IT Vendor Management Strategies
Alan Ferguson, Vice President, firstname.lastname@example.org, March 2008
Who is Coalfire?
Founded in 2001, with offices in Denver, Seattle and NYC and over 30 full-time IT auditors
Clients include Fortune 100, retail, government, education, financial, healthcare, law firm and manufacturing organizations
Security, Governance, Compliance Management, Audit – GLBA, SOX, PCI, HIPAA, SAS 70 & Government
IT Governance and Compliance Management
Practice areas: Risk and Vulnerability Assessment, E-discovery and Forensic Analysis
Solutions: Policy Development, Data Classification, Logging and Monitoring, Incident Response, etc.
Application Security: PABP Certification, Code Audits, Penetration Testing, SDL Development
You are responsible for your vendors and service providers.
Risk Management Programs
The Regulatory Environment Represents a New Enterprise Challenge
Businesses must establish basic information security programs
In the event of an actual or suspected security breach, businesses have a legal obligation to notify impacted consumers, resulting in new security requirements
Businesses must proactively manage
Businesses must take steps to know when their defenses have been
Compliant infrastructures are required!
Know your vendor
Joint Risk Assessment
Defined Control Responsibility
Where is the card holder data?
(card present in stores and parking facilities)
(card not present)
Transaction Servers or Payment Gateway
Transaction Record & Archive
Phone, Fax, Email
Back Office & Customer Svc
Payment Gateway and Transaction Database
Wells Fargo, BoA, Chase
Portal Access to Reconciliation Data (Charge Back / Sales Audit)
Unified Compliance Programs
Unified IT Controls
Not all service providers are aware of industry or regulatory standards for data protection. The data owner must make service providers aware of the standards that apply, including:
Control reporting is not optional and is NOT a service provider trade secret. No news is usually bad news.
The VA laptop encryption program was reportedly valued at $6 million and could have prevented the loss of data on a stolen laptop computer that cost the VA in excess of $50 million.
A recent Gartner study showed that the cost of preventing an incident was typically less than 4% of the cost of the incident itself.
This "What To Do If Compromised" guide is intended for Visa members, but similar guidelines have been published by the FBI as part of the former NIPC.
A sample Incident Response Plan has been included in the CD.