Recorded: September 10, 2015, September 17, 2015 and September 24, 2015
Join us for a 3-part series on Cyber Risks & Third Party Service Providers
The value that third party service providers (TSPs) bring can quickly be eroded by the associated cyber risks, and the FFIEC expects that TSPs be subject to the same risk management, security, privacy, and other requirements as if the financial institution were conducting the activities in-house. Regulatory expectations related to cyber resilience, as well as the additional complexity inherent in using multiple TSPs, require more diligence by financial institution management.
In this three-part series, you'll learn how to effectively manage TSPs, reduce cyber risk, and ensure compliance with a variety of regulations, including the new Appendix J of the BCP Service Booklet.
Part 1: Navigating Vendor Management
In Part One, Navigating Vendor Management, we'll cover the different regulations and updates, and how they all map together to ensure that TSPs are properly governed.
Topics addressed:
- How is Cloud Computing examined?
- What are the differences/similarities between SSAE 16 and SOC 2 reports?
- How does the new Appendix J of the BCP Services Booklet address vendor management and cyber security?
- What you need to ensure when your TSP subcontracts to another vendor.
- Understanding your responsibilities when using a Managed Security Service Provider (MSSP).
Part 2: How to Develop and Implement a Sound Vendor Management Program
In Part Two, we'll take a closer look at vendor risks and requirements, selection, and monitoring. You'll learn how to design and implement a sound vendor management program in accordance with different FFIEC regulations including Appendix J with new requirements related to business continuity planning and cybersecurity.
Topics addressed:
- How to perform a risk assessment.
- What due diligence should be performed on TSPs prior to selection?
- How should new contract terms and conditions be addressed with respect to cyber security?
- What new elements of the relationship should be monitored?
- Why and how to expand my Incident Response Plan.
Part 3: Effective Monitoring in Vendor Management
In Part Three, we'll delve deeply into advanced techniques for monitoring vendors and what constitutes an effective monitoring program.
Topics addressed:
- How do the recent and upcoming changes in regulations affect my vendor management program?
- How do I address my vendor's VM program?
- What monitoring changes are required for SLAs?
- What assistive tools are available?
- How to review SOC reports.
Speaker: Karen Livingstone, InfoSight, Inc.
Karen is a contemplative and passionate executive with 20+ years' experience in providing risk management, audit, and regulatory compliance services. Karen has helped numerous financial service organizations design and implement cost-effective risk management and compliance programs and solutions. She has extensive experience in the IT assurance profession and understands audit and examination requirements.
Karen's knowledge of financial regulations is comprehensive. She has practical experience in helping financial institutions comply with the various aspects of FFIEC, OCC, FDIC and NACHA regulations impacting controls and processes related to the integrity and security of IT systems, processes, and people. Karen also has expertise with other best practice guidelines and frameworks provided by NIST, ISO, COSO and COBIT.
Karen holds designations as a CPA, CISA, CIA, CRMA, and AMLCA, is an alumnus of Florida Atlantic U