Jeff Miller, Tamra Pawloski. 2014 IT Procurement Summit headline news…

Transcript of the slide deck (22 pages).

Page 1

Jeff Miller, Tamra Pawloski

Page 2

2014 IT Procurement Summit headline news…

Page 3

Cybersecurity is evolving and dynamic

Program elements
• Policy – program framework
• Prevention – anticipate risks & safeguard assets
• Detection – test & attempt to penetrate your own fortress
• Communication – awareness and understanding of risks & benefits
• Collaborate, adapt, and innovate with time…

Page 4

Cybersecurity Maturity Path: It’s a Journey…

Opposing risk & benefit objectives
• Emerging technologies / outsourcing
• Increased threats & attacks

From tactical, reactive silos to a risk practice
• Information technology / sourcing / legal
• Collaborative team work
• Risk Management – human capital
• Global scope & process integration

Page 5

Risk Management Human Capital (beyond policies)

Vendor Risk Management (IT)
Vendor Risk Committee (IT, Legal, Sourcing and Business Continuity)
Chief Security Officer (IT)
Chief Privacy Officer (Legal)

Certified Specialists
• Information Systems Professional (CISSP)
• Information Privacy Professional (CIPP)
• Risk & Information Systems Control (CRISC)

Page 6

The emerging need for Cyber Risk skills is growing…

Traditional Skills
• Spend Analytics
• Evaluations
• RFXs
• Negotiations
• Terms & Conditions
• SOW & SLA
• Asset & Vendor Management

Additional Skills
• Risk Management
• Technology and data security assessments
• Outsourcing Specialist
• Office of Foreign Assets Control (OFAC) Monitoring
• Data Privacy
• Business Continuity

Taming the Maintenance Monster

Page 7

“Defense in Depth”: Internal Systems and Solutions

Page 8

Various Supplier Relationship Models Containing Data

• Application Service Providers (ASPs)
• Software-as-a-Service (SaaS)
• Business Process Outsourcing (BPO)
• Benefit contractors (health insurance, 401k, ...)
• Treasury contractors (banks, transfer agents, …)
• Third-Party Administrators (TPAs)
• Global IT Outsourcers
• Programming outsourcers
• Program managers

Page 9

“Defense in Depth”: External Service Providers

Page 10

Cybersecurity – Collaborative Effort

Technology
• Platform compliance, system & access controls, vulnerability testing, and system monitoring

Vendor Risk Management
• Performs “assessments” / recommends options

Legal
• Regulatory, privacy and confidentiality T&Cs

Strategic Sourcing
• Sourcing compliance and negotiations

Page 11

Supplier & Business Assessment “Risk Profile”

Page 12

Data Protection Agreements and Provisions

If possible, part of the RFX process along with your standard agreement template
Holds the supplier accountable to safeguard your data
Contains requirements that go beyond what is required by law
Part of our Sourcing Cyber Security process

Page 13

Data Protection Agreements Contents

Data Restriction (what the supplier can and cannot do with our data)
Complies with federal, state, provincial and local laws and regulations
Physical Security Controls
• Location (alarm systems, visitor access, security guards, fire & water, HVAC, video surveillance, etc.)
• Trash disposal program
• Security and environmental controls over all computer rooms and equipment used to process, file, store, or transmit data

Page 14

Data Protection Agreements Contents (continued)

Data Security Controls
• Logical access controls

• User sign on identification and authentication

• Password protection of system applications, data files, databases, repositories, and libraries

• Accountability tracking

• Anti-virus software

• Secured printers

• Restricted ability to download to disk / devices

• No logically shared environments with others…

Page 15

Data Protection Agreements Contents (continued)

Supplier Representatives
• Background checks once a year

• Citizenship check & Social Security check

• OFAC Specially Designated National check

• Criminal felony and misdemeanor check

• Education / prior employment check

• Credit / financial check

• Must attend confidentiality and security awareness training (including monitoring)

• Must advise of any international handling

Page 16

Data Protection Agreements Contents (continued)

Audits and Inspections permitted
Security Administration: access records
Access: no shared IDs, need-to-know / job function basis
Supplier System Security (adequate network protection, logically secured…)
Operation Procedures (security patches and escalation procedures)

Page 17

Data Protection Agreements Contents (continued)

Encryption (any exchange of data across the Internet or on removable media)
Network Security (detection / prevention sensors & firewalls / vulnerability tests)
Web Application Security (same as above)
Breach Notification (procedures, escalation, investigations & liabilities)
Call Recording and Monitoring (secured consent, and access to recordings)
More…?

Page 18

Data Protection Agreements: Types

IT Vendor Risk Management completes the “Risk Profile” & determines the agreement
Earlier in the process, more success!
Various types
• Long standalone – comprehensive
• Short form – limited or no risk
• Custom
Cyber Insurance where & when required
Part of our standard sourcing process

Page 19

Data Protection Agreement Process

Master Services Agreement
• Terms & Conditions
• Statement of Work
• Data Protection
• Service Level Agreement

Data Protection Agreement
• Long form – comprehensive
• Custom
• Short form – limited risk

Page 20

Data Protection Agreement Process – Who?

Strategic Sourcing / Legal
Vendor Risk Management & IT
Vendor Risk Management & Strategic Sourcing
Legal & Vendor Risk Management & Strategic Sourcing
Strategic Sourcing / Legal & IT

Page 21

Summary

Threats are on the rise – be vigilant!
Technology expands and cyber risk mitigation is a journey…
Risk management skills will become critical for everyone!
Hold your suppliers accountable when handling your data and information!
Make cyber security part of your standard process!

Page 22

Questions?

Thank you…