third-party assessments: not just a questionnaire (166285911)



TRANSCRIPT

Page 1: Third-Party Assessments: Not Just a Questionnaire (166285911)

7/29/2019 Third-Party Assessments: Not Just a Questionnaire (166285911)

http://slidepdf.com/reader/full/third-party-assessments-not-just-a-questionnaire-166285911 1/8

Tuesday, 2013-04-16

• lots of orgs have adopted a questionnaire; we're going to talk about the process surrounding it
• overview
  • I'll talk about IU's process
  • I'll ask for volunteer institutions for us to create processes for
  • we'll split into groups and create those processes
  • a sprint, not a marathon
• IU is a Public University
  • Enrollment: 110,000
  • Endowment: $1.57 billion
  • Basic Carnegie Classification: very high research
  • we're not the biggest, but we're very big; other processes will obviously differ

Page 2: Third-Party Assessments: Not Just a Questionnaire (166285911)


Word clouds created with Tagxedo


• In most presentations on this topic, you'll hear the first thing you need is a data classification system
  • This presentation is no exception
  • But you might want to figure out how to function until you get one
• At IU we have 4 data classifications with the most regulated data (SSNs, credit card data, health data) being Critical
• Most organizations have anywhere from 3 to 5
• If you don't have data classification
  • you'll need to get it, but that can take a while
  • meanwhile, you'll need a way to scope your assessments
  • maybe it's your own made-up classification scheme, or maybe it's some other heuristic
• In the exercise, write down what your institution does, or if nothing, make up a heuristic

Page 3: Third-Party Assessments: Not Just a Questionnaire (166285911)


Governance


• As much as we'd sometimes like to rule everything, IT and infosec should not be deciding whether an agreement or purchase should go forward
• Institutional Data Stewards: authorities on various types of data
  • student, human resources, alumni & foundation, library, purchasing & travel, facilities, financial & budget, international programs, contracts & grants, faculty, medical
• Compliance Committees
  • PCI DSS, HIPAA, research, future regulations?
• Legal Counsel
• For the exercise, are there people with central decision-making authority at the volunteer institution? If not, how will this be handled? Maybe consensus.

Page 4: Third-Party Assessments: Not Just a Questionnaire (166285911)


Stakeholders


• When developing any process, you'll need to get buy-in from the major players it will affect
  • Procurement
  • Data Stewards, Compliance Committees, Legal Counsel
  • Security, Policy
  • Compliance, Risk Management, Internal Audit
  • Key Vendors, Frequent Purchasers, Departmental IT
• In the exercise, list all the applicable stakeholders at the volunteer institution
• Remember, 3rd-party assessments slow down business. There will be pushback, so you need support wherever appropriate.

Page 5: Third-Party Assessments: Not Just a Questionnaire (166285911)


Workflow

[Workflow diagram: "Critical Data?" decision (Yes / No) → Risks & Recommendations → Decision]


• IU only does an assessment if Critical data is involved. I would of course like to do them for Restricted data, too, and so would some data stewards, but I would need more staff for that.
• We still involve the data stewards for any data sharing
• The questionnaire is home-grown, but it could be something like the Cloud Security Alliance's GRC stack (which is what Internet2 is using to vet Net+ services now)
• A very important piece not shown is contract language that we put into every agreement holding the vendor responsible for safeguarding institutional and personal data
• In the exercise, use everything you've listed in the previous panels to determine what your workflow will be

Page 6: Third-Party Assessments: Not Just a Questionnaire (166285911)


[Chart: Assessment Activity, assessments per year 2009–2013; y-axis 0–90]


When designing your process, keep in mind the number of 3rd-party assessments is likely only to increase. We project we'll have done about 80 by the end of this year (we've only done 15 so far, but the first quarter is typically light). I expect it to plateau eventually, which will be a good time to implement what's next.

Page 7: Third-Party Assessments: Not Just a Questionnaire (166285911)


What’s Next?


• IU still has a long way to go
  • Streamlining & refactoring the workflow
  • Achieving ongoing third-party management
  • Capturing untracked agreements
