3rd party risk review process
play

3rd Party Risk Review Process June 15, 2018 Computing Services and - PowerPoint PPT Presentation

Sep 25, 2022 •124 likes •298 views

Computing Services and Systems Development 3rd Party Risk Review Process June 15, 2018 Computing Services and Systems Development Agenda Use of third party vendors Need to assess risk Assessment methodologies Challenges

  1. Computing Services and Systems Development 3rd Party Risk Review Process June 15, 2018

  2. Computing Services and Systems Development Agenda • Use of third party vendors • Need to assess risk • Assessment methodologies • Challenges • PITT’s process (past, now, future) • Recommendations • Questions

  3. Computing Services and Systems Development Use of third party vendors Support scientific work on cyberinfrastructure Examples: Globus Fisher Scientific Qualtrics AWS/Google/Azure Electronic Lab Notebooks Bill & Ted’s Excellent Web Developers

  4. Computing Services and Systems Development Need to assess risk • Everyone has breaches • Will the vendor protect your information? • Does your vendor have sufficient security to detect if/when they have a breach? • Can you trust your vendor to notify you if/when they have a breach involving your information?

  5. Computing Services and Systems Development Goals of security assessment • Be affordable • Ensure all vendors are regularly assessed • Provide reliable results that that support risk- based decisions

  6. Computing Services and Systems Development Assessment Methodologies • Vendor self-assessment (SIG, HECVAT, NIST RMF, OCTAVE) • Security ratings (BitSight/SecurityScorecard) • Security Audit/Certification (SOC2, ISO, NIST 800-53/171, COBIT, FedRAMP) • Vulnerability assessments • Questionnaires

  7. Computing Services and Systems Development Pitt’s process - Past • Questionnaire based off ISO 27001 controls (loosely) • Word Document • All vendors got the same questionnaire

  8. Computing Services and Systems Development Pitt’s process – Past (continued) Not risk based – low risk engagements were treated the same as high risk Process not formalized, publicized or enforced No recurring assessments No formal scoring

  9. Computing Services and Systems Development Pitt’s process - Current • Questionnaire - Based on NIST 800-171 • Online (Qualtrics) • Risk based – low risk vs high risk • Different assessment based on risk • More formal scoring • Onboarding process more formalized

  10. Computing Services and Systems Development

  11. Computing Services and Systems Development

  12. Computing Services and Systems Development

  13. Computing Services and Systems Development Pitt’s process - Future • Formal University Procurement Policy • Better data management • Continuous vs point in time assessments • Automated scoring “Weak but continuous assessment processes are more reliable than rigorous assessments conducted once” - Gartner

  14. Computing Services and Systems Development Recommendations • Develop ‘some’ process • Decide what you want to accomplish • Risk based – level of effort to assess and remediate risk should be commensurate with the threat to your institution

  15. Computing Services and Systems Development Questions???

  16. Computing Services and Systems Development Thank You

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Implementing a Consistent and Efficient Third-Party Due Diligence Process Practical insight into

Implementing a Consistent and Efficient Third-Party Due Diligence Process Practical insight into

Implementing a Consistent and Efficient Third-Party Due Diligence Process Practical insight into technology deployment and review to ensure ongoing compliance Paul Hommes Risk & Compliance Specialist LexisNexis June 2016 Agenda

466 views • 43 slides
Supreme Leader Pulkit Party!!!!!! Party!!!!!! Just us Party!!!!!! What we have done

Supreme Leader Pulkit Party!!!!!! Party!!!!!! Just us Party!!!!!! What we have done

Supreme Leader Pulkit Party!!!!!! Party!!!!!! Just us Party!!!!!! What we have done Party!!!!!! Party!!!!!! Curling Orientation Party!!!!!! Party!!!!!! Party!!!!!! National day parade Airport picking-uping Party!!!!!!

1.18k views • 69 slides
OCC Mutual Savings Association Advisory Committee Third-Party Relationships: Risk Management

OCC Mutual Savings Association Advisory Committee Third-Party Relationships: Risk Management

OCC Mutual Savings Association Advisory Committee Third-Party Relationships: Risk Management Guidance Overview April 29, 2014 Kim Cahill and John Eckert Operational Risk Division OCC Chief National Bank Examiner Office 1 Third-Party

100 views • 6 slides
Investor Community Conference Call Q1 2008 2008 2008 2008 Risk Review Risk Review Risk

Investor Community Conference Call Q1 2008 2008 2008 2008 Risk Review Risk Review Risk

Investor Community Conference Call Q1 2008 2008 2008 2008 Risk Review Risk Review Risk Review Risk Review Bob McGlashan Executive Vice President and Chief Risk Officer, Enterprise Risk and Portfolio Management March 4 2008 Forward

488 views • 10 slides
2008 2008 2008 2008 Investor Community Conference Call Risk Review Risk Review Risk

2008 2008 2008 2008 Investor Community Conference Call Risk Review Risk Review Risk

2008 2008 2008 2008 Investor Community Conference Call Risk Review Risk Review Risk Review Risk Review Bob McGlashan Executive Vice President and Chief Risk Officer, Enterprise Risk and Portfolio Management March 4 2008 Forward

469 views • 19 slides
Innovations in Third-Party Risk Management 2019 Risk Summit Nonprofit Risk Management Center

Innovations in Third-Party Risk Management 2019 Risk Summit Nonprofit Risk Management Center

Innovations in Third-Party Risk Management 2019 Risk Summit Nonprofit Risk Management Center Lansdowne Resort & Spa Leesburg, VA October 21, 2019 T odays Speakers T om Rogers, CPA Jeff T enenbaum, Esq. Founder & CEO Chair

563 views • 40 slides
MOU LAY-UP SEMINAR Oslo, Norway THIRD PARTY REVIEW Andrew Pointing 12 December 2016 A TYPICAL

MOU LAY-UP SEMINAR Oslo, Norway THIRD PARTY REVIEW Andrew Pointing 12 December 2016 A TYPICAL

CEFOR: MOU LAY-UP SEMINAR Oslo, Norway THIRD PARTY REVIEW Andrew Pointing 12 December 2016 A TYPICAL THIRD PARTY REVIEW A mixed case study for verification of MOU / vessel lay- up Consultation Third Party Review with owner (and his

142 views • 13 slides
The Risk Assessment/Risk Management Process What is risk assessment? The process of evaluating

The Risk Assessment/Risk Management Process What is risk assessment? The process of evaluating

Risk Assessment 101 Scott D. Dwyer, PhD, DABT Practice Leader Risk Analysis and Toxicology Kleinfelder 14710 NE 87 th Street, Suite 100 Redmond WA 98074 425-636-7910 sdwyer@kleinfelder.com The Risk Assessment/Risk Management Process What

378 views • 12 slides
THIRD-PARTY RISK MANAGEMENT For your website Protect your most valuable asset - your web

THIRD-PARTY RISK MANAGEMENT For your website Protect your most valuable asset - your web

1 THIRD-PARTY RISK MANAGEMENT For your website Protect your most valuable asset - your web presence Idan Cohen, Q3 2019 The untold supply-chain challenge: THIRD-PARTIES ON WEBSITES 3 Let s understand What is a web third-party

338 views • 15 slides
Post Rating Factors Past Performance Review and Selection Assessing Applicant Process Risk 2

Post Rating Factors Past Performance Review and Selection Assessing Applicant Process Risk 2

Fiscal Year (FY) 2020 Indian Housing Block Grant (IHBG) Competitive Program Training 1 Post Rating Factors Past Performance Review and Selection Assessing Applicant Process Risk 2 Applicant Selection Process Review and Selection

440 views • 32 slides
VENDOR MANAGEMENT AND THIRD PARTY RISK Amy J Butler Legal & General America May 18, 2018

VENDOR MANAGEMENT AND THIRD PARTY RISK Amy J Butler Legal & General America May 18, 2018

VENDOR MANAGEMENT AND THIRD PARTY RISK Amy J Butler Legal & General America May 18, 2018 Todays Presentation ! Definitions ! Why do we need Vendor Risk Management ! Risks Posed by Third Party / Vendor Relationships ! Vendor Risk

346 views • 24 slides
A competitive advantage for your company through Third Party Monitoring ODIS THIRD PARTY

A competitive advantage for your company through Third Party Monitoring ODIS THIRD PARTY

A competitive advantage for your company through Third Party Monitoring ODIS THIRD PARTY (CONTRACT) MANAGEMENT (TPM) Index Introduction Complexity, governance and risk Past, Present and Future, where are you in the evolution?

295 views • 15 slides
Risk Management Workshop 1 Risk management workshop Why do we Risk Risk and need risk

Risk Management Workshop 1 Risk management workshop Why do we Risk Risk and need risk

FREE Lifelong Learning Event for Fasset Members Risk Management Workshop 1 Risk management workshop Why do we Risk Risk and need risk assessment control matrix management process Governance Risk appetite Agenda for and risk Risk

1.28k views • 105 slides
RECALLS Mitigating the Risk and Managing the Process October 9, 2019 Agenda Managing the Risk

RECALLS Mitigating the Risk and Managing the Process October 9, 2019 Agenda Managing the Risk

RECALLS Mitigating the Risk and Managing the Process October 9, 2019 Agenda Managing the Risk Managing the Process Q & A Session Risk Assessment Process Reporting Requirements Risk Management Tools Recall Preparedness Product Life

879 views • 65 slides
Risk Rule Revisions Kevin Sarb Risk Revisions The following criteria were revised as part of the

Risk Rule Revisions Kevin Sarb Risk Revisions The following criteria were revised as part of the

2015 Record Review Training-Formula Approval Risk Rule Revisions Kevin Sarb Risk Revisions The following criteria were revised as part of the routine cyclical review process by USDA and will be implemented with the May 18, 2016 Release. 201 Low

468 views • 17 slides
EVALUATING THIRD PARTY RELATIONSHIPS OVERVIEW BENEFITS Gain expertise Gain

EVALUATING THIRD PARTY RELATIONSHIPS OVERVIEW BENEFITS Gain expertise Gain

EVALUATING THIRD PARTY RELATIONSHIPS OVERVIEW BENEFITS Gain expertise Gain efficiencies Reach new members Provide more products and services RISKS Reputation Risk Operational Risk Transaction Risk

361 views • 19 slides
1 Basic Info n Breakfast, coffee breaks n Meals n Lunch provided both days n Supported by

1 Basic Info n Breakfast, coffee breaks n Meals n Lunch provided both days n Supported by

1 Basic Info n Breakfast, coffee breaks n Meals n Lunch provided both days n Supported by University of Pittsburgh Provosts Office, SCI n n Dinner on your own n WiFi Wyndham Pittsburgh <v93j3q> n Need help? n Kelly Shaffer,

1.09k views • 94 slides
Practical and Effective Sandboxing for Non-root users Taesoo Kim and Nickolai Zeldovich MIT

Practical and Effective Sandboxing for Non-root users Taesoo Kim and Nickolai Zeldovich MIT

Practical and Effective Sandboxing for Non-root users Taesoo Kim and Nickolai Zeldovich MIT CSAIL Why yet another sandbox for desktop applications? There are many existing sandbox mechanisms Chroot / Lxc (Unix/Linux) Jail (Freebsd)

515 views • 48 slides
1 Scale space representation Scale space representation Keypoint detection Keypoint detection

1 Scale space representation Scale space representation Keypoint detection Keypoint detection

Introduction Introduction Distinctive Image Features from Distinctive Image Features from Scale Scale- -Invariant Invariant Keypoints Keypoints Invariance Invariance Intensity Intensity Scale Scale David G. Lowe

394 views • 5 slides
Programming Exercise 2: Logistic Regression Machine Learning October 26, 2011 Introduction In

Programming Exercise 2: Logistic Regression Machine Learning October 26, 2011 Introduction In

Programming Exercise 2: Logistic Regression Machine Learning October 26, 2011 Introduction In this exercise, you will implement logistic regression and apply it to two different datasets. Before starting on the programming exercise, we strongly

350 views • 13 slides
LinSim Linear Accelerator Simulation Framework with PLACET and GUINEA-PIG Jochem Snuverink (JAI,

LinSim Linear Accelerator Simulation Framework with PLACET and GUINEA-PIG Jochem Snuverink (JAI,

LinSim Linear Accelerator Simulation Framework with PLACET and GUINEA-PIG Jochem Snuverink (JAI, Royal Holloway) Jrgen Pfingstner (CERN) 8 th of October 2014 J. Snuverink and J. Pfingstner LinSim Content 1. Introduction 2. LinSim 3.

325 views • 20 slides
Advanced Higher Literacy What do you need to know? Identifying/inserting chords to cadence points

Advanced Higher Literacy What do you need to know? Identifying/inserting chords to cadence points

Advanced Higher Literacy What do you need to know? Identifying/inserting chords to cadence points under Augmented triad melodies Enharmonic equivalent rewriting at same pitch Diminished 7 th Scales and key signatures up to 2 accidentals

1.03k views • 72 slides
Oct Octopus: a an R RDMA-en enab abled led Di Distri tributed ed Pe Persistent Memory

Oct Octopus: a an R RDMA-en enab abled led Di Distri tributed ed Pe Persistent Memory

Oct Octopus: a an R RDMA-en enab abled led Di Distri tributed ed Pe Persistent Memory File System Yo Youyou Lu Lu 1 , , Ji Jiwu Sh Shu 1 , , Yo Youmin Ch Chen en 1 , , Ta Tao Li Li 2 1 Ts Tsinghua University 2 Uni University of

428 views • 21 slides
Unit 5: Inference for categorical variables Lecture 1: Inference for proportions Statistics 101

Unit 5: Inference for categorical variables Lecture 1: Inference for proportions Statistics 101

Unit 5: Inference for categorical variables Lecture 1: Inference for proportions Statistics 101 Thomas Leininger June 12, 2013 Single population proportion Single population proportion 1 Identifying when a sample proportion is nearly normal

996 views • 76 slides

More recommend