
Vendor Risk Management: Overcoming Today’s Most Common Security & Privacy Challenges

Posted on 18-Jul-2020

Page 1: Vendor Risk Management… · Free Vendor Risk Management Tool Free Access to Thousands of Completed Vendor Assessments Ready-to-Use, Easy-to-Customize CAIQ Templates Automate the

Vendor Risk Management: Overcoming Today’s Most Common Security & Privacy Challenges

Page 2

Drivers & Challenges

Copyright © 2019 OneTrust LLC. All rights reserved. Proprietary & Confidential.

Vendor Risk Management

Page 3

What’s Driving the Need for Vendor Risk Management?

Adapting to New Regulations (Security & Privacy)

Meeting Public Expectations (Rights & Awareness)

Protecting Against Data Breaches (Large & Frequent)

Page 4

VRM DRIVERS: NEW REGULATIONS | DATA BREACHES | ONGOING OVERSIGHT

Third-Party Vendor Laws Span Hundreds of Countries and Jurisdictions

GDPR

NYDFS Cybersecurity Regulation

Page 5

VRM DRIVERS: NEW REGULATIONS | DATA BREACHES | PUBLIC EXPECTATIONS

Target to Pay $18.5M for 2013 Data Breach that Affected 41 Million Consumers

Security Experts Weigh In On Massive Data Breach of 150 Million MyFitnessPal Accounts

Equifax says more privacy data was stolen in 2017 breach than first revealed

Facebook Security Breach Exposes Accounts of 50 Million Users

Marriott Says Up to 500 Million Customers’ Data Stolen in Breach

Google+ to shut down after coverup of data-exposing bug

FTC Fines IoT Toy Vendor VTech for Privacy Breach

Every single Yahoo account was hacked – 3 billion in all

Page 6

VRM DRIVERS: NEW REGULATIONS | DATA BREACHES | PUBLIC EXPECTATIONS

Consumers Now Expect Data Privacy and Protection.

Page 7

VRM DRIVERS: NEW REGULATIONS | DATA BREACHES | PUBLIC EXPECTATIONS

67% of people support major online privacy & security legislation in the U.S.

- HarrisX

Page 8

What Challenges Are Most Enterprises Facing?

Handling the Amount of Information (Vendors & Data)

Monitoring Vendors On An Ongoing Basis (Ad Hoc & Manual)

Managing the Communication Disconnect (External & Internal)

Page 9

VRM CHALLENGES: INFORMATION OVERLOAD | VENDOR DISCONNECT | ONGOING OVERSIGHT

Information Overload: Data Sprawl + Lack of Business Context + Contract/DPA Unaccountability = Greater Risks

Page 10

VRM CHALLENGES: INFORMATION OVERLOAD | VENDOR DISCONNECT | ONGOING OVERSIGHT

Information Overload: Data Sprawl + Lack of Business Context + Contract/DPA Unaccountability = Greater Risks

Vendor Disconnect: Identifying the Right Contact + Validating Assessments + Getting a Vendor Response = More Work

Page 11

VRM CHALLENGES: INFORMATION OVERLOAD | VENDOR DISCONNECT | ONGOING OVERSIGHT

Information Overload: Data Sprawl + Lack of Business Context + Managing Contracts/DPAs = Greater Risks

Vendor Disconnect: Identifying the Right Contact + Validating Assessments + Getting a Vendor Response = More Work

Ongoing Oversight: Managing 4th Party Vendors + No Vendor Alerts + Identifying Data Breaches = Less Insight

Page 12

VRM CHALLENGES: INFORMATION OVERLOAD | VENDOR DISCONNECT | ONGOING OVERSIGHT

Information Overload: Volume of Vendors + Lack of Business Context + Contract/DPA Unaccountability = Greater Risks

Vendor Disconnect: Identifying the Right Contact + Validating Assessments + Getting a Vendor Response = More Risks

Ongoing Oversight: Managing 4th Party Vendors + No Vendor Alerts + Identifying Data Breaches = Less Insight

How are enterprises addressing these challenges?

Page 13

The “Excel Hell”

Page 14

Methods for Managing Third-Party Security & Privacy Risks

ASSESSMENTS: Risk Assessment Automation

EXCHANGES: Third-Party Risk Exchange

MONITORING: Third-Party Threat Monitoring

Bring Your Own Assessment

Choose an Industry Standard

Managed Services Tiered Assessment Validation

Vendor Privacy & Security Profiles

Pre-completed Assessments

Ongoing Compliance Alerts

Privacy & Security Scanning

Upstream Assessment Updates

Page 15

Third-Party Risk Management Lifecycle

A Six-Step Approach

Page 16

Third-Party Risk Management Lifecycle

1. ONBOARD

2. DUE DILIGENCE

3. TRIAGE & ASSESS RISKS

4. DOCUMENT & DEMONSTRATE

5. MONITOR

6. OFFBOARD

Page 17

Integrate Existing Systems Into the VRM Lifecycle

GRC: Integrate identified risks between your VRM and GRC systems

PM TOOLS: Automate the initiation of assessments from your existing project management platform

ITSM: Link to your IT Service Management systems to initiate assessments

CONTRACT: Sync with your contract systems, allowing you to store up-to-date contracts

PROCUREMENT: Integrate into your existing procurement processes and systems

Page 18

ONBOARD | DUE DILIGENCE | TRIAGE & ASSESS RISKS | DOCUMENT & DEMONSTRATE | MONITOR | OFFBOARD

ONBOARD

Self-Service Portal: Enable business owners to add vendors themselves and leverage threshold assessments

System Integrations: Integrate with procurement, ITSM & other systems to auto-add vendors to your inventory

Bulk Import: Use existing information and bulk import it into a centralized vendor risk platform

GOAL: MOVE FROM SPREADSHEETS TO SOFTWARE W/ CENTRAL VENDOR INVENTORY

Page 19

Security & Privacy Certs.: Use a tool or manually check for a cert. by going directly to the cert. website

Qualify Adequate Vendors: Leverage third-party research information to sift through non-viable vendors

Leverage Aggregated Research: Avoid starting from scratch and leverage databases of third-party research

GOAL: START WITH A DUE-DILIGENCE BASELINE WHEN ADDING NEW VENDORS

Page 20

Look for Managed Services: Outsource vendor chasing if necessary with managed services

Create Workflows: Leverage automation technology or create a documented assessment workflow process

Determine Assessment Approach: Use inherent risk scoring to determine the depth of your vendor assessment

GOAL: AUTOMATE AS MUCH OF THE ASSESSMENT PROCESS AS POSSIBLE

Page 21

Map Data Flows: Integrate w/ a data mapping tool to add necessary business context when assessing risks

Contract & DPA Management: Hold third-party vendors accountable by linking and tracking data processing agreements

Dashboards & Reporting: Bring data into a single tool for better dashboards, reporting templates, and filtering

GOAL: MAINTAIN RECORDS FOR SECURITY & PRIVACY COMPLIANCE/AUDITS

Page 22

Security & Privacy Info. Updates: Perform third-party information reviews to check the validity of security & privacy info.

4th Party/Subprocessor Changes: Maintain compliance by monitoring subprocessor changes w/ a tool or via RSS feeds, etc.

Scheduled Reassessments: Schedule re-assessments with an automated tool or via an alerting system

GOAL: TRACK THIRD-PARTY COMPLIANCE OVER TIME FOR ONGOING OVERSIGHT
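The Triage & Assess Risks slide (Page 20) says to use inherent risk scoring to set the depth of a vendor assessment, and the Monitor slide above says to schedule re-assessments. The Python below is an added example, not code from the deck or from any OneTrust product; it shows one way the two steps fit together: an additive inherent-risk score from intake attributes, a tier that fixes both questionnaire depth and reassessment cadence, and a triage pass that flags which vendors are due. The factor weights, tier thresholds, cadences, the `Vendor` fields and the sample inventory are all assumptions constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical weights for the inherent-risk factors a triage step might use
# (assumed for this example; a real programme would tune them to its policy).
DATA_WEIGHTS = {"public": 0, "confidential": 2, "pii": 3, "special": 5}
ACCESS_WEIGHTS = {"none": 0, "read": 2, "write": 3}
TRANSFER_WEIGHT = 2          # vendor processes the data outside the EEA
MAX_SUBPROCESSOR_WEIGHT = 3  # each known 4th party adds 1, capped here

# Assessment tiers: (minimum score, tier name, reassessment cadence in days).
# Higher inherent risk gets a deeper questionnaire and a shorter cadence.
TIERS = [
    (9, "full", 180),
    (5, "standard", 365),
    (0, "light", 730),
]


@dataclass
class Vendor:
    name: str
    data_categories: set[str]      # categories of your data the vendor touches
    access: str                    # "none", "read" or "write"
    outside_eea: bool              # processing located outside the EEA
    subprocessors: int             # known 4th parties used by the vendor
    last_assessed: Optional[date]  # None means never assessed


def inherent_risk_score(v: Vendor) -> int:
    """Additive inherent-risk score from the vendor's intake attributes."""
    unknown = v.data_categories - set(DATA_WEIGHTS)
    if unknown or v.access not in ACCESS_WEIGHTS:
        raise ValueError(f"{v.name}: unrecognised intake values {unknown or v.access}")
    data = max((DATA_WEIGHTS[c] for c in v.data_categories), default=0)
    transfer = TRANSFER_WEIGHT if v.outside_eea else 0
    chain = min(v.subprocessors, MAX_SUBPROCESSOR_WEIGHT)
    return data + ACCESS_WEIGHTS[v.access] + transfer + chain


def assessment_tier(score: int) -> tuple[str, int]:
    """Map a score to (tier name, reassessment cadence in days)."""
    for floor, name, days in TIERS:
        if score >= floor:
            return name, days
    raise ValueError("score must be non-negative")


def reassessment_due(v: Vendor, today: date) -> bool:
    """True if the vendor was never assessed or its tier's cadence has elapsed."""
    _, days = assessment_tier(inherent_risk_score(v))
    if v.last_assessed is None:
        return True
    return today - v.last_assessed >= timedelta(days=days)


def triage(vendors: list[Vendor], today: date) -> list[dict]:
    """Score every vendor and list them highest risk first, with due flags."""
    rows = []
    for v in vendors:
        score = inherent_risk_score(v)
        tier, days = assessment_tier(score)
        rows.append({
            "vendor": v.name,
            "score": score,
            "tier": tier,
            "cadence_days": days,
            "reassessment_due": reassessment_due(v, today),
        })
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample inventory (not real vendors).
SAMPLE_VENDORS = [
    Vendor("payroll-saas", {"special", "pii"}, "write", True, 4, date(2019, 1, 15)),
    Vendor("email-campaign", {"pii"}, "read", False, 1, date(2019, 3, 1)),
    Vendor("office-supplies", {"public"}, "none", False, 0, None),
]


def sample_triage() -> list[dict]:
    """Run the triage over the constructed inventory as of 2019-07-15."""
    return triage(SAMPLE_VENDORS, date(2019, 7, 15))


if __name__ == "__main__":
    for row in sample_triage():
        print(row)
```

Run as a script it prints one row per vendor; the payroll vendor (special-category data, write access, non-EEA processing, four subprocessors) lands in the full tier and is overdue on a 180-day cadence, while a vendor that has never been assessed is flagged as due regardless of tier. Keeping the weights and cadences as data rather than code is what lets the scoring policy be reviewed and changed without touching the triage logic.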

Page 23

Offboarding Checklist: Run offboarded vendors through a templated checklist for consistency and compliance

Business, Legal and Vendor Confirmations: Work with all involved parties to track down evidence of proper offboarding

Track Offboarding Evidence: Maintain an auditable activity trail to share with regulators if necessary

GOAL: SUNSET VENDORS WITH EASE WHILE MAINTAINING NECESSARY RECORDS

Page 24

Case Studies

Page 25

Processor Breach

• Mid-level manager at your chosen vendor accidentally shares PII related to your processing activity

• Sensitive and Special data about your customers have now been compromised and accessed by an unknown number of people

What is the processor’s obligation?

How can you ensure the Processor helps notify Data Subjects?

Page 26

Use of Data

• Vendor in charge of your spring marketing email campaign wants to use your list of engaged email addresses to advertise their services

What right to the data do they have?

Can you sell that data to the vendor?

Is the vendor still a processor?

Page 27

Contract Failure

• Your regularly scheduled audit of a vendor reveals that they are in violation of multiple agreements in your contract

• This is the first time an audit has found any shortcomings from the vendor

What is your course of action?

Page 28

Competing Vendors

• You need a new vendor and have found two similarly priced competitors

• Neither is located within the EEA

How do you choose a vendor?

What key differentiators do you look for?

Page 29

OneTrust Vendor Risk Management Demo

Page 30

Free Vendor Risk Management Tool

Free Access to Thousands of Completed Vendor Assessments

Ready-to-Use, Easy-to-Customize CAIQ Templates

Automate the Entire Vendor Management Lifecycle

Powered by Vendorpedia™ by OneTrust

Get started with the Free CSA-OneTrust Vendor Risk Management tool and visit

www.onetrust.com/csa-vrm

Page 31

OneTrust Privacy Management Software Platform

Privacy Program Management

• Assessment Automation: PIA | DPIA | PbD | InfoSec

• DataGuidance Research: In-Depth Law Database

• Data Mapping: Discovery | ROPA | Inventory

• Targeted Data Discovery: Access | Deletion | Portability

• Maturity & Benchmarking: Executive Scorecard

Privacy & Marketing User Experience

• Cookie Compliance: Powered by Cookiepedia™

• Consent & Preferences: Universal Preference Center

• Mobile App Compliance: Scanning & Consent

• Policies & Notices: Centrally Host, Track & Update

• Data Subject Rights: From Intake to Fulfillment

Incident and Breach Response

• Incident Intake: Centralized Register

• Risk Assessments: Risk and Harms Analysis

• DataBreachpedia™: 300+ Indexed Breach Laws

• Notification & Reporting: Obligation Tracking

• Real-Time Activity Feed: Breaches & Enforcements

Vendor Risk Management

• Vendor Assessments: Security & Privacy Risk

• Contracts & DPAs: Legal Document Integration

• Vendorpedia™ Exchange: Third-Party Risk Exchange

• Ongoing Monitoring: Privacy & Security Threats

• Chasing Services: Managed Services

Page 32

Visit Our Booth: Product Demos

Full Text GDPR Books: Free Tools & Templates

GDPR Workshops

@OneTrust | onetrust.com | [email protected]

Page 33

250+ Events Across 100+ Global Cities

“This was the best GDPR-focused conference I have ever been to. This was not just a high-level look into requirements, but an in-depth educational experience for myself and my colleagues.”

Amsterdam, Dublin, London, Paris, Oslo, Stockholm, Helsinki, Belfast, Geneva, Zurich, Warsaw, Vienna, Milan, Madrid, Athens, San Francisco, Chicago, New York, Washington DC, Atlanta, Houston, Toronto, Denver, Phoenix, Boston, Charlotte, Seattle, Columbus, Los Angeles, Indianapolis, Rome, Brussels, Prague, Manchester, Tel Aviv, Lisbon, Budapest, Stuttgart, Berlin, Bucharest, Barcelona, Frankfurt, Dubai, Doha, Abu Dhabi, Philadelphia, Minneapolis, Detroit, Portland, Kansas City, Raleigh, St. Louis, San Diego, Austin, Cleveland, Hong Kong, Sydney, Melbourne, Singapore, Seoul

Free CCPA & GDPR Workshops: 5 CPE Credit Hours OneTrust Certification Program in Select Cities

Monthly Privacy Webinar Series: Hosted by Top Tier Law Firms & Consultancies

Local Community Chapters: Latest Privacy News & Events in your City

VIEW FULL SCHEDULE: PrivacyConnect.com

Page 34

Questions?