TRANSCRIPT
Vendor Risk Management: Overcoming Today’s Most Common Security & Privacy Challenges
Drivers & Challenges
Copyright © 2019 OneTrust LLC. All rights reserved. Proprietary & Confidential.
Vendor Risk Management
Adapting to New Regulations (Security & Privacy)
Meeting Public Expectations (Rights & Awareness)
Protecting Against Data Breaches (Large & Frequent)
What’s Driving the Need for Vendor Risk Management?
NEW REGULATIONS
DATA BREACHES
ONGOING OVERSIGHT
Third-Party Vendor Laws Span Hundreds of Countries and Jurisdictions
VRM DRIVERS
GDPR
NYDFS Cybersecurity Regulation
Target to Pay $18.5M for 2013 Data Breach that Affected 41 Million Consumers
Security Experts Weigh In On Massive Data Breach of 150 Million MyFitnessPal Accounts
Equifax says more privacy data was stolen in 2017 breach than first revealed
Facebook Security Breach Exposes Accounts of 50 Million Users
Marriott Says Up to 500 Million Customers’ Data Stolen in Breach
Google+ to shut down after coverup of data-exposing bug
FTC Fines IoT Toy Vendor VTech for Privacy Breach
Every single Yahoo account was hacked – 3 billion in all
Consumers Now Expect Data Privacy and Protection.
67% of people support major online privacy & security legislation in the U.S.
- HarrisX
Handling the Amount of Information (Vendors & Data)
Monitoring Vendors On An Ongoing Basis (Ad Hoc & Manual)
Managing the Communication Disconnect (External & Internal)
What Challenges Are Most Enterprises Facing?
VRM CHALLENGES
INFORMATION OVERLOAD: Data Sprawl / Volume of Vendors + Lack of Business Context + Contract/DPA Unaccountability = Greater Risks
VENDOR DISCONNECT: Identifying the Right Contact + Validating Assessments + Getting a Vendor Response = More Work
ONGOING OVERSIGHT: Managing Contracts/DPAs + Managing 4th Party Vendors + No Vendor Alerts + Identifying Data Breaches = Less Insight
How are enterprises addressing these challenges?
The “Excel Hell”
Methods for Managing Third-Party Security & Privacy Risks
ASSESSMENTS: Risk Assessment Automation
EXCHANGES: Third-Party Risk Exchange
MONITORING: Third-Party Threat Monitoring
Bring Your Own Assessment
Choose an Industry Standard
Managed Services Tiered Assessment Validation
Vendor Privacy & Security Profiles
Pre-completed Assessments
Ongoing Compliance Alerts
Privacy & Security Scanning
Upstream Assessment Updates
Third-Party Risk Management Lifecycle
A Six-Step Approach
1. ONBOARD
2. DUE DILIGENCE
3. TRIAGE & ASSESS RISKS
4. DOCUMENT & DEMONSTRATE
5. MONITOR
6. OFFBOARD
Integrate Existing Systems Into the VRM Lifecycle
GRC: Integrate identified risks between your VRM and GRC systems
PM TOOLS: Automate the initiation of assessments from your existing project management platform
ITSM: Link to your IT Service Management systems to initiate assessments
CONTRACT: Sync with your contract systems, allowing you to store up-to-date contracts
PROCUREMENT: Integrate into your existing procurement processes and systems
Step 1: ONBOARD
• Self-Service Portal: Enable business owners to add vendors themselves and leverage threshold assessments
• System Integrations: Integrate with procurement, ITSM & other systems to auto-add vendors to your inventory
• Bulk Import: Use existing information and bulk import it into a centralized vendor risk platform
GOAL: MOVE FROM SPREADSHEETS TO SOFTWARE W/ CENTRAL VENDOR INVENTORY
Step 2: DUE DILIGENCE
• Security & Privacy Certs.: Use a tool or manually check for cert. by going directly to the cert. website
• Qualify Adequate Vendors: Leverage third-party research information to sift through non-viable vendors
• Leverage Aggregated Research: Avoid starting from scratch and leverage databases of third-party research
GOAL: START WITH A DUE-DILIGENCE BASELINE WHEN ADDING NEW VENDORS
Step 3: TRIAGE & ASSESS RISKS
• Determine Assessment Approach: Use inherent risk scoring to determine the depth of your vendor assessment
• Create Workflows: Leverage automation technology or create a documented assessment workflow process
• Look for Managed Services: Outsource vendor chasing if necessary with managed services
GOAL: AUTOMATE AS MUCH OF THE ASSESSMENT PROCESS AS POSSIBLE
Step 4: DOCUMENT & DEMONSTRATE
• Contract & DPA Management: Hold third-party vendors accountable by linking and tracking data processing agreements
• Map Data Flows: Integrate w/ a data mapping tool to add necessary business context when assessing risks
• Dashboards & Reporting: Bring data into a single tool for better dashboards, reporting templates, and filtering
GOAL: MAINTAIN RECORDS FOR SECURITY & PRIVACY COMPLIANCE/AUDITS
Step 5: MONITOR
• 4th Party/Subprocessor Changes: Maintain compliance by monitoring subprocessor changes w/ tool or via RSS feeds, etc.
• Security & Privacy Info. Updates: Perform third-party information reviews to check the validity of security & privacy info.
• Scheduled Reassessments: Schedule re-assessments with an automated tool or via alerting system
GOAL: TRACK THIRD-PARTY COMPLIANCE OVER TIME FOR ONGOING OVERSIGHT
Step 6: OFFBOARD
• Offboarding Checklist: Run offboarded vendors through a templated checklist for consistency and compliance
• Track Offboarding Evidence: Work with all involved parties to track down evidence of proper offboarding
• Business, Legal and Vendor Confirmations: Maintain an auditable activity trail to share with regulators if necessary
GOAL: SUNSET VENDORS WITH EASE WHILE MAINTAINING NECESSARY RECORDS
Case Studies
Processor Breach
• Mid-level manager at your chosen vendor accidentally shares PII related to your processing activity
• Sensitive and Special data about your customers have now been compromised and accessed by an unknown number of people
What is the processor’s obligation?
How can you ensure the Processor helps notify Data Subjects?
Use of Data
• Vendor in charge of your spring marketing email campaign wants to use your list of engaged email addresses to advertise their services
What right to the data do they have?
Can you sell that data to the vendor?
Is the vendor still a processor?
Contract Failure
• Your regularly scheduled audit of a vendor reveals that they are in violation of multiple agreements in your contract
• This is the first time an audit has found any shortcomings from the vendor
What is your course of action?
Competing Vendors
• You need a new vendor and have found two similarly priced competitors
• Neither are located within the EEA
How do you choose a vendor?
What key differentiators do you look for?
OneTrust Vendor Risk Management Demo
Free Vendor Risk Management Tool
Free Access to Thousands of Completed Vendor Assessments
Ready-to-Use, Easy-to-Customize CAIQ Templates
Automate the Entire Vendor Management Lifecycle
Powered by Vendorpedia™ by OneTrust
Get started with the Free CSA-OneTrust Vendor Risk Management tool and visit www.onetrust.com/csa-vrm
OneTrust Privacy Management Software Platform
Privacy Program Management
Assessment Automation: PIA | DPIA | PbD | InfoSec
DataGuidance Research: In-Depth Law Database
Data Mapping: Discovery | ROPA | Inventory
Targeted Data Discovery: Access | Deletion | Portability
Maturity & Benchmarking: Executive Scorecard
Privacy & Marketing User Experience
Cookie Compliance: Powered by Cookiepedia™
Consent & Preferences: Universal Preference Center
Mobile App Compliance: Scanning & Consent
Policies & Notices: Centrally Host, Track & Update
Data Subject Rights: From Intake to Fulfillment
Incident and Breach Response
Incident Intake: Centralized Register
Risk Assessments: Risk and Harms Analysis
DataBreachpedia™: 300+ Indexed Breach Laws
Notification & Reporting: Obligation Tracking
Real-Time Activity Feed: Breaches & Enforcements
Vendor Risk Management
Vendor Assessments: Security & Privacy Risk
Contracts & DPAs: Legal Document Integration
Vendorpedia™ Exchange: Third-Party Risk Exchange
Ongoing Monitoring: Privacy & Security Threats
Chasing Services: Managed Services
Visit Our Booth: Product Demos
Full Text GDPR Books, Free Tools & Templates
GDPR Workshops
@OneTrust | onetrust.com | [email protected]
250+ Events Across 100+ Global Cities
“This was the best GDPR-focused conference I have ever been to. This was not just a high-level look into requirements, but an in-depth educational experience for myself and my colleagues.”
Amsterdam, Dublin, London, Paris, Oslo, Stockholm, Helsinki, Belfast, Geneva, Zurich, Warsaw, Vienna, Milan, Madrid, Athens, San Francisco, Chicago, New York, Washington DC, Atlanta, Houston, Toronto, Denver, Phoenix, Boston, Charlotte, Seattle, Columbus, Los Angeles, Indianapolis, Rome, Brussels, Prague, Manchester, Tel Aviv, Lisbon, Budapest, Stuttgart, Berlin, Bucharest, Barcelona, Frankfurt, Dubai, Doha, Abu Dhabi, Philadelphia, Minneapolis, Detroit, Portland, Kansas City, Raleigh, St. Louis, San Diego, Austin, Cleveland, Hong Kong, Sydney, Melbourne, Singapore, Seoul
Free CCPA & GDPR Workshops: 5 CPE Credit Hours, OneTrust Certification Program in Select Cities
Monthly Privacy Webinar Series: Hosted by Top Tier Law Firms & Consultancies
Local Community Chapters: Latest Privacy News & Events in your City
VIEW FULL SCHEDULE: PrivacyConnect.com
Questions?