
www.pwc.com

Third Party Risk Management
ISACA Central Maryland chapter
December 9, 2015
Here with you today

Ellen Ozderman, Director, Cybersecurity, Privacy & IT Risk
M: 240.750.5669, E: ellen.ozderman@pwc.com

Stephanie Hardt, Manager, Cybersecurity, Privacy & IT Risk
M: 202.365.0033, E: stephanie.l.hardt@pwc.com

Danny Wuckovich, Senior Associate, Cybersecurity, Privacy & IT Risk
M: 571.213.8308, E: danny.w.wuckovich@pwc.com

December 9, 2015
PwC 2
Agenda

Third Party Risk Management
• Questions to Consider
• Why is Third Party Risk Management important?
• What is Third Party Risk Management / Security and Privacy Considerations
• Cloud Reliance
• Common Challenges and Lessons Learned
• Appendix

Learning objectives

A deep dive into Third Party Risk Management Programs and the information security and privacy considerations over third parties
• Describe the Third Party Risk Management lifecycle and why it is important
• Highlight the importance of TPRM as demonstrated by current events and news headlines
• Identify where Third Party Risk Management typically impacts Vendor Management events
• Identify key stakeholders, how they interact, and their roles and responsibilities of typical Third
Party Risk Management programs
• Identify the three lines of defense and how each applies to a Third Party Risk Management program
• Identify how Third Party Risk Management programs work to mitigate security and privacy risks
originating at our third party vendors
• Explain the process for identifying and monitoring third party vendors’ security postures
• Share common information security and privacy challenges surrounding TPRM
• Explain the benefits of Third Party Risk Management
• Highlight the key TPRM, information security, and privacy considerations for cloud
service providers

Questions to consider

Planning/Governance
• Do you have an inventory of Third Parties?
- Is it by service?
- Is it risk ranked?
- Do you have current contracts related to the service being provided?
• Do Third Parties go beyond traditional vendors and suppliers (e.g., affiliates)?
• Are there standardized risk profiling methodologies with defined assessment frequencies and types
in place?
• Who is accountable for overseeing your TPRM Program, and who manages it?
Due Diligence and Third Party Selection
• Are due diligence assessments performed prior to contracting?
- Are they around privacy?
- Are they around security?

Questions to consider (continued)

Due Diligence and Third Party Selection


• Do you know which of your third parties have access to data?
• Do you know which subcontractors are used by your third parties, and what work they are
performing for you?
Contract Negotiation
• Do contract clauses include the authority to audit the Third Party’s processes over the service provided?
• Are contracts for similar services consistent, and do they contain Service Level Agreements?
Ongoing Monitoring
• Do monitoring processes include both risk AND performance concerns?
Termination
• Do you have exit strategies in place for significant Third Party relationships?

Reputational drivers

Sample headlines involving third parties

A bank points outage finger at its technology provider
A bank says a failure on its technology provider’s part to correctly fix an identified instability within the bank's storage system led to the seven-hour service outage last week.
– ZDNet Asia on July 14, 2010

FTC Data Security Settlement Highlights Need for Third Party Vendor Management and Oversight
Federal Trade Commission (FTC) announced a settlement with a translation services provider following the public exposure of thousands of medical transcript files containing personal medical information.
– HL Chronicle of Data Protection, January 2014

Vendor mistake causes breach of 32,000 patients’ data. The vendor was hired to transcribe care notes on what was supposed to be a secure website. However, the information remained publicly accessible because the vendor apparently failed to activate a firewall.
– Healthcare Business & Technology, August 2013

The hackers who stole 40 million credit and debit card numbers from a large discount retailer appear to have breached the discounter’s system by using credentials stolen from a vendor.
– Wall Street Journal, January 2014

Breach at a large merchant processor cost approximately $94 million and removal from the global registry of a major card issuer.
– CNN, March 2012

3.6 million personal income tax returns and 657,000 business filings exposed due to third party data breach.
– Washington Post, October 2012

Recent breaches involving third-party vendors

“Home Depot disclosed that hackers stole 53 million e-mail addresses, on top of the data for 56 million credit cards.”
http://www.bloomberg.com/bw/articles/2014-11-06/home-depot-hackers-got-in-via-a-vendor-took-53-million-e-mails-too

“Home Depot said the crooks initially broke in using credentials stolen from a third-party vendor. The company said thieves used the vendor’s user name and password to enter the perimeter of Home Depot’s network, but that these stolen credentials alone did not provide direct access to the company’s point-of-sale devices. For that, they had to turn to a vulnerability in Microsoft Windows that was patched only after the breach occurred...”
http://krebsonsecurity.com/tag/home-depot-breach/

Recent breaches involving third-party vendors (continued)

“…the source of the Target intrusion traces back to network credentials that Target had issued to Fazio Mechanical, a heating, air conditioning and refrigeration firm in Sharpsburg, Pa. Multiple sources close to the investigation now tell this reporter that those credentials were stolen in an email malware attack at Fazio that began at least two months before thieves started stealing card data from thousands of Target cash registers.”
• 40 million customer credit cards stolen
• 70 million customer records (name, address, email, phone)
• 46% decrease in Q4 2013 profits vs Q4 2012
http://krebsonsecurity.com/tag/target-data-breach/

Recent breaches involving third-party vendors (continued)

“Experian said the compromise of an internal server exposed names, dates of birth, addresses, Social Security numbers and/or drivers’ license numbers, as well as additional information used in T-Mobile’s own credit assessment.”

“…the breach lasted for two years from Sept. 1, 2013 to Sept. 16, 2015…Experian detected the breach on Sept. 15, 2015, and confirmed the theft of a single file containing the T-Mobile data on Sept. 22, 2015.”
• Over 15 million customer records (name, dob, address, ssn, driver’s license number)

Regulatory considerations

Timeline of regulations relevant to third party risk (categories shown on the slide: Financial Services, Healthcare, State Regulations, European Union):

• Aug, 1996 – Health Insurance Portability and Accountability Act, HIPAA
• Jul, 2001 – Gramm-Leach-Bliley Act, GLBA
• Nov, 2001 – OCC Bulletin 2001-47, Oversight and Management of Third-Party Relationships
• May, 2002 – OCC Bulletin 2002-16, Foreign 3rd Party Service Providers
• Apr, 2003 – HIPAA Business Associates (revised OCR rule)
• Aug, 2003 – California Privacy Bill SB 1386
• May, 2007 – H.F.1758, MN Plastic Card Security Act
• Nov, 2007 – HITECH Act
• Jan, 2010 – NRS 603A, NV Data Security Law
• Mar, 2010 – 201 Mass. Code Regs. 17, Data Security Law
• Jul, 2010 – Wash. H.B. 1149, WA Data Security Law
• Jan, 2011 – PCI-DSS v2.0
• Mar, 2012 – CFPB Bulletin 2012-03
• Jan, 2013 – HIPAA Omnibus
• Aug, 2013 – PCI-DSS v3.0
• Oct, 2013 – OCC Bulletin 2013-29
• Dec, 2013 – FRB SR 13-19
• Apr, 2015 – PCI-DSS v3.1, Payment Card Industry Data Security Standard
• Proposed by Dec, 2015 – European Union Data Protection Directive

PwC’s global state of information security survey results

• Inventory of third parties that handle personal data of customers and employees: 50%
• Perform risk assessments: 50%
• Policy requiring third parties to comply with their privacy & security policies: 54%

Third party risk management framework

Third Party risk management is focused on understanding and managing risks associated with third parties with which the company does business and/or shares data.

Third Parties: Vendors, Suppliers, Joint Ventures, Business Channels, Marketing Partners, Affiliates, Broker Dealers, Regulated Entities

The PwC TPRM Framework – TPRM Program Components:
• Governance
• Framework
• Policy & Procedures
• Inventory
• Stratification
• Issues Management

Risk Considerations: Reputational, Concentration, Regulatory/Compliance, Operational, Financial, Termination, Business Continuity, Subcontractor, Country, Technology, Information Security, Privacy

TPRM – Security and privacy considerations

Third Party security lifecycle (On-boarding & Renewal, Risk Assessments, Monitoring & Compliance):

• On-boarding, approval, and renewal – Collaborating with Procurement, OGC, and Relationship Managers to obtain required documentation (e.g., Security & Confidentiality Agreement, Inherent Risk Questionnaires, etc.) and perform a precursory review of third parties’ security postures during on-boarding and renewal of contractual services with third parties.
• Risk assessments – Performing TSP due diligence on third-parties to assess whether Company data and systems are safeguarded appropriately.
• Monitoring and compliance – TSP operational activities, including monitoring third party risk profile, remediation tracking, communication and awareness, and monitoring and reporting status.
Vendor Management (VM) vs. Third party risk management

TPRM Lifecycle: Planning, Due Diligence, Contract Negotiation, Ongoing Monitoring, Termination
VM Third Party Lifecycle: Business Case, Sourcing Analysis, Selection, Contracting, Ongoing monitoring, Relationship exit

Business Case
1. Document Need
2. Cost Benefit Analysis
3. Determine business requirements
4. Determine ROI
5. Determine Third Party Base
6. Determine inherent risk
7. Document Source/No-Source Decision
8. Obtain Approval
9. Assign owners
10. Stakeholders

Sourcing Analysis
1. Sourcing Approach
   - Competitive Bid
     ◦ RFP/RFI/RFQ
   - Sole Source
2. Identify Third Parties
   - Existing
   - Potential
3. Third Party Rationalization
4. Single vs. Multiple Third Parties
5. Validation
   - Proof of Concepts
   - Pilot

Selection
1. Conduct RFI/RFP/RFQ
2. Competitive Bid/Proposal Evaluation
3. Short List vs Single Finalist
4. Selection Criteria
5. Price vs Value
6. Due Diligence Assessments
7. Nature, Location and Ownership of Controls
8. Number of third parties to use

Contracting
1. Contract Vehicle
   - MSA
   - SoW
2. Source paper
3. Standard clauses
4. Clauses to address open Issues
5. SLAs
6. Training
7. Fee Structure
8. Determine residual risk
9. Contract Management
10. A/P Setup
11. Stakeholders
12. Subcontractor requirements

Ongoing monitoring
1. Transition Pre-Contract to Post-Contract
2. Track open issues to closure
3. Ongoing performance & risk monitoring
4. Ongoing due diligence & assessments
5. Ongoing site visits and reviews
6. Oversight and Supervision
7. Customer Complaint Handling
8. Third Party Contingency Plans
9. Re-certification
10. Spend Management
11. Monitoring and Reporting Cadence
12. Contract Administration

Relationship exit
1. Finalize Exit Strategy
2. Provide Notifications
3. Risk Exposure assessment
4. Continuity Planning
5. Transition Planning and Execution
6. Transfer of assets and Information
7. Legal confirmation of transition
8. Payments, Penalties and final billings

Third Party Risk Management (TPRM) activities in BLUE BOLD


Third party risk management – Program governance

Board of Directors

Third Line of Defense: Internal Audit
• Independently test, verify and evaluate risk management controls against internal policies
• Report upon effectiveness of the program

Second Line of Defense: Governance, Management & Oversight (Enterprise Risk Committee, Enterprise Management, Legal & Compliance, Third Party Management Office, Operational Risk Oversight, Sourcing/Procurement, Contracts Management; Subject Matter Specialists: InfoSec, Privacy, PhySec, BCM, TP Compliance, TPRM, HR, Credit/Finance, Reputational Risk, Technology, Operational Risk)
• Independent compliance framework, policy & oversight
• Design and assist in implementing company-wide risk framework and oversee enterprise risks
• Provide independent risk oversight across all risk types, business units and locations

First Line of Defense: Business Unit (Business Unit Sponsor, Third Party Risk Manager), Third Parties, Subcontractors
• Primary responsibility for compliance and owner of risk
• BU managers and third party relationship owners are responsible for identifying, assessing and mitigating risk associated with their business
• Promote a strong risk culture and sustainable risk-return decision making

Planning and risk stratification

The Planning stage facilitates maintenance of the third party inventory, and enables management to focus resources and efforts on those services that present greater risk to the organization.

On-board:
• Pre-Sourcing: Inherent risk assessment & residual risk maturity ranking
• Pre-Contract: Pre-contract due diligence & residual risk; Standard risk definition
Oversee & Monitor:
• Post-Contract: Nature, timing and extent & On-going monitoring and due diligence; Refresh & Re-rank
Maintained Third Party Inventory

Residual risk rating (control maturity):
1 – Controls do not exist/are not in place
2 – Controls are in place but are not documented appropriately or currently are not reviewed/tested; controls are not consistently followed
3 – Controls are in place and are documented and reviewed; manual or partial automation
4 – Controls are in place, are documented appropriately, are reviewed on a periodic basis, have continuous control monitoring and fully automated if available

Nature, timing and extent of ongoing monitoring by inherent risk segment (Segment 1 “Critical”, Segment 2 “High Risk”, Segment 3 “Moderate Risk”, Segment 4 “Low Risk”) and residual risk rating:

Residual risk rating 1:
• Segment 1 – Onsite, Annual, Scoped Testing
• Segment 2 – Onsite, Annual, Scoped Testing
• Segment 3 – Onsite, 18 Months, Scoped Testing
• Segment 4 – Remote, 24 Months, Scoped Inquiry
Residual risk rating 2:
• Segment 1 – Onsite, Annual, Scoped Testing
• Segment 2 – Onsite, 12-16 Months, Scoped Testing
• Segment 3 – Remote, Annual, Scoped Inquiry
• Segment 4 – Remote, 36 Months, Scoped Inquiry
Residual risk rating 3:
• Segment 1 – Onsite, 12-16 Months, Scoped Testing
• Segment 2 – Onsite, 18 Months, Scoped Testing
• Segment 3 – Remote, 18 Months, Scoped Inquiry
• Segment 4 – Self-Assess, 36 Months, Scoped Inquiry
Residual risk rating 4:
• Segment 1 – Onsite, 18 Months, Scoped Testing
• Segment 2 – Onsite, 24 Months, Scoped Testing
• Segment 3 – Remote, 24 Months, Scoped Inquiry
• Segment 4 – Self-Assess, 48 Months, Scoped Inquiry

Metrics & Reporting: Third Party Program Scorecards, Dashboards

Inherent risk assessment – Service level stratification

The inherent risk assessment process allows for the sorting of third party services/products by inherent risk scores and inherent risk ratings.

Inherent risk assessment (Pre-Sourcing) – Example Stakeholders: Legal, Third Party Risk Office, Subject Matter Specialists, Business Unit Sponsor, Compliance, Sourcing & Other Key Stakeholders. Inherent Risk drives SMS input and due diligence requirements.

Risk stratification structure:
1 – “High Risk”: These third parties are handling high risk services, have a critical level of disruption, access to highly restricted types of data and are client facing.
2 – “Moderate Risk”: These third parties are handling high or medium risk services, have a high level of disruption, access to restricted data and may be client facing.
3 – “Low Risk”: These third parties are handling medium risk services, have a moderate level of disruption, have access to restricted data and are not client facing.
4 – “Very Low Risk”: These third parties are handling low risk services, have a low level of disruption, do not have access to restricted data and are not client facing.

Planning – TPRM security and privacy

What Third Party risk factors qualify for security and privacy assessments by the TPRM program?

1. Third-parties that:
   a. Store, process, or transmit organizational data on their own IT systems and network, or
   b. Access the organization’s internal IT infrastructure and systems (including network, applications, databases, etc.)

2. Sensitive data that is shared with/collected by/accessible to the third party. Sensitive data may include:
   a. Customer, customer spouse, and prospective customer information
   b. Employee, Employee Family, Applicant, and Contractor Information
   c. Organization’s Intellectual Property, Proprietary Information, and Financial Data
   d. Technology Information

*Note: should be aligned with organizational data classifications

Planning – TPRM security and privacy (continued)

Risk identification and prioritization of third parties:

• An inherent risk questionnaire evaluates the third-party’s inherent security and privacy risks against a primary set of qualitative and quantitative risk factors.
   1. IT systems and data sensitivity – Critical systems and sensitive data elements (based on the organization’s data classifications) that are shared with, collected by, or accessible to the third-party organization.
   2. Estimated record volume – The maximum volume of sensitive data and information accessible to the third-party organization.
• Based on the inherent risk questionnaire, the third-party is risk rated against defined risk tiers.
• The risk tiers define the due diligence requirements to be completed for each third-party.

Risk Tier – Due diligence requirements (Nature; Timing):
• Tier 4 - High Risk: Onsite assessment; Annually
• Tier 3 - Moderate Risk: Remote Assessment; Bi-Annually
• Tier 2 - Low Risk: Self assessment; Tri-Annually
• Tier 1 - Very Low Risk: Annual Recertification of TSP Profile; N/A

Planning – TPRM security and privacy (continued)

Review and approval of Third Party:

• A mature TPRM program requires approval from the Department of Information Security for all new contracts
• The Department of Information Security performs a precursory review of the Third Party’s control assertions using a risks and controls questionnaire
• Approval typically requires completion of the following security and privacy documents: Inherent Risk Questionnaire, Security & Privacy Questionnaire, Security & Confidentiality Agreement

Parties involved in review and approval: Business Units, TPRM Program, Information Security Dept., OGC, Procurement

Due diligence

The following correlates significant third party risks to the assessments utilized by organizations to evaluate the effectiveness of third party controls in place to mitigate risks.

Significant Third Party Risks (legend: Assessment, Risk):
• Reputational: Assesses the impact to the organization’s reputation based on services provided by a third party.
• Compliance: Assesses the third party’s ability/control framework in place to comply with laws/regulations.
• Operational Competency: Assesses the ability of the third party to deliver the contracted products/services.
• Subcontractor: Assesses the risk management processes surrounding the use of subcontractors by third parties.
• Information Security & Privacy: Assesses third party’s controls over the availability, confidentiality, and integrity of third party data.
• Technology: Assesses the adequacy and appropriateness of the third party’s systems and applications to provide the product/service.
• Physical Security: Assesses facility access and security measures implemented by the third party.
• Strategic Financial: Assesses financial stability for the third party to continue providing the product/service.
• Country Risk: Assesses political, geographic, regulatory, legal, and economic risks of sourcing to a country or region.
• Business Continuity & Resiliency: Assesses the third party’s ability to perform in the event of a process failure or catastrophic event.

Risk assessment types

The following are examples of Third Party due diligence assessments performed on potential and existing third parties to understand the existing control environment and capabilities.

Technology
• Technology Architecture
• Assets utilized
• Technology Roadmap
• Technological capabilities
• Monitoring, communication and connectivity
• Incident management
• Application management
• System development
• Customer contact

Information Security & Privacy
• Security policies
• Change controls
• Encryption
• Logical access Control
• Asset management

Physical Security
• Fire Suppression
• Server Security & Conditions
• Data Centers
• Backup Power Sources
• Key Card & Facility Access

Subcontractor
• Third Party Relationship Management
• Sub-Service Third Party Relationships
• Logical access Control
• Monitoring, communication and connectivity

Country
• Political
• Geographic
• Regulatory
• Legal
• Economic
• Travel Safety

Reputational
• Litigation or ethical flags
• Media coverage
• OFAC or other factors
• Criminal and/or civil complaints

Financial
• Going concern
• Liquidity
• Leverage
• Profitability
• Transaction Processing

Bus Continuity & Resiliency*
• Recovery
• Data Backup Management
• Offsite storage
• Media and vital records
• Data integrity

Operational
• People
• Process
• Financial Reporting
• Subcontractors
• Concentration

Compliance
• Regulatory requirements
• HIPAA
• CFPB
• GLBA
• Customer complaints handling
• PCI

*Business Continuity Management includes Business Contingency (“BC”) planning and Disaster Recovery (“DR”)
Note: Regulation W requirements exist when a Financial Institution receives services from an Affiliate, which may have special due diligence assessment aspects to consider.

TPRM security and privacy

Security and privacy domains:

• The TSP identifies and monitors third-party risks through risk assessments, which provide assurance on whether third-parties are meeting the organization’s security and privacy standards.
• The risk assessments assess security and privacy controls across the following domains:

Security Administration: Policies and procedures, security roles and responsibilities, HR personnel and subcontractor management and oversight (e.g., background checks, security awareness training, etc.)
Logical Security: Security administration, privileged access, authentication, workstation/application/database/platform security, network perimeter protection, remote/wireless access, network segmentation
Security Operations: Threat and vulnerability management, security monitoring, incident response, backup and recovery, encryption
Physical Security: Data center access controls, monitoring, environmental controls
Compliance Monitoring: Regulatory compliance management, policy and standards compliance

Ongoing monitoring

Results of the inherent risk assessment should drive the nature, timing and extent of activities used to monitor, oversee, and re-assess third party relationships. Due to the higher costs associated with more in-depth assessment activities, a risk-based approach should be used to ensure that higher risk relationships receive more active risk management than lower risk relationships.

Chart: Depth and Frequency of Ongoing Monitoring (from 0%) plotted against Inherent Risk Rating: Very Low (40-50%), Low (20-30%), Moderate (10-15%), High (3-5%).
Termination

Each third party termination will be unique; however, there are common decisions, considerations, and results that should be addressed with key stakeholders and executed with a defined plan and checklist.

Stakeholders (consistent & continuous communication): Business Unit, TPRM Office, Legal & Compliance, SMS, Third Parties/Subcontractors, Sourcing, Risk Management

Termination decision
• Service Failure/Significant Customer Complaints
• Regulatory/Legislative
• End of Contract
• Business Decision
• Product/Service Discontinued

Termination considerations
• Product/Service Brought In-House
• Product/Service Transitioned to Alternate Third Party
• Customer Impact
• Contingency Procedures
• Oral & Implied Contracts
• Internal Employee Impact

Termination result
• Interim Processes
  - NDA
  - Transfer Process Knowledge
  - Migrate or Destroy
• Costs
  - Monetary
  - Non-monetary
• Migrate/Sell Assets
  - Software/Intellectual Property
  - Hardware
  - Facilities
• Notification to Customers and Internal Employees

Ongoing monitoring – TPRM metrics

TPRM metrics (TPRM Security and Privacy Metrics cover the TPRM Portfolio, TPRM Assessments, and Issue Tracking and Remediation; the scope is realistic and managed, and stakeholders are committed):

What is the inherent risk distribution across the third-party population? (TPRM Portfolio)
• Percentage count of third-parties at each security risk tier
• Change in inherent risk distribution over time

How much assurance is provided by the TPRM Assessments? (TPRM Assessments)
• Number of TPRM assessments planned, in-progress, and completed
• Number of third-parties assessed in comparison to broader portfolio
• Average number of findings (high, medium, low) uncovered as part of the assessments

How often are third-parties on-boarded and renewed? (TPRM Portfolio)
• Number of TPRM requests
• Count of third-parties that are approved, in-process, and expired for purposes of TPRM

Issue Tracking and Remediation
• Total number of observations/risks
• Total number of risks outstanding and mitigated
• Estimated time to remediate

TPRM framework & benefits

Cost

• Reduced cost of managing third party risk through stratification, process simplification, and use of technology

Quality

• Consistent approach to assessing third parties and risks they present

Standardization

• Improved quality, efficiency, timeliness and accuracy of TPRM stemming from automated workflows and
reporting tools

Risk

• More effective monitoring of due diligence activities and their frequency driven by both inherent and residual risks

Flexibility and efficiency

• Tighter focus on specific controls associated with those relationships found to pose the greatest risk

Shareholder value

• Improved compliance with laws and regulations, thereby reducing or eliminating fines and penalties that could prohibit
services and impact the bottom line

TPRM challenges and trends

• Third party management efforts focus on high-spend Third Parties instead of taking a risk-based approach
• Organizations are unable to identify a complete inventory of Third Party relationships
(contracts in desk drawers, etc.)
• Third-party management and security standards are not formalized and requirements
are applied ad-hoc
• Beyond an organization’s IT and Infosec Departments, there tends to be a:
- Lack of training and awareness for Third Party security and privacy risks
- Lack of understanding in what constitutes sensitive data and information
• Organizations often fail to identify 4th party subcontractors engaged by the Third Party
who will have access to the organization’s data and/or systems, and the third-party
does not readily disclose them
• Ineffective coordination between stakeholders (Business Units, Procurement, OGC,
Infosec Department, and IT) often results in weak contractual requirements (security,
right to audit, etc.)
TPRM challenges and trends (continued)

• Lack of validation of the accuracy of the data and systems accessible to the third party, resulting in improper inherent risk classification
• Improper tone at the top leads to a lack of professional skepticism over third party
security assertions
• Unauthorized use of organizational data not expressly prohibited by the contract
• Organizational belief that certain types of vendors are exempt (common to IT hosting
and cloud service providers)
• Organizations often lack enough headcount to support comprehensive Third Party
management activities

Reliance on cloud services

What is cloud computing?
• A game-changing technology model and paradigm
• Ubiquitous, convenient, on-demand, pay-as-you-go network access to a shared pool of configurable computing resources
• Major technology and business disrupter (cost reduction and innovation)
• Security impact: Driving new risks and security concerns that impact all elements of the business ecosystem

Essential Characteristics: On Demand Self-Service, Broad Network Access, Resource Pooling, Rapid Elasticity, Measured Service
Service Models: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS), Business Process as a Service (BPaaS)
Deployment Models

* Source: “The National Institute of Standards and Technology (NIST) Definition of Cloud Computing” (NIST Special Publication 800-145), Sept. 2011

Reliance on cloud services (continued)

Cloud Rewards
• The role of IT is changing from building and deploying applications and infrastructure to providing a service catalog of Cloud services an organization can consume.
• Cloud leads to disruption of IT and innovation the LoBs demand.
• Cloud provides applications and infrastructure at a speed and scale that most Enterprise IT organizations can’t replicate.
• Cloud allows you to trim the fat and right size your applications and infrastructure to what you really need.

Cloud Risks
• Cloud is a shared responsibility environment and requires a revised approach to manage risk and security.
• Cloud services often involve multiple third party providers, however, responsibility for security controls is often unclear.
• Lack of Cloud governance may lead to LoB Cloud consumption with little governance, oversight and unapproved usage.
• Cloud usage must have ownership and policies communicated from the top down.

Reliance on cloud services (continued)

Analysts disagree on the size of Cloud spending; but all agree it’s large, here to stay, and growing.

$1.5 Trillion – Global IT spend influenced by Cloud.
Source: “Global Tech Market Outlook 2013 – 2014”, Forrester

$81 Billion Global Cloud Spend in 2014 (not including marketing – which was the single biggest cloud spend category!)
Source: Gartner Cloud Forecast 2013

[Chart: Forrester’s Global Tech Outlook – 2013-14, IT spend by category (servers, storage, applications, software, consulting and system integration, outsourcing, hosting, communications equipment, telcos, enterprise and SMBs).]
[Chart: Gartner’s Cloud Forecast – Yr 2014, totals for Cloud Business Process Services (BPaaS), Cloud Application Infrastructure Services (PaaS), Cloud Application Services (SaaS), Cloud Management and Security Services, and Cloud System Infrastructure Services (IaaS).]

Reliance on cloud services (continued)

PwC’s Digital IQ survey finds 3 of 5 top planned tech spend categories include “Cloud”

Planned investment by category, percentage of respondents who will invest less / the same amount / more (Base = number of respondents):
• Mobile technologies for customers: 5 / 36 / 59 (Base = 344)
• Public cloud infrastructure: 15 / 29 / 56 (Base = 423)
• Public cloud applications: 11 / 34 / 55 (Base = 282)
• Private cloud: 7 / 43 / 49 (Base = 219)
• Gamification: 21 / 32 / 47 (Base = 576)
• Social media for external communication: 8 / 44 / 47 (Base = 301)
• Data security: 4 / 49 / 47 (Base = 367)
• Digital delivery of products/services: 6 / 49 / 46 (Base = 562)
• Data mining and analysis: 10 / 48 / 42 (Base = 417)
• Mobile technologies for employees: 14 / 44 / 41 (Base = 184)
• Data visualization: 12 / 49 / 39 (Base = 331)
• Simulation, scenario modelling tools: 10 / 52 / 38 (Base = 399)
• Social media for internal communication: 13 / 49 / 37 (Base = 289)
• Sensors, sensing technologies,…: 14 / 49 / 37 (Base = 202)
• Virtual meeting and collaboration technologies: 14 / 50 / 36 (Base = 51)
• Open source applications: 8 / 61 / 31 (Base = 257)
• Open source infrastructure: 5 / 66 / 28 (Base = 243)
• Other (please specify): 33 / 67 / 0 (Base = 18)

*Source: PwC 4th Annual Digital IQ Survey report

Reliance on cloud services (continued)

“A-B-C’s of cloud security” succinctly identifies key risks that should be addressed across your cloud use cases

Secure cloud domain – Key risks, issues, and requirements

Access Control
• Control access to sensitive data
• Audit and report user access and data use
• Provision and de-provision user access
• Elevated access

Business continuity
• Provider availability; contingency of the consumer’s services
• Provide business continuity and disaster recovery

Compliance
• Regulatory compliance overall and in the face of shadow IT use of cloud
• Maintain regulatory compliance across cloud ecosystems and migration models
• Right to audit
• Contract and SLA compliance

Data protection and segregation
• Data classification scheme and processes for handling sensitive data
• Prevent unauthorized data exposure, loss or corruption
• Maintain data segregation in multi-tenant environments
• Data flows across jurisdictions and zones with various regulatory and data protection requirements
• Securely dispose of data no longer required

Events – threats, response and investigations
• Ability to log, monitor, and communicate events; integration with consumer to turn data into actionable intelligence
• Event signature creation across new infrastructure/services to drive security intelligence
• Detect and correct security events
• Cooperate during investigations and incident responses

Reliance on cloud services (continued)

What are the implications of cloud migration on security & risk strategy?
1. Migration readiness framework: You need an integrated security and risk
assessment framework to determine the “readiness” of applications to move to cloud;
readiness should be determined based on risk and architecture/operational fit for
various cloud platforms
2. You’re responsible for securing the gaps: Outsourced/cloud providers do not
solve all your risk and security problems (though they take on some of them); many
technology, operations, contracting, and process controls are needed to operate
securely. You must design, implement, operate, and manage these controls. These
should not come as an afterthought to your cloud adoption.
3. Third-party Risk Management: Perform a TPRM risk analysis to understand the
security capabilities of the third party, control integration points, and gaps as you work
to migrate to a cloud service.

Reliance on cloud services (continued)

Common challenges and lessons learned:

• Risk of unauthorized data exposure to the cloud from internal users is a critical threat to your organization.
• Your organization is already using cloud environments and applications whether you know it or not; you can’t protect data if you don’t know where it is and how it moves.
• Most likely your existing data discovery and protection capabilities don’t natively scale to cloud; cloud-specific services and products exist to help identify and remediate sensitive data in your cloud environments.
• Existing data discovery and protection policies may be applicable, but may need to be revised/tuned.
• What you do with data once it’s discovered is as important as discovery in the first place. Organizations need to refresh their data protection and response procedures and governance to address the data they find.

Questions

Appendix A – Bios


Ellen Ozderman, Director – PwC Cybersecurity, Privacy and IT Risk


Phone: (240) 750-5669
Email: ellen.Ozderman@pwc.com
Mrs. Ellen Ozderman has over 12 years of cross-functional IT experience including information security program management, vendor risk
management, data privacy/protection, IT strategic planning, IT controls assurance, regulatory readiness and reporting, and IT risk and
compliance management. She provides a wide range of risk advisory services to a number of clients in the Federal Government and Fortune
500 companies across industries.
In her previous role, she was responsible for standing up and leading the Information Security & ITRM practice (a 3-million dollar practice
after 18 months). She led engagements and provided subject matter advisory for Fortune 500 clients in the areas of Compliance Management,
Information Security Management, Data Privacy/Protection, and Risk Governance.
Mrs. Ozderman is an active member of the local ISACA chapter and serves as a regular exam writer for the ISACA CGEIT certification. She
has a Master of Science degree in Systems Engineering from Johns Hopkins University. She is also a Certified Information Security Manager
(CISM), Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC), Certified Information
Privacy Professional (CIPP), and Certified in the Governance of Enterprise IT (CGEIT).
Select Client Engagements:
• Launched and led the assessment of a global commercial bank’s governance framework and risk management practices for managing its
India-based Outsourcing Service Providers (OSPs) and successfully assisted with preparation of a regulatory examination on Third Party
Supplier Management.
• Led the rollout of a Vendor Management Framework and implementation of the framework, policy, and supporting procedures to
achieve a robust and comprehensive Vendor Management Program for an FX settlement bank to meet federal regulators’ expectations.
• Established an information security management framework based on SANS 20 Critical Controls for a global credit union.
• Led an enterprise-wide security controls gap assessment and remediation project for a leading financial services organization.
• Established an enterprise information protection program for a global logistics company and supported the Safe Harbor
compliance filing.
• Developed a Payment Card Information (PCI) compliance program office, remediation framework and roadmap for a Fortune 100
financial services company.
• Led an Applications Development & Maintenance (ADM) Fed Readiness program implementation at an international insurance
company, including developing action plans, establishing ADM governance models, and coordinating FFIEC controls implementation
across 10 functions/regions.


Stephanie Hardt, Manager – PwC Cybersecurity, Privacy and IT Risk

Phone: 202-730-4232
Email: stephanie.l.hardt@pwc.com

Certification and Memberships:
• NCMA
• ISACA
• Certified in Risk and Information Systems Control (CRISC)

Background:
Stephanie is a Third Party Risk Management Senior Associate within the Governance, Risk and Compliance practice based out of Washington, DC. She has seven years of experience in supply chain management with significant emphasis on third party risk and performance management. She has experience in three distinctive industries: national defense, financial services, and global pharmaceuticals. Over the last several years, Stephanie has been dedicated to assisting her employers with third party risk program implementations as well as serving as a third party relationship manager for large outsourcing providers. With PwC, Stephanie has executed third party internal audits and the redesign and execution of a large third party assurance program. She also holds a Master of Business Administration from the University of Pittsburgh, where she focused her studies on global supply chain management and accounting.

Relevant Projects and Experience:
• Transformed the enterprise third party risk management program for one of the largest U.S. financial services providers to comply with OCC and CFPB regulatory requirements. Elements of the transformed program included development of risk assessments, due diligence, on-going monitoring, performance management processes, organizational structures, policies and procedures, training programs, segmentation strategies, and a large third party management technology implementation.
• Led IT and BPO third party relationship management activities for a global pharmaceuticals provider, including onsite controls and performance audits at offshore delivery centers in India.
• Executed an internal audit of the largest international development bank’s IT third party management practices, resulting in monetary recovery to the organization.
• Redesigned elements of a large British banking and insurance corporation’s Third Party Assurance program and facilitated the execution of the organization’s Third Party Assurance program on their behalf.


Danny Wuckovich, Senior Associate – PwC Cybersecurity, Privacy and IT Risk


Phone: (571) 213-8308
Email: danny.w.wuckovich@pwc.com
Danny is a Senior Associate in the Cybersecurity & Privacy Services practice based out of the Washington metro region. Danny has specialized in the area of information security and third party risk management, and has been actively involved in assisting clients in managing the security risks stemming from their third-party relationships across the world. Danny is currently leading one of PwC’s largest third-party risk engagements in the Washington Metro region, whereby the client has fully outsourced its capabilities to manage a portfolio of 300+ third parties. Danny is responsible for coordinating and interfacing on a daily basis with client personnel, providing technical guidance and direction to teams of assessors and third-party relationship managers, and executing operations and continuous improvement of the overall third-party risk management program. With his background in cybersecurity and privacy, he is able to understand the key risks as they relate to his client’s third parties and the scope of their services. In doing so, Danny is able to deliver efficiencies and cost savings to our client, and ensure third-party risks are being effectively managed across the entire portfolio of vendors, suppliers, service providers, joint ventures, etc.
Select Client Engagements:
• Global Third Party Risk Management Program Design, Implementation, and Execution for Fortune 500 companies and 501(c)(4)
Nonprofit organizations.
• Domestic and global Third Party Risk Assessments for Financial Services, Healthcare, and Power and Utilities clients.
• Currently leads the Third Party Security Program as part of an outsourcing agreement for a portfolio of over 300 vendors with security
assessments being performed on a rolling 12 month basis
• Executed and led Third Party Assessments – Desk-top reviews and global/domestic on-site assessments
• Assessed Third Party Risk Management capabilities in support of Internal Audit
• Cybersecurity Program design, implementation, and assessments for Financial Services clients
• Cybersecurity Program Maturity Assessments – reviewing cybersecurity program design, implementation, and effectiveness of the
programmatic, procedural, and technical controls supporting the overall program
• Technical security audits (e.g., database management audits, operating system audits, etc.)
• Development of organizational security structures, including defining security strategy and objectives, supporting functional security
roles, business and IT risks, and tactical activities required for Fortune 500 organizations.

The information contained in this document is shared as a matter of courtesy and for
information or interest only. PwC has exercised reasonable professional care and diligence in
the collection, processing, and reporting of this information. However, data used may be from
third-party sources and PwC has not independently verified, validated, or audited such data.
PwC does not warrant or assume any legal liability or responsibility for the accuracy,
adequacy, completeness, availability and/or usefulness of any data, information, product, or
process disclosed in this document; and is not responsible for any errors or omissions or for
the results obtained from the use of such information. PwC gives no express or implied
warranties, including, but not limited to, warranties of merchantability or fitness for a particular
purpose or use. In no event shall PwC be liable for any indirect, special, or consequential
damages in connection with use of this document or its content. Information presented herein
by a third party is not authored, edited or reviewed by PwC and PwC is not endorsing third
parties or their views. Reproduction of this document or recording of its presentation, in whole
or in part, in any form, is prohibited except with the prior written permission of PwC. Before
making any decision or taking any action, you should consult a competent professional
adviser.

© 2015 PwC. All rights reserved. PwC refers to the US member firm or one of its subsidiaries
or affiliates, and may sometimes refer to the PwC network. Each member firm is a separate
legal entity. Please see www.pwc.com/structure for further details.
