Managing Outsourced Service Providers By: Philip Romero, CISSP, CISA.

Overview
- Introduction
- Reasons for Outsourcing
- Due Diligence
- Risk Considerations
- Management Considerations
- Conclusion
- References

Philip Romero, CISSP, CISA
- Vice President, ISSA-SVC
- Information Systems Auditor

What is an Outsourced Service Provider?
Any person or entity that maintains or processes a company's data or systems, or is otherwise permitted access to them in order to perform services for the company, but is not directly employed by the company.

Responsibilities
"...senior management should establish and approve risk-based policies to govern the outsourcing process. The policies should recognize the risk to the institution from outsourcing relationships and should be appropriate to the size and complexity of the institution." – FFIEC

Due Diligence
- Company financial & business standing
- Review of independent audits (SAS 70 or others)
- Client interviews or site visits
- Risk assessment

Company Financial & Business Standing
- How long has the company been in business?
- Have they been profitable?

Review of Independent Audits
- SAS 70 Type I & II. A Type I report covers the design of controls at a point in time; only a Type II report tests whether the controls operated effectively over a period, so prefer Type II for an ongoing provider. (SAS 70 was superseded in 2011 by SSAE 16 / SOC 1 reports; SOC 2 reports cover security, availability and confidentiality controls directly.)
- Six Sigma. This is a process-quality program, not a security audit; treat it as evidence of process maturity only.
- Others (e.g. penetration test reports). Ask for the scope, date and remediation status, not just the summary.

Client Interviews or Site Visits
- Did the company deliver what they said they would?
- Does the product or service function as described?
- Did the implementation go as planned?
- Do the security controls operate as defined?

Risk Considerations
- Application Security
- Network Security
- Physical Security
- System Administration
- Business Continuity & Disaster Recovery Planning

Management Considerations
- Contract Negotiations
- Statement of Work
- IT Strategic Impact
- Benefits Realization
- High Level Monitoring
- Customer Satisfaction
- Data Security
- Network Connectivity & Security
- Regulatory Compliance

Outsourcing Management Study
A 2000 study of 29 major outsourcing engagements over eight years reported that 35% of the arrangements failed.

Management Considerations
- Contract Negotiations
  - Get it in writing
  - It does not have to be business as usual
- Statement of Work
  - Clearly define roles and expectations

Management Considerations
- IT Strategic Impact
  - How does the outsourced service affect strategic goals?
  - Do strategic goals need to be re-evaluated because services are now outsourced?
- Benefits Realization
  - Are the goals of outsourcing being achieved?

Management Considerations
- High Level Monitoring
  - Review corporate news
  - Review updated audit reports
- Customer Satisfaction
  - Are customers satisfied with the outsourced arrangements?
  - Have the arrangements increased or hindered profits?

Management Considerations
- Data Security
  - Has your company classified the information used and managed by the outsourced company?
  - Has the appropriate protection been defined for each classification?

Management Considerations
- Network Connectivity & Security
  - How do your companies exchange information?
  - Are data circuits encrypted?

Management Considerations
- Regulatory Compliance
  - HIPAA
  - GLBA (Gramm-Leach-Bliley Act)
  - SOX
  - CA Civil Code (SB 1386, the California breach notification law)

Conclusion
- Reasons for Outsourcing
- Due Diligence
- Risk Considerations
- Management Considerations

References
- IT Governance Institute
- Information Systems Audit and Control Association
- NIST Computer Security Resource Center
- Federal Financial Institutions Examination Council