thing - We don’t look at compliance as a
once a year event, and now, with ControlCase’s
Continuous Compliance services, we have the
visibility into what’s in compliance and what’s not
all year long. We can quickly remediate an issue
before it becomes a security threat.”
With ControlCase
Cut audit prep time by 70%

Summary – Why ControlCase 23
“They provide excellent service, expertise and technology. And, the
visibility into my compliance throughout the year and during the audit
process provide a lot of value to us.”
Dir. of Compliance, SaaS company
Your IT Compliance Partner –
Go beyond the auditor’s checklist
Partnership
Approach
SkyCAM
IT
Compliance
Portal
Automation
driven Continuous Compliance
Services

Email
contact@controlcase.com
Telephone
Americas +1.703-483-6383
India: +91.22.50323006
Social Media
Conection Suport
www.facebook.com/user
www.linkin.com/user
Visit our website
www.controlcase.com
THANK YOU FOR THE OPPORTUNITY TO
CONTRIBUTE TO YOUR
IT COMPLIANCE PROGRAM

Vendor risk management webinar 10022019 v1

More Related Content

What's hot (20)

Similar to Vendor risk management webinar 10022019 v1 (20)

More from ControlCase (16)

Recently uploaded (20)

Vendor risk management webinar 10022019 v1

Editor's Notes