Risk-Based Vendor Management Fundamentals (OnDemand Webinar)

$199.00

SKU: 408817EAU

Description

Examine the cutting-edge issues in designing and executing privacy and security risk assessments. This topic will focus on the fundamentals of creating and implementing a risk-based vendor management program designed to address the increasing threat of cybersecurity incidents. The risk to the privacy and security of an organization’s sensitive, personally identifiable, proprietary, and financial information continues to grow as cybersecurity attacks become more sophisticated. A growing number of these attacks occur through third parties, vendors, service providers, or the supply chain. Traditional vendor management programs may not be adequate for identifying and minimizing these risks. We will take a look at the threat landscape, review basic elements of a cybersecurity-focused vendor management program, identify best practices, and discuss program ownership and available resources. Whether your organization purchases software products, connected devices, or SaaS, outsources services, or engages managed service providers, this information will help you create or update your vendor management program to address cybersecurity risks posed by third parties, vendors, service providers, or the supply chain.

Date: 2021-10-18

Learning Objectives

Risk-Based, Cybersecurity-Focused Vendor Management and Why Organizations Need It
• The Cybersecurity Threat Landscape
• Understanding Cybersecurity Risks Posed by Third Parties, Vendors, Service Providers, and the Supply Chain
• The Potential Impact on Organizations
• Regulatory and Contractual Compliance Obligations

Assembling an Interdisciplinary Vendor Management Team
• Identifying Appropriate Stakeholders
• Identifying Team Responsibilities
• Creating or Updating a Cybersecurity-Focused Vendor Management Program
• Monitoring Internal Program Compliance
• Auditing Third-Party Compliance
• Performing Vendor On and Offboarding
• Assuming Responsibility for Vendor Communications, Data Breach Response
• Identifying Appropriate Method of Performance: Manual, Automated

Developing an Appropriate Risk-Based Vendor Management Program
• Creating a Third-Party, Vendor, and Service Provider Inventory
• Identifying Regulatory and Contractual Compliance Obligations
• Identifying Potential Risks to Data and Systems; Assign Risk Levels
• Creating Scalable Standards
• Creating Risk Assessment Questionnaire
• Developing Internal Policies and Procedures for Implementing, Reviewing, and Monitoring the Program

Performing Due Diligence
• Assessing and Evaluating Responses to Risk Assessment
• Conducting Onsite Audits
• Obtaining Required Certifications
• Validating Vendor Representations

Executing Vendor Contracts
• Drafting Contractual Obligations
• Addressing Reasonable Safeguards
• Allocating Risk
• Performing Internal Contract Management
• Reviewing and Updating Contracts as Necessary

Best Practices
• Maintaining Documentation of Risk Assessments and Supporting Documents
• Limiting Vendor Access to Data and Systems
• Implementing Internal Incident Response and Business Continuity Plans
• Segmenting Systems
• Monitoring Vendor’s Cybersecurity Controls
• Training Internal Staff
• Minimizing Data Collection; Adhering to Appropriate Data Retention Schedules
• Assembling a Truly Interdisciplinary Team

Available Resources

CLE (Please check the Detailed Credit Information page for states that have already been approved), ISM. Additional credit may be available upon request. Contact Lorman at 866-352-9540 for further information.

Mary T. Costigan - Jackson Lewis P.C.